Cisco Support Community

New Member

One-way connections

Hi,

Is it possible with the ASA5500 to allow only connections initiated from one side (e.g. inside)? No NAT involved!

Thanks.

Gabi

4 REPLIES

Re: One-way connections

Hello Gabi,

Sure, this is what firewalls are built for primarily. By default, traffic from an interface with a higher security level (inside with 100) is permitted to an interface with a lower security level (outside with 0). Only return traffic is allowed.

Regards

New Member

Re: One-way connections

Sorry for my ignorance but I'm trying to understand this :)

Of course, you're right. Still, I'm having trouble returning the traffic.

I'm pinging from a machine behind the inside interface (100) to a machine behind outside (0). I'm sniffing the traffic on the outside and I see the ping request being received and the ping reply being sent. Still, the ASA is denying the ping reply coming back:

%ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)

Thanks.

Gabi

New Member

Re: One-way connections

...and here's my answer, I didn't see it because of my nose :) :

The security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.

Gabi

Re: One-way connections

Gabi,

It's not your fault actually. "By default, all ICMP packets are denied access unless specifically permitted."

A better way of saying this is "By default, the ASA does not inspect ICMP traffic to permit the return traffic".

So add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

You cannot benefit from the stateful firewall letting the return traffic through if you don't tell it to inspect the state of the specific traffic or protocol.

Regards
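As an added illustration (not from the thread or from Cisco), the toy model below shows why the echo reply in Gabi's capture is dropped: without ICMP inspection no state is created for the outbound request, so the inbound reply has nothing to match and is denied; with inspection, exactly one reply matching the request's id and sequence number is let back in. The addresses, the connection-table key and the log text are constructed to mirror the thread, not taken from a real ASA.

```python
"""Toy model of ASA-style stateful handling of ICMP echo through inside (100) -> outside (0)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp" in this model
    icmp_type: int = 0  # 8 = echo request, 0 = echo reply
    icmp_id: int = 0
    icmp_seq: int = 0


@dataclass
class ToyASA:
    inspect_icmp: bool                       # models "inspect icmp" in class inspection_default
    conns: set = field(default_factory=set)  # expected replies: (src, dst, id, seq)
    log: list = field(default_factory=list)

    def outbound(self, pkt: Packet) -> bool:
        """Inside -> outside: permitted by default (higher to lower security level)."""
        if self.inspect_icmp and pkt.proto == "icmp" and pkt.icmp_type == 8:
            # ICMP inspection records the request so one matching reply may return
            self.conns.add((pkt.dst, pkt.src, pkt.icmp_id, pkt.icmp_seq))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Outside -> inside: only allowed when matching state exists."""
        if pkt.proto == "icmp" and pkt.icmp_type == 0:
            key = (pkt.src, pkt.dst, pkt.icmp_id, pkt.icmp_seq)
            if key in self.conns:
                self.conns.discard(key)  # one reply per request; a duplicate is denied
                return True
        # Constructed message shaped like the %ASA-3-106014 line quoted in the thread
        self.log.append(f"%ASA-3-106014: Deny inbound icmp src outside:{pkt.src} "
                        f"dst inside:{pkt.dst} (type {pkt.icmp_type}, code 0)")
        return False


def ping_through(inspect_icmp: bool) -> tuple:
    """Send one echo request outbound and its reply inbound; return (reply_allowed, log)."""
    asa = ToyASA(inspect_icmp=inspect_icmp)
    req = Packet("10.1.1.10", "192.0.2.20", "icmp", icmp_type=8, icmp_id=0x1234, icmp_seq=1)
    rep = Packet("192.0.2.20", "10.1.1.10", "icmp", icmp_type=0, icmp_id=0x1234, icmp_seq=1)
    asa.outbound(req)
    return asa.inbound(rep), asa.log
```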
