I'm having a problem with the established connections through an ASA 5540 firewall.
The scenario contains two interfaces, outside and inside.
I want to allow navigation and ICMP connection from hosts from the inside with a NAT configured public IP on the outside interface, to internet sites.
So, once configured the NAT rule, I configured the security policy to allow ICMP from the outside, and navigation only to the inside hosts I want to allow.
The problem is that I have to create TWO rules instead of one, in order to allow any connections between hosts in the inside and the outside, one from inside host/net to the outside, and the opposite one.
It is supposed that connectivity from interfaces with higher priority to lower priority is allowed, so it should be only neccesary to configure the rule from the lower to the higher priority interface.
For TCP/UDP etc you only need to allow it in the higher security interface (if you have defined a custom ACL on the inside interface). Otherwise by default ALL traffic from higher-sec >> loser-sec will be allowed, this includes all the return traffic. But this is not valid for ICMP. For ICMP you need to allow it on the outside interface or enable 'ICMP Inspection' in the global policy-map (The latter is the preferred option).
Are you getting any hits on the outside interface ACL for non-icmp traffic (the second line)? You can check this via show access-list
I think you are looking at the wrong syslog. This message could also come because the connection timed out on the PIX/ASA and the Intranet host keeps sending data for the same session thinking its still valid.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :