I'm running FWSM v3.2(2). I have an allow icmp any any configured that I'm allowing my intra-net folks to ping inbound. I have a question and a scenario.
does icmp any any, really mean ANY type/code of icmp?
i've ran into an issue with my edge router.
The MTU size is set to 1400 on the edge. If a server initiates an icmp packet with a "dont frag" flag, (doing it for path mtu test) the edge sends it back to the firewall advising the packets must be fragmented (due to the mtu 1400)
heres the catch, the firewall realizing the packet was destined to a remote location and not directly to the edge router, is dropping the packet with a "no matching session"...which of course makes sense, since the destination in the original packet wasnt the router.
I'm wondering how I allow the traffic back to the source (server) when the router grabs the packet and says, "you cant move forward due to MTU 1400" and shoots it back to the firewall?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...