08-30-2010 05:53 PM - edited 03-11-2019 11:32 AM
Hi Guys,
I have a rule from the inside interface (security 100) to ping a server on a DMZ interface (security 40). But I don't have the same rule the other way around (from DMZ to inside). When I do a ping, the return ping packet from the DMZ interface is dropped by the firewall.
Any idea why? Do I really need a rule for return ping traffic as well?
Tks
08-30-2010 06:03 PM
Hello,
What code version are you running? With ICMP, the packet in each direction is
treated as a separate flow. If you have not enabled ICMP inspection (or icmp
fixup) then the firewall will drop the return ICMP traffic. In that case,
you need to exclusively allow return ICMP traffic through access-lists.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Hope this helps.
Regards,
NT
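The two fixes the answer describes, written out as an added ASA configuration example (not from the original post or from Cisco's tech note). The interface name `dmz` and the ACL name `dmz_access_in` are assumptions; adjust them to the actual configuration.

```text
! Option 1 (preferred): stateful ICMP inspection. Each echo-reply is matched
! to the echo-request that caused it, so only replies to pings that the
! inside host actually sent are let back through. No DMZ-side ACL is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! global_policy is already applied globally on a default ASA config; shown
! here so the example is complete.
service-policy global_policy global
!
! On PIX 6.x software the equivalent is the fixup command:
!   fixup protocol icmp
!
! Option 2: no inspection, so permit the return ICMP explicitly on the DMZ
! interface. This is stateless: any DMZ host may send echo-replies inbound
! at any time, which is why Option 1 is the tighter choice.
access-list dmz_access_in extended permit icmp any any echo-reply
access-list dmz_access_in extended permit icmp any any time-exceeded
access-list dmz_access_in extended permit icmp any any unreachable
access-group dmz_access_in in interface dmz
```

Caveat for Option 2: once an access-group is bound to the DMZ interface, the implicit deny at the end of that ACL replaces the security-level behaviour, so any DMZ-to-outside traffic that previously flowed by security level alone now needs its own permit line. Verify either option with `show service-policy inspect icmp` or `show access-list dmz_access_in` while a ping is running.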