Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Unsure of how exactly an ASA inspects traffic

I am running a virtual ASA setup in GNS3. Using a loopback interface, I have ASDM running on my laptop that is connecting into my ASA firewall.

I am trying to ping from 192.168.1.1 (dhcp assigned to PC1) in the "inside" zone, to 192.168.2.50 (server 2 in "dmz" zone - security level 50).

The topology is as follows (I blocked out the made-up public range I'm using so as not to involk a real-life user somewhere - but that shouldn't matter in this scenario):

topology.png

I have left all of the access rules as default:

Access Rules.png

When I ping (the PCs are really VPCS machines) I can see that the ping gets through from "inside" to "dmz", but not BACK. I understand that going from security level 50 to 100 is not allowed - however I thought that the firewall would INSPECT the traffic and make sure that return traffic would be allowed if it was initiated from the "inside" zone.

logging.png

I'm not sure I'm reading these logs correctly. I can provide CLI output of the firewall if requested. I fairly sure this is something fundamental that I'm misunderstanding.

Can any help explain why my ping is failing? Thanks in advance

Everyone's tags (2)
3 REPLIES
Super Bronze

Unsure of how exactly an ASA inspects traffic

Hi,

Are you sure you have enable ICMP Inspection?

This is NOT enabled by default on the Cisco firewalls

You should add something like (if you are using the default inspections/configurations)

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

Alternative is to directly insert the old format commands that will apply the same configurations

fixup protocol icmp

fixup protocol icmp error

- Jouni

New Member

Unsure of how exactly an ASA inspects traffic

Unfortunately that didn't work. I have had to explicitly configure access rules allowing ICMP and DNS through:

I have literally only just started my journey into firewalls and I wanted to get this lab up and running as a starting point.

Based on what I learned in CCNA Security your suggestion seems to be correct. I'm sure I'm just applying it incorrectly because of my lack of understanding at this point.

Once I learn more and figure it out, I will come back and update this thread.

Thanks

Super Bronze

Unsure of how exactly an ASA inspects traffic

Hi,

Well there shouldnt be many things that cant prevent ICMP from working.

Maybe you can share you current configuration in CLI format for us to go through.

- Jouni

172
Views
0
Helpful
3
Replies
CreatePlease login to create content