Just to clarify... so from what you are saying, if my from-internet access-list has a policy to permit inbound ICMP echoes (not that I would, but just hypothetically...) from the Internet to my inside network, then I don't need an explicit policy on my from-inside access-list to permit the ICMP echo reply, since the default inspection for ICMP would take care of this. Additionally, whilst the ASA allows the return traffic from the inside for the ICMP echo, the IPS will also inspect the traffic on ingress from the Internet to ensure it does not violate any signatures. Is that right? So to summarise the steps/process that I am wanting to confirm:
* ICMP echo request packet from Internet to inside
* Allowed via ACL from-internet
* Temporarily allow traffic on from-inside ACL for ICMP echo reply
* Redirect packet to IPS
* IPS inspects etc... if it does not match block/deny signature, forward onto server on inside
* Server on inside replies with ICMP echo reply
* Echo reply hits the ASA and is permitted through the temporary session built via the Application Inspection engine
You are right with that statement: if you are allowing echo from the Internet to inside, then the return traffic from inside to the Internet (echo reply) does not need to be explicitly allowed, as the ASA is a stateful firewall and it will allow the return traffic automatically. Your bullet points are spot on too; it looks correct.
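The thread above describes the flow in prose only. The following ASA configuration fragment is an added example, not posted by either participant, showing the three pieces that the bullet list relies on: an outside ACL that permits the inbound echo (hypothetically, as the question says), ICMP application inspection so the echo reply rides the stateful session instead of needing a from-inside ACL entry, and a traffic class that hands the outside traffic to the IPS module. Interface names, ACL names, the server address 203.0.113.10 and the class/policy names are assumptions for illustration. One caveat a practitioner should check: `inspect icmp` is not part of the ASA's default inspection set, so the echo reply is only matched to its request as return traffic if that line is actually present in the policy; without it, the reply would need its own permit on the inside interface.

```text
! Hypothetical outside ACL: permit ICMP echo from anywhere to one inside host only
access-list OUTSIDE_IN extended permit icmp any host 203.0.113.10 echo
access-group OUTSIDE_IN in interface outside

! ICMP inspection: builds a session for the echo request so the matching
! echo-reply from inside is allowed back out without an inside-ACL entry
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! Hand traffic arriving on outside to the IPS module before it reaches the server
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map OUTSIDE_POLICY
 class IPS_CLASS
  ips inline fail-open
service-policy OUTSIDE_POLICY interface outside
```

`show conn` while a ping is in flight will list the ICMP connection built by the inspection engine; if the echo reply is being dropped, `show service-policy inspect icmp` is the first place to confirm that inspection is actually applied. `fail-open` keeps traffic flowing if the IPS module is down; use `fail-close` if blocking on IPS failure is the intended posture.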
I know this has been answered, but I have a related question. Would passing traffic to the IPS from outside to in also work if the traffic was coming out of a VPN tunnel terminated on the ASA? Assuming you applied the IPS policy to the outside interface like the original poster's question.
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...