topic is ASA Stateless? in Network Security

is ASA Stateless?

aehtibarov — Wed, 17 Feb 2021 15:06:54 GMT

I Have asa 5508 with firepower module. Trafik goes inside to outside, Pat is active, and when respond came back to firewall, firewall drops it. I added acl to outside interface in. It worked. Is ASA stateless or does firepower module block it ?

Re: is ASA Stateless?

Karsten Iwen — Wed, 17 Feb 2021 16:08:57 GMT

The ASA is a stateful firewall. Through configuration you can force a stateless operation, but this is typically not done.

Without any more information it is hard to tell what dropped the traffic. But this is what my crystal ball says:

You are testing with a PING. The statefully inspected protocols are only TCP and UDP, ICMP by default is not. The moment you test with "real" traffic it will work. For ICMP you can use the following command to make that also stageful:

fixup protocol icmp

Re: is ASA Stateless?

rafail.sharifov — Thu, 18 Feb 2021 06:14:32 GMT

@Karsten Iwen Thank you,. it was really helpfull. The actual problem was routing. The packet that coming back to outside once untranslate and shows route to outside)).

fixup protocol icmp 
helped me to check ping result from other source