https://community.cisco.com/t5/network-security/asa-not-allowing-return-traffic-without-acl/m-p/2116779#M394028 <HTML><HEAD></HEAD><BODY><P>Just an assumption: You only test it with ICMP ping instead of "real" traffic and you don't have the ICMP-inspection active?<BR /><BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Mon, 17 Dec 2012 20:28:40 GMT Karsten Iwen 2012-12-17T20:28:40Z https://community.cisco.com/t5/network-security/asa-not-allowing-return-traffic-without-acl/m-p/2116777#M394001 <P>Hi,</P><P></P><P>I am facing a problem with the ASA. </P><P></P><P>I have one of my internal hosts hide NATed to go directly to the internet. I have a policy and NAT created on the inside interface and I can see that NAT is happening in the Xlate table. Also, in the logs the traffic is allowed through. But, the access form the host is just not working. </P><P></P><P>However, as part of troubleshooting I created an accesslist on the outside interface to allow the return traffic specifically. Then it started working. It seems strange that the return traffic should ideally work fine. </P><P></P><P>I would really appreciate if anyone could help me with this.</P><P></P><P>Regards,</P><P>Faiz</P> Tue, 12 Mar 2019 00:37:47 GMT https://community.cisco.com/t5/network-security/asa-not-allowing-return-traffic-without-acl/m-p/2116777#M394001 ahamadfaiz 2019-03-12T00:37:47Z https://community.cisco.com/t5/network-security/asa-not-allowing-return-traffic-without-acl/m-p/2116778#M394020 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can you share the configurations related to this case?</P><P></P><P>I would think if the traffic coming from the remote end is part of the already formed connection it should get through automatically. On the other hand if its a totally new formed connection by the remote host then it will need the ACL statement.</P><P></P><P>Though there is exceptions like FTP where the remote end might initiate the data connection to random port and there the "inspect ftp" (to my understanding) is keeping track of the connections and allows the remote hosts connections.</P><P></P><P>Might be also good to get some logs of the failed/succesfull attempt and copy/paste them here.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 17 Dec 2012 08:53:03 GMT https://community.cisco.com/t5/network-security/asa-not-allowing-return-traffic-without-acl/m-p/2116778#M394020 Jouni Forss 2012-12-17T08:53:03Z https://community.cisco.com/t5/network-security/asa-not-allowing-return-traffic-without-acl/m-p/2116779#M394028 <HTML><HEAD></HEAD><BODY><P>Just an assumption: You only test it with ICMP ping instead of "real" traffic and you don't have the ICMP-inspection active?<BR /><BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Mon, 17 Dec 2012 20:28:40 GMT https://community.cisco.com/t5/network-security/asa-not-allowing-return-traffic-without-acl/m-p/2116779#M394028 Karsten Iwen 2012-12-17T20:28:40Z https://community.cisco.com/t5/network-security/asa-not-allowing-return-traffic-without-acl/m-p/2116780#M394037 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>Thank you for the suggestions and sorry for the delayed response. </P><P></P><P>It was pretty silly. Enabled ICMP inspection and it worked. </P><P></P><P>Thanx again.</P><P>Cheers</P><P>Faiz</P></BODY></HTML> Sun, 23 Dec 2012 14:26:53 GMT https://community.cisco.com/t5/network-security/asa-not-allowing-return-traffic-without-acl/m-p/2116780#M394037 ahamadfaiz 2012-12-23T14:26:53Z