https://community.cisco.com/t5/network-security/problems-with-stablished-in-asa-5540/m-p/1079706#M913778 <HTML><HEAD></HEAD><BODY><P>For TCP/UDP etc you only need to allow it in the higher security interface (if you have defined a custom ACL on the inside interface). Otherwise by default ALL traffic from higher-sec &gt;&gt; loser-sec will be allowed, this includes all the return traffic. But this is not valid for ICMP. For ICMP you need to allow it on the outside interface or enable 'ICMP Inspection' in the global policy-map (The latter is the preferred option).</P><P></P><P>Are you getting any hits on the outside interface ACL for non-icmp traffic (the second line)? You can check this via show access-list</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 29 Aug 2008 17:02:37 GMT Farrukh Haroon 2008-08-29T17:02:37Z https://community.cisco.com/t5/network-security/problems-with-stablished-in-asa-5540/m-p/1079704#M913774 <P>Hi all,</P><P></P><P>I'm having a problem with the established connections through an ASA 5540 firewall.</P><P>The scenario contains two interfaces, outside and inside.</P><P>I want to allow navigation and ICMP connection from hosts from the inside with a NAT configured public IP on the outside interface, to internet sites.</P><P>So, once configured the NAT rule, I configured the security policy to allow ICMP from the outside, and navigation only to the inside hosts I want to allow.</P><P>The problem is that I have to create TWO rules instead of one, in order to allow any connections between hosts in the inside and the outside, one from inside host/net to the outside, and the opposite one.</P><P></P><P>It is supposed that connectivity from interfaces with higher priority to lower priority is allowed, so it should be only neccesary to configure the rule from the lower to the higher priority interface.</P><P></P><P>Any help will be much appreciated. </P> Mon, 11 Mar 2019 13:37:34 GMT https://community.cisco.com/t5/network-security/problems-with-stablished-in-asa-5540/m-p/1079704#M913774 acotelcom 2019-03-11T13:37:34Z https://community.cisco.com/t5/network-security/problems-with-stablished-in-asa-5540/m-p/1079705#M913776 <HTML><HEAD></HEAD><BODY><P>Sounds like a NAT issue you have - post your config, removing sensitive info, IP's passwords etc.</P></BODY></HTML> Fri, 29 Aug 2008 13:40:49 GMT https://community.cisco.com/t5/network-security/problems-with-stablished-in-asa-5540/m-p/1079705#M913776 andrew.prince 2008-08-29T13:40:49Z https://community.cisco.com/t5/network-security/problems-with-stablished-in-asa-5540/m-p/1079706#M913778 <HTML><HEAD></HEAD><BODY><P>For TCP/UDP etc you only need to allow it in the higher security interface (if you have defined a custom ACL on the inside interface). Otherwise by default ALL traffic from higher-sec &gt;&gt; loser-sec will be allowed, this includes all the return traffic. But this is not valid for ICMP. For ICMP you need to allow it on the outside interface or enable 'ICMP Inspection' in the global policy-map (The latter is the preferred option).</P><P></P><P>Are you getting any hits on the outside interface ACL for non-icmp traffic (the second line)? You can check this via show access-list</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 29 Aug 2008 17:02:37 GMT https://community.cisco.com/t5/network-security/problems-with-stablished-in-asa-5540/m-p/1079706#M913778 Farrukh Haroon 2008-08-29T17:02:37Z https://community.cisco.com/t5/network-security/problems-with-stablished-in-asa-5540/m-p/1079707#M913780 <HTML><HEAD></HEAD><BODY><P>The first at all, thanks in advance.</P><P></P><P>My configuration is like in a PIX, where i need to open with a ACL the traffic from a minor to a higher level, and a NAT rule from the higher to the minor.</P><P>With that configuration, where i let all traffic by IP in the outside interface, i have an entry in the syslog:</P><P></P><P>%ASA-6-106015: Deny TCP (no connection) from 10.37.179.202/23 to 79.148.101.140/2210 flags SYN ACK on interface Intranet</P><P></P><P>That is my principal problem. The ASA don't let me pass the traffic in established comunications.</P><P></P></BODY></HTML> Mon, 01 Sep 2008 11:14:53 GMT https://community.cisco.com/t5/network-security/problems-with-stablished-in-asa-5540/m-p/1079707#M913780 acotelcom 2008-09-01T11:14:53Z https://community.cisco.com/t5/network-security/problems-with-stablished-in-asa-5540/m-p/1079708#M913781 <HTML><HEAD></HEAD><BODY><P>I think you are looking at the wrong syslog. This message could also come because the connection timed out on the PIX/ASA and the Intranet host keeps sending data for the same session thinking its still valid.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Wed, 03 Sep 2008 19:25:08 GMT https://community.cisco.com/t5/network-security/problems-with-stablished-in-asa-5540/m-p/1079708#M913781 Farrukh Haroon 2008-09-03T19:25:08Z