11-03-2019 08:22 PM
Hello
I'm trying to build a topology with a firewall, and after configuring the firewall, it won't allow return traffic to go inside the DMZ. I can send ICMP packets to outside, but the return traffic is blocked when it reaches the firewall. I also can't ping from outside to devices in the DMZ. When I click on the PDU Information icon, it says that the ASA doesn't allow traffic from lower security levels to advance to higher security level areas, but I read that return traffic shouldn't be blocked. Any idea why this is happening? I used the ASA 5506. Thank you!
11-03-2019 09:49 PM
Hi,
There are some golden rules: if you want to transfer traffic from a lower level to a higher level, then you need NAT and an ACL. The Cisco ASA does not inspect ICMP in its default configuration, so you have to inspect the ICMP protocol to allow ping from inside to outside as well.
11-04-2019 02:35 PM
Hey, Deepak, thank you for your reply.
I have already issued the inspect ICMP command, but it still won't allow me to get return traffic, or to ping from the outside.
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif inside
security-level 0
ip address 200.1.1.2 255.255.255.0
!
interface GigabitEthernet1/2
nameif dmz
security-level 50
ip address 172.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network dmz
subnet 172.168.1.0 255.255.255.0
!
!
!
!
!
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
This is the current config on the firewall.
I was actually following some YT tutorials and I believe I did exactly what the tutorials told me to do, and when I get to the inspect ICMP command, although the command is successful, the pinging is not... I'll try to dig a little bit deeper, maybe even try to configure the whole thing again, hopefully it works this time.
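In the configuration posted above, the interface named inside carries security-level 0 while the DMZ is at 50, so traffic leaving that interface toward the DMZ moves from a lower to a higher security level, which is exactly what the PDU message describes. The fragment below is an added example, not the original poster's configuration or a Cisco reference: it shows the usual arrangement (outside 0, dmz 50, inside 100) with ICMP inspection, plus the NAT and ACL that an outside-initiated ping to a DMZ host would need. The third interface, the 10.0.0.0/24 inside network, the DMZ host 172.168.1.10 and the public address 200.1.1.10 are assumptions.

```text
! Added example (not from the thread): ASA 9.6 security levels arranged so
! that "inside" is the most trusted interface. Interface names, the inside
! subnet and the DMZ host / public address below are assumptions.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 200.1.1.2 255.255.255.0
!
interface GigabitEthernet1/2
 nameif dmz
 security-level 50
 ip address 172.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! Connections opened from a higher toward a lower security level get their
! return traffic back through the stateful connection table. ICMP echo is
! only tracked that way once ICMP inspection is enabled on the global policy.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! Traffic initiated from the lower-security outside interface toward the DMZ
! is dropped by default. It needs an ACL applied inbound on "outside" and,
! because the DMZ uses a private address, a static NAT for the host.
! The ACL references the real (untranslated) address via the object.
object network dmz-host
 host 172.168.1.10
 nat (dmz,outside) static 200.1.1.10
!
access-list outside_in extended permit icmp any object dmz-host echo
access-group outside_in in interface outside
```

Keep the ACL as narrow as the test requires (here: ICMP echo to one host); opening the DMZ to all outside traffic defeats the purpose of the security levels.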
11-05-2019 03:57 AM
@BernardoZakur I agree with your answer. Really, you have explained it the way a professor teaches us in college.