1968 Views, 0 Helpful, 3 Replies

Return traffic not allowed in the DMZ - ASA firewall

BernardoZakur (Level 1)

Hello

I'm trying to build a topology with a firewall, and after configuring the firewall, it won't allow return traffic to go inside the DMZ. I can send ICMP packets to outside, but the return traffic is blocked when it reaches the firewall. I also can't ping from outside to devices in the DMZ. When I click on the PDU Information icon, it says that the ASA doesn't allow traffic from lower security levels to advance to higher security level areas, but I read that return traffic shouldn't be blocked. Any idea why this is happening? I used the ASA 5506. Thank you!

3 Replies

Deepak Kumar (VIP Alumni)

Hi,

There are some golden rules: if you want to transfer traffic from a lower security level to a higher one, then you need NAT and an ACL. Cisco ASA is not inspecting ICMP in the default configuration, so you have to inspect the ICMP protocol to allow ping from inside to outside as well.


Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
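The two rules in the reply above, written out as an ASA configuration fragment. This is an added example, not the poster's configuration and not the replier's. It takes the interface names from the configuration posted further down in this thread: the interface named "inside" carries security-level 0, so it is the low-security side, and "dmz" carries security-level 50. The ACL name INSIDE_IN and the host addresses 200.1.1.10 and 172.168.1.10 are assumptions made up for the illustration.

```text
! Added example (not the poster's config). Interface names follow the posted
! configuration: "inside" = security-level 0 (low side), "dmz" = security-level 50.
! INSIDE_IN, 200.1.1.10 and 172.168.1.10 are constructed for illustration.

! 1. Pings started from the DMZ toward the level-0 side need no ACL (high -> low),
!    but the echo reply is only matched to a tracked connection when ICMP
!    inspection is enabled in the global policy.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! 2. Pings started on the level-0 side toward the DMZ (low -> high) are never
!    allowed by the security-level model alone. They must be permitted by an
!    ACL on the ingress interface. Permit only echo requests to the DMZ object
!    rather than "permit icmp any any", so the reply path still relies on
!    inspection and nothing else is opened.
access-list INSIDE_IN extended permit icmp any object dmz echo
access-group INSIDE_IN in interface inside

! 3. NAT: since ASA 8.3 there is no nat-control, so a NAT rule is not required
!    for traffic to pass between interfaces. The "object network dmz" in the
!    posted config has no nat statement, which is fine as long as 172.168.1.0/24
!    is routable from the other side.

! Checks on a real ASA (the Cisco Packet Tracer simulator may not support the
! second one): "show conn" lists the ICMP connection built for a DMZ-originated
! ping while it is in flight; packet-tracer shows each phase (ACL, inspection,
! NAT) that an echo request entering on "inside" toward a DMZ host would pass
! or fail, which pinpoints the drop without sending real traffic.
show conn
packet-tracer input inside icmp 200.1.1.10 8 0 172.168.1.10
```

Note that once an access-group is applied to the level-0 interface, that ACL replaces the implicit security-level behaviour for inbound traffic on it, so anything else that must enter from that side has to be listed explicitly.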

Hey, Deepak, thank you for your reply.


I have already issued the inspect ICMP command, but it still won't allow me to get return traffic, or to ping from the outside.

ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
 nameif inside
 security-level 0
 ip address 200.1.1.2 255.255.255.0
!
interface GigabitEthernet1/2
 nameif dmz
 security-level 50
 ip address 172.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/4
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/6
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/7
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
 shutdown
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
object network dmz
 subnet 172.168.1.0 255.255.255.0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!


This is the current config on the firewall. 

I was actually following some YT tutorials and I believe I did exactly what the tutorials told me to do, and when I get to the inspect ICMP command, although the command is successful, the pinging is not... I'll try to dig a little bit deeper, maybe even try to configure the whole thing again, hopefully it works this time.

@BernardoZakur I agree with your answer. Really, you have explained it as a professor teaches us in college.
