ASA 5510 behaviour change - ACLs now required

gregbeifuss
Level 1

I have an ASA 5510 running 9.1(6) that changed its behaviour unexpectedly, and I'm trying to understand what's happened. This firewall sits between our DMZ (security level 50) and the internet/outside (security level 0).

A few days ago, I enabled ICMP error inspection:

      policy-map global_policy
        class inspection_default
          inspect icmp error

Around the same time this change was made, the ASA stopped allowing servers in the DMZ access to the internet.

I undid the ICMP Error Inspection, but the problem still existed. The Inspection shouldn't have caused this problem, but this was the only ASA configuration change made within a few days. A packet trace shows that Stage 6 (ACCESS-LIST) now blocks the traffic due to an Implicit rule.

I ended up manually creating ACLs in order for my servers to get onto the internet. For example, to allow my server 192.168.2.37 access, I used:

      access-list outside_access_out_1 line 4 extended permit ip object obj-192.168.2.37 any log disable

I have done a line by line comparison of the current running configuration to a saved configuration from early January (before this behaviour) and there is no difference (other than my new ACLs). I issued a reboot on the ASA hoping that this was a cache problem, but this behaviour still persists. I'm at a loss to explain a) what triggered this behaviour change and b) why the ASA is now requiring ACLs, when they've not been required in the 5 years I've had this ASA with this setup.

Can anyone shed some light on this for me?

Thanks,

Greg
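The ACCESS-LIST stage the question describes, as an added example (my own code, not Cisco's and not from the post): a small Python model that parses a constructed show-run excerpt with the thread's two interfaces and the poster's network object, then reports whether a DMZ-to-outside flow is allowed by the security-level rule, allowed by an explicit ACE, or dropped by the implicit deny that closes every list bound with access-group. The ACL contents, the destination 203.0.113.10 and the choice to bind the list outbound on outside (which the name outside_access_out_1 suggests but the post does not state) are assumptions made for the demonstration; NAT, object-groups, ports and same-security-traffic are left out.

```python
"""
Model of the ASA interface-ACL decision that packet-tracer reports as the
ACCESS-LIST stage.  Added teaching example, not Cisco code and not the
poster's configuration; it ignores NAT, object-groups, service ports and
same-security-traffic.
"""
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src dst")

# Constructed config resembling the thread's setup (203.0.113.10 is a documentation address).
BASE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif dmz
 security-level 50
object network obj-192.168.2.37
 host 192.168.2.37
"""
# Assumption: a list that does not mention 192.168.2.37 is bound outbound on outside.
BOUND_CONFIG = BASE_CONFIG + """\
access-list outside_access_out_1 extended permit ip host 192.168.2.50 any
access-group outside_access_out_1 out interface outside
"""
# The entry the poster added ("line 4" only sets its position, so it is omitted here).
FIXED_CONFIG = BOUND_CONFIG + """\
access-list outside_access_out_1 extended permit ip object obj-192.168.2.37 any log disable
"""


def take_addr(tokens, objects):
    """Consume one ASA address specifier; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]  # addr netmask


def parse(config):
    """Extract security levels, network objects, extended ACLs and access-group bindings."""
    levels, objects, acls, bound = {}, {}, {}, {}
    section = None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):            # top-level command
            section = None
            if w[0] == "interface":
                section = ["if", None]          # nameif always precedes security-level
            elif w[:2] == ["object", "network"]:
                section = ["obj", w[2]]
            elif w[0] == "access-list" and "extended" in w:
                a = w[w.index("extended") + 1:]          # also skips an optional "line N"
                src, rest = take_addr(a[2:], objects)
                dst, rest = take_addr(rest, objects)     # trailing "log disable" is ignored
                acls.setdefault(w[1], []).append(Ace(a[0], a[1], src, dst))
            elif w[0] == "access-group":        # access-group NAME in|out interface IFNAME
                bound[(w[2], w[4])] = w[1]
        elif section and section[0] == "if":
            if w[0] == "nameif":
                section[1] = w[1]
            elif w[0] == "security-level":
                levels[section[1]] = int(w[1])
        elif section and section[0] == "obj":   # "host A" or "subnet A MASK"
            objects[section[1]] = take_addr(w if w[0] == "host" else w[1:], objects)[0]
    return {"levels": levels, "objects": objects, "acls": acls, "bound": bound}


def decide(cfg, ingress, egress, src, dst, proto="ip"):
    """Emulate the ACCESS-LIST stage for a flow entering `ingress` and leaving `egress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    reasons = []
    for direction, iface in (("in", ingress), ("out", egress)):
        name = cfg["bound"].get((direction, iface))
        if name is None:
            # No ACL bound here: only the security-level rule applies, and only inbound.
            if direction == "in":
                if cfg["levels"][ingress] <= cfg["levels"][egress]:
                    return "drop", f"implicit rule: {ingress} is not higher security than {egress}"
                reasons.append(f"implicit rule: {ingress} to lower-security {egress}")
            continue
        # An ACL is bound: the implicit permit is gone and the list ends in an implicit deny.
        for ace in cfg["acls"].get(name, []):
            if ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst:
                if ace.action == "deny":
                    return "drop", f"explicit deny in {name} ({direction} on {iface})"
                reasons.append(f"explicit permit in {name} ({direction} on {iface})")
                break
        else:
            return "drop", f"implicit deny at end of {name} ({direction} on {iface})"
    return "permit", "; ".join(reasons)


if __name__ == "__main__":
    flow = ("dmz", "outside", "192.168.2.37", "203.0.113.10")
    for label, cfg in (("no ACL bound", BASE_CONFIG), ("ACL bound, host missing", BOUND_CONFIG),
                       ("ACL bound, host permitted", FIXED_CONFIG)):
        print(f"{label:26s} -> {decide(parse(cfg), *flow)}")
```

The check this stands for on the real appliance is `show running-config access-group`: if any list is bound to dmz inbound or to outside outbound, the higher-to-lower implicit permit no longer applies in that direction and a flow matched by no permit entry is dropped at the end of the list, which `packet-tracer input dmz tcp 192.168.2.37 40000 203.0.113.10 80` reports in its ACCESS-LIST stage as a drop by an implicit rule.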

2 Replies

Philip D'Ath
VIP Alumni

Any chance a software upgrade was done?

Hi Philip,

No, I've been running 9.1(3) since March 2014. A line by line comparison of the current running configuration (after this behaviour started) to one from early January (before this behaviour) showed they were identical.

Thanks for your suggestion, I appreciate the reply.

Greg
