02-08-2016 09:02 AM - edited 03-12-2019 12:15 AM
I have an ASA 5510 running 9.1(6) that changed its behaviour unexpectedly, and I'm trying to understand what's happened. This firewall sits between our DMZ (security level 50) and the internet/outside (security level 0).
A few days ago, I enabled ICMP error inspection:
policy-map global_policy
class inspection_default
inspect icmp error
Around the same time this change was made, the ASA stopped allowing servers in the DMZ access to the internet.
I undid the ICMP Error Inspection, but the problem still existed. The Inspection shouldn't have caused this problem, but this was the only ASA configuration change made within a few days. A packet trace shows that Stage 6 (ACCESS-LIST) now blocks the traffic due to an Implicit rule.
I ended up manually creating ACLs in order for my servers to get onto the internet. For example, to allow my server 192.168.2.37 access, I used:
access-list outside_access_out_1 line 4 extended permit ip object obj-192.168.2.37 any log disable
I have done a line by line comparison of the current running configuration to a saved configuration from early January (before this behaviour) and there is no difference (other than my new ACLs). I issued a reboot on the ASA hoping that this was a cache problem, but this behaviour still persists. I'm at a loss to explain a) what triggered this behaviour change and b) why the ASA is now requiring ACLs, when they've not been required in the 5 years I've had this ASA with this setup.
Can anyone shed some light on this for me?
Thanks,
Greg
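To make the "Implicit rule" hit at the packet-tracer ACCESS-LIST stage concrete, the following is an added toy model, written for this page and not code from the thread or from Cisco, of how an ASA decides a through-the-box flow: with no access-group bound on the path, the interface security levels decide (higher to lower is permitted, lower or equal to higher is denied), but as soon as an access-group is bound in a direction, every flow in that direction is matched against the ACL and anything unmatched hits the implicit deny, whatever the security levels say. The second DMZ host 192.168.2.38, the destination 203.0.113.10 and the outbound binding on the outside interface are assumptions for the illustration, not facts from the post.

```python
"""Toy model of the ASA ACCESS-LIST stage (illustrative, not Cisco's code).

Rules modelled:
- No access-group bound on the ingress interface: security levels decide,
  higher -> lower permitted, lower/equal -> higher denied (the default
  without 'same-security-traffic permit inter-interface').
- access-group bound inbound on ingress or outbound on egress: first
  matching ACE wins; an unmatched flow hits the implicit deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def _in(spec: str, addr: str) -> bool:
    """True if addr is covered by spec ('any' or a CIDR/host network)."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit/deny from src to dst ('any' or CIDR)."""
    action: str
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in(self.src, src_ip) and _in(self.dst, dst_ip)


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None   # access-group <acl> in  interface <name>
    acl_out: Optional[List[Ace]] = None  # access-group <acl> out interface <name>


def _acl_verdict(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First matching ACE wins; anything unmatched is the implicit deny."""
    for line, ace in enumerate(acl, start=1):
        if ace.matches(src_ip, dst_ip):
            return ace.action, f"line {line}"
    return "deny", "implicit rule"


def decide(ingress: Interface, egress: Interface,
           src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a flow entering ingress and leaving egress."""
    # Inbound: a bound ACL replaces the security-level default entirely.
    if ingress.acl_in is not None:
        verdict, why = _acl_verdict(ingress.acl_in, src_ip, dst_ip)
        if verdict == "deny":
            return "deny", f"{ingress.name} inbound ACL ({why})"
    elif ingress.security_level <= egress.security_level:
        return "deny", "security level (lower/equal to higher denied by default)"
    # Outbound: same rule for an ACL bound 'out' on the egress interface.
    if egress.acl_out is not None:
        verdict, why = _acl_verdict(egress.acl_out, src_ip, dst_ip)
        if verdict == "deny":
            return "deny", f"{egress.name} outbound ACL ({why})"
    return "permit", "allowed"


def scenario() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str]]:
    """DMZ (50) -> outside (0), before and after an outbound ACL is bound.

    Addresses are constructed for the example; only 192.168.2.37 is from the post.
    """
    dmz = Interface("dmz", 50)
    outside = Interface("outside", 0)
    internet_host = "203.0.113.10"  # constructed destination

    # No ACL bound anywhere: security levels alone permit DMZ -> outside.
    before = decide(dmz, outside, "192.168.2.38", internet_host)

    # Bind an ACL 'out' on outside that lists only the one server.
    outside.acl_out = [Ace("permit", "192.168.2.37/32", "any")]
    listed = decide(dmz, outside, "192.168.2.37", internet_host)
    unlisted = decide(dmz, outside, "192.168.2.38", internet_host)
    return before, listed, unlisted


if __name__ == "__main__":
    for label, result in zip(("no ACL bound", "listed host", "unlisted host"), scenario()):
        print(f"{label:14s} -> {result[0]:6s} ({result[1]})")
```

Run it and the unlisted host flips from permit to deny with the reason "implicit rule" the moment any ACL is bound in that direction; the listed host passes only because of its explicit ACE. Checking `show running-config access-group` for a binding on the path is therefore the first thing to compare between the working and non-working states.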
02-08-2016 07:14 PM
Any chance a software upgrade was done?
02-10-2016 05:08 AM
Hi Philip,
No, I've been running 9.1(3) since March 2014. A line by line comparison of the current running configuration (after this behavior started) to one from early January (before this behaviour) showed they were identical.
Thanks for your suggestion, I appreciate the reply.
Greg