
ASA 5510 setup, unable to get rules to work

Ok, so the setup is a simple internal, DMZ and External.

Now I have set up a dynamic NAT rule for both the DMZ and the Internal networks.

If I am on a client and I do a ping www.google.com

I get a DNS resolution but the pings do not go through, also if I try and browse to Google's website via IE or whatever.

How do I set up a rule using ASDM 5.2 to allow all outbound traffic? I am not concerned with filtering or blocking any outbound traffic.


Is it possible to remove the implicit rules?

Ok, I am starting to get my head around how the rule sets work (very different from the other firewall products I have used, WatchGuard and Check Point).

Now I made two rules in the External Incoming rule set

1 - Any - xxx.xxx.xxx.xxx ICMP Any permit

and

2 - Any - Internal ICMP Any Permit

where xxx.xxx.xxx.xxx is an IP address of a machine on the internal network

Rule number 1 works and rule number 2 doesn't. Why is that?

This is very confusing because if I change the Internal to an Any it also works. It seems that you can't specify an interface to have traffic allowed to; you can specify a destination IP address, IP address range, or Any, but not an interface.

Ahh, my mistake: xxx.xxx.xxx.xxx was not an IP address of a machine on the internal interface, it was the IP address of the external interface. That makes more sense. Just ignore me, lack of coffee is not helping me learn. :)

Thanks for all your help I think I have it figured out now.

Add "inspect icmp" to your config and ICMP will be inspected and allowed via implicit rules.
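
Where that line goes, shown as an added example that is not part of the original reply: it assumes the factory-default policy names `global_policy` and `inspection_default` are still in place (check with `show running-config policy-map`). With ICMP inspection enabled, echo replies to pings started from the inside or DMZ are matched to the outbound request and let back in, so no "permit ICMP any" rule is needed on the External incoming rule set.

```cisco
! Entered from global configuration mode (configure terminal).
! Assumes the default policy names; adjust if your config renamed them.
policy-map global_policy
 class inspection_default
  ! Track ICMP sessions so replies to outbound pings are allowed back
  inspect icmp
!
! The default config already applies the policy globally with this line;
! re-add it only if it is missing from the running config.
service-policy global_policy global
```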
