ASA 7.0.2 and access-list element removal not working

r.spiandorello
Level 1

Hi, ASA 5510 running version 7.0.2, with ICMP echo traffic from a DMZ host to an outside host and echo-reply from the outside host back to the DMZ host.

If I remove the specific ICMP ACE, the traffic still goes on even though only the ACE "deny ip any any" remains on the two access-lists.

With show conn I can see the two ICMP sessions.

Why ?

4 Replies

nkhawaja
Cisco Employee

I think the reason is that ICMP fixup is enabled, allowing echo replies to come back.

Hi, thank you, but it still runs even if I remove the access-list element that allows the echo.

Could it be related to the new ICMP timeout parameter?

After I have removed the access-list element, if I stop the PC pinging and then start it again, the new ping is denied.

It seems like the "ICMP session" is allowed within the timeout.

Greetings

Renato

So the existing ICMP sessions are let through, but new sessions will not be.

If you remove the ACL and then do a clear xlate, it will break your continuous ICMP as well.

It's true; now how do I remove timeout icmp 0:00:02?

"no timeout icmp" and "timeout 0:00:00" do not work.

Thank you in advance
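The behaviour in this thread is the normal stateful-firewall rule: the access-list is consulted only when a flow is created, and every later packet of that flow matches the connection table instead, until the entry idles out or is cleared. The following model is an added example written for this page, not ASA code or Cisco documentation. It is a toy connection table (hypothetical classes StatefulFirewall and FlowKey, constructed addresses) with the 2-second ICMP idle timeout the thread reports as the floor, and it reproduces the three observations above: a continuous 1-second ping keeps flowing after the permit ACE is removed, a ping restarted after a pause is denied, and flushing the table (the analogue of the "clear xlate" suggestion) cuts the continuous ping immediately. Echo and echo-reply are folded into one flow keyed on the request direction, which is the simplification ICMP inspection gives you.

```python
"""Toy stateful firewall: ACL checked at flow creation only, then conn table.

Added example for this page; not ASA code. All names and addresses here are
constructed for illustration (10.1.1.5 = DMZ host, 203.0.113.10 = outside host).
"""
from dataclasses import dataclass, field

ICMP_TIMEOUT = 2.0  # seconds; the "timeout icmp 0:00:02" floor the thread reports


@dataclass(frozen=True)
class FlowKey:
    """Flow identity in the request direction; echo-reply is matched to it."""
    src: str
    dst: str
    proto: str


@dataclass
class StatefulFirewall:
    # Ordered ACEs as (action, proto, dst); "any" is a wildcard.
    acl: list
    icmp_timeout: float = ICMP_TIMEOUT
    # Connection table: FlowKey -> time the flow was last seen.
    conns: dict = field(default_factory=dict)

    def _acl_permits(self, key: FlowKey) -> bool:
        """First-match evaluation with an implicit deny at the end."""
        for action, proto, dst in self.acl:
            if proto in ("any", key.proto) and dst in ("any", key.dst):
                return action == "permit"
        return False

    def _expire(self, now: float) -> None:
        """Drop conn entries idle for at least icmp_timeout seconds."""
        for key, last_seen in list(self.conns.items()):
            if now - last_seen >= self.icmp_timeout:
                del self.conns[key]

    def packet(self, now: float, src: str, dst: str, proto: str = "icmp") -> str:
        """Process one packet; return 'permit-existing', 'permit-new' or 'deny'."""
        self._expire(now)
        key = FlowKey(src, dst, proto)
        if key in self.conns:
            # Existing flow: ACL is NOT re-evaluated; only the idle timer is refreshed.
            self.conns[key] = now
            return "permit-existing"
        if self._acl_permits(key):
            self.conns[key] = now
            return "permit-new"
        return "deny"

    def remove_ace(self, ace) -> None:
        self.acl.remove(ace)

    def clear_conns(self) -> None:
        """Analogue of clearing the translation/connection table by hand."""
        self.conns.clear()


PERMIT_ICMP = ("permit", "icmp", "203.0.113.10")
DENY_ALL = ("deny", "any", "any")


def scenario_idle_timeout() -> list:
    """Continuous ping survives ACE removal; a ping restarted after a pause is denied."""
    fw = StatefulFirewall(acl=[PERMIT_ICMP, DENY_ALL])
    log = [fw.packet(0.0, "10.1.1.5", "203.0.113.10"),   # flow created via ACL
           fw.packet(1.0, "10.1.1.5", "203.0.113.10")]   # conn-table hit
    fw.remove_ace(PERMIT_ICMP)                           # only "deny ip any any" remains
    log.append(fw.packet(2.0, "10.1.1.5", "203.0.113.10"))  # still permitted: existing flow
    log.append(fw.packet(3.0, "10.1.1.5", "203.0.113.10"))  # still permitted
    # Operator stops pinging for 5 s: entry idles out, next ping hits the ACL.
    log.append(fw.packet(8.0, "10.1.1.5", "203.0.113.10"))  # denied
    return log


def scenario_clear_table() -> list:
    """Flushing the connection table breaks the continuous ping at once."""
    fw = StatefulFirewall(acl=[PERMIT_ICMP, DENY_ALL])
    log = [fw.packet(0.0, "10.1.1.5", "203.0.113.10")]
    fw.remove_ace(PERMIT_ICMP)
    log.append(fw.packet(1.0, "10.1.1.5", "203.0.113.10"))  # existing flow, permitted
    fw.clear_conns()
    log.append(fw.packet(2.0, "10.1.1.5", "203.0.113.10"))  # new flow, ACL denies
    return log


if __name__ == "__main__":
    print("idle timeout:", scenario_idle_timeout())
    print("clear table:", scenario_clear_table())
```

Because each packet refreshes the idle timer, a ping interval shorter than the timeout can keep a flow alive indefinitely, which is why lowering the timer below the 2-second floor would not help a 1-second ping anyway; the reliable way to enforce a newly restricted ACL on flows that are already established is to clear the affected entries rather than wait for them to expire.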
