12-17-2012 12:10 AM - edited 03-11-2019 05:37 PM
Hi,
I am facing a problem with the ASA.
I have one of my internal hosts hide NATed to go directly to the internet. I have a policy and NAT created on the inside interface and I can see that NAT is happening in the Xlate table. Also, in the logs the traffic is allowed through. But the access from the host is just not working.
However, as part of troubleshooting I created an access list on the outside interface to allow the return traffic specifically. Then it started working. It seems strange, since the return traffic should ideally work fine.
I would really appreciate if anyone could help me with this.
Regards,
Faiz
12-17-2012 12:53 AM
Hi,
Can you share the configurations related to this case?
I would think if the traffic coming from the remote end is part of the already formed connection it should get through automatically. On the other hand, if it's a totally new connection formed by the remote host then it will need the ACL statement.
Though there are exceptions like FTP, where the remote end might initiate the data connection to a random port, and there the "inspect ftp" (to my understanding) keeps track of the connections and allows the remote host's connections.
Might be also good to get some logs of the failed/successful attempt and copy/paste them here.
- Jouni
12-17-2012 12:28 PM
Just an assumption: You only test it with ICMP ping instead of "real" traffic and you don't have the ICMP-inspection active?
Sent from Cisco Technical Support iPad App
12-23-2012 06:26 AM
Hi All,
Thank you for the suggestions and sorry for the delayed response.
It was pretty silly. Enabled ICMP inspection and it worked.
Thanx again.
Cheers
Faiz
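For reference, the configuration shape this thread ends up at, as an added example rather than anything posted in the thread; the object name INSIDE-HOST, the host address 10.0.0.10 and the ASA 8.3+ object NAT syntax are assumptions:

```cisco
! Added example (not from the thread). Assumptions: ASA 8.3+ object NAT
! syntax, inside host 10.0.0.10, object name INSIDE-HOST.
!
! Hide NAT: dynamic PAT of one inside host to the outside interface address.
object network INSIDE-HOST
 host 10.0.0.10
 nat (inside,outside) dynamic interface
!
! Without "inspect icmp" the ASA builds no connection entry for an outbound
! echo request, so the echo reply arrives as new inbound traffic and is
! dropped by the outside interface's implicit deny. That is the symptom
! in the thread, and why a permanent inbound ACL "fixed" it. ICMP
! inspection is the narrower fix: replies are matched to their request
! and allowed only while that temporary conn exists.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Usually already present in the default configuration.
service-policy global_policy global
!
! Verification after a ping from 10.0.0.10:
!   show service-policy inspect icmp   (inspection counters increase)
!   show conn protocol icmp            (a short-lived ICMP conn appears)
!   show xlate                         (the PAT entry for 10.0.0.10)
```

The inbound access list added during troubleshooting can then be removed, since it opens the outside interface to unsolicited ICMP rather than only to replies.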