ASA not allowing return traffic without ACL

ahamadfaiz
Level 1

Hi,

I am facing a problem with the ASA.

I have one of my internal hosts hide NATed to go directly to the internet. I have a policy and NAT created on the inside interface and I can see that NAT is happening in the Xlate table. Also, in the logs the traffic is allowed through. But, the access from the host is just not working.

However, as part of troubleshooting I created an access list on the outside interface to allow the return traffic specifically. Then it started working. It seems strange, as the return traffic should ideally work fine.

I would really appreciate if anyone could help me with this.

Regards,

Faiz

3 Replies

Jouni Forss
VIP Alumni

Hi,

Can you share the configurations related to this case?

I would think if the traffic coming from the remote end is part of the already formed connection it should get through automatically. On the other hand, if it's a totally new connection formed by the remote host then it will need the ACL statement.

Though there are exceptions like FTP, where the remote end might initiate the data connection to a random port, and there the "inspect ftp" (to my understanding) is keeping track of the connections and allows the remote host's connections.

Might be also good to get some logs of the failed/successful attempt and copy/paste them here.

- Jouni

Just an assumption: You only test it with ICMP ping instead of "real" traffic and you don't have the ICMP-inspection active?

ahamadfaiz
Level 1

Hi All,

Thank you for the suggestions and sorry for the delayed response.

It was pretty silly. Enabled ICMP inspection and it worked.

Thanx again.

Cheers

Faiz
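The two approaches from this thread side by side in ASA CLI, as an added example that is not from the original posts. The interface names, the host address 10.1.1.10 and the PAT behind the outside interface address are assumed.

```cisco
! Added example, not from the thread. Names and addresses are assumed.
!
! Object NAT (PAT) hiding the internal host behind the outside interface address
object network INSIDE-HOST
 host 10.1.1.10
 nat (inside,outside) dynamic interface
!
! WORKAROUND used during troubleshooting: open the outside interface so
! echo-replies get in. Without ICMP inspection the ASA has no conn entry
! for the ping, so the reply is treated as new inbound traffic and dropped
! unless an ACL permits it. This rule also admits unsolicited echo-replies
! from any internet host, which is wider than "return traffic".
access-list OUTSIDE-IN extended permit icmp any object INSIDE-HOST echo-reply
access-group OUTSIDE-IN in interface outside
!
! FIX from the thread: inspect ICMP so echo/echo-reply are tracked as a
! stateful session matched to the xlate, and the inbound ACL entry above
! is no longer needed and can be removed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! service-policy global_policy global   (present in the default config)
!
! Checks after enabling inspection (ping from 10.1.1.10 while running):
!   show service-policy inspect icmp
!   show conn protocol icmp
!   show xlate
```

The `show conn protocol icmp` output should now list a conn for the echo request, and the reply should pass with no outside ACL.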