Cisco ASA 5520 is not stateful on GNS3

Dureck.Steven
Level 1

Hi folks,

I'm studying for my CCNA Security and I'm doing some labs in GNS3. At the moment I'm learning to configure an ASA firewall, and this is where I'm stuck now.

I have configured a Cisco ASA running version 8.4(2) with ASDM version 6.4(9). I configured the typical scenario with ASDM: inside (100), outside (0) and DMZ (50) in GNS3. For traffic coming from inside to outside, NAT is in place (dynamic PAT with the outside IP address).

Now I'm confused because I only receive a ping reply if an access rule is in place to permit that traffic. But in my mind the ASA should allow the reply by default because of stateful packet inspection. If I remove the access rules, all traffic is blocked.

Can anyone tell me what is wrong in this case?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

With Dynamic PAT (at least) you will need ICMP Inspection for the firewall to allow the ICMP Echo Replies automatically through the firewall. To my understanding this allows the ASA to handle the ICMP through the Dynamic PAT translation and also only allow the correct Echo Reply back through the firewall without ACLs.

Without ICMP Inspection you will have to allow at least the ICMP Echo Reply messages back through the external interface.

With regards to TCP/UDP traffic the firewall should automatically allow the traffic from higher "security-level" interface to a lower one and allow the return traffic for that connection.

- Jouni

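The two approaches in the accepted answer, written out as ASA 8.4 CLI. This is an added example and not configuration from the original post; the subnet, object name, ACL name and the outside host address are assumptions chosen for illustration. The point to take away is the one the answer makes: TCP and UDP return traffic is matched to a connection entry by port, but an ICMP echo has no ports, so without `inspect icmp` the ASA does not track echo requests per flow and the reply is treated as an unsolicited inbound packet that only an interface ACL can admit.

```cisco
! Added example (not from the original post). Assumed values: inside network
! 192.168.1.0/24, outside test host 203.0.113.10, object/ACL names are made up.
!
! Dynamic PAT of the inside network to the outside interface address
! (object NAT syntax used from ASA 8.3 onward, matching the poster's 8.4(2)).
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Option 1 (stateful): add ICMP to the default inspection policy. The default
! global_policy on 8.4 does not inspect ICMP. With it enabled, each echo request
! creates a connection entry keyed on the translated ICMP identifier, and only
! the matching echo reply is allowed back; no inbound ACL on outside is needed.
! "inspect icmp error" additionally fixes up the inner header of ICMP error
! messages (unreachable, time-exceeded) so they map back through the PAT.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Option 2 (what the poster was effectively doing): leave ICMP uninspected and
! permit the reply types inbound on the outside interface. This is stateless:
! any outside host may send these ICMP types to any inside host at any time.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! Verification while a ping from 192.168.1.10 is running
show service-policy inspect icmp
show xlate
show conn
packet-tracer input inside icmp 192.168.1.10 8 0 203.0.113.10
```

The `policy-map global_policy` lines edit the policy that the ASA factory default already binds with `service-policy global_policy global`; if the lab's default config was removed, that binding has to be re-added or the inspection never takes effect. Two practical caveats: the ICMP connection entries created by inspection expire quickly (the `timeout icmp` default is two seconds), so `show conn` must be run while the ping is active to see them, and `packet-tracer` will report the inspection verdict and the NAT rule hit, which is the fastest way to tell in GNS3 whether a ping is being dropped by the ACL phase or by the lack of inspection.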

2 Replies


Hi JouniForss,

Thank you very much, I knew there was an error in my thinking. You saved my day.
