06-09-2008 09:00 AM - edited 03-11-2019 05:57 AM
Hello,
We have recently migrated from an IPTABLES-based setup (used, among other things, for NAT and firewalling) to an ASA 5510.
While the transition has been smooth, an issue has arisen.
Some of the network people had in the past, through IPTABLES NAT, access to anything. In particular, they use BGPlay (a Java app) once in a while to view routes and BGP info. There was no problem when they used IPTABLES, but now, if they use the ASA as a NAT firewall, the Java applet fails to establish a connection.
NAT access for BGPlay is open as it was before, and I did assume that it would behave as before; obviously it does not.
The first connection is to port 80, but the second is from the next port to 21174.
This is not a related connection but a new one; it works through IPTABLES but not through the ASA.
Has anyone seen this behavior?
Thanks,
Miguel.
06-09-2008 12:19 PM
Why don't you allow this connection by using an ACL? Is this new connection from the client >> BGPlay server, or in the opposite direction? In the client >> BGPlay server direction it should be permitted, as all higher >> lower security traffic is permitted by default. You can also use the 'established' command, but this is not recommended for security reasons.
Regards
Farrukh
06-09-2008 01:12 PM
Found the problem; it was not related to the ASA per se, but to an ancient access-list on an edge router that was not allowing traffic from the new network we were using.
Miguel.
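To illustrate the root cause Miguel describes (a pre-migration access-list on the edge router that never learned about the new network), here is an added example that is not configuration from the original thread. It shows what such a stale Cisco IOS ACL looks like, the one-line fix, the counter check that points at the offending line, and an ASA packet-tracer run to rule the ASA out first. The ACL name, interface name, subnets and IP addresses are all assumptions.

```cisco
! Assumed (hypothetical) addressing:
!   old internal network 192.0.2.0/24, new network 198.51.100.0/24
!   client 198.51.100.10, BGPlay server 203.0.113.50
!
! Edge-router ACL written before the migration: only the old
! network is permitted outbound, so the new network falls through
! to the final deny and every BGPlay connection from it is dropped.
ip access-list extended OUTBOUND-FILTER
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! Check: the deny line's hit counter climbs each time the applet
! tries its second (port 21174) connection.
show access-lists OUTBOUND-FILTER
!
! Fix: insert the new network ahead of the final deny using a
! sequence number, so the existing lines are left untouched.
ip access-list extended OUTBOUND-FILTER
 15 permit ip 198.51.100.0 0.0.0.255 any
!
! On the ASA, confirm the second connection would be allowed
! inside -> outside before blaming the ASA at all. The source port
! is arbitrary; 21174 is the destination port from the thread.
packet-tracer input inside tcp 198.51.100.10 40000 203.0.113.50 21174
```

If packet-tracer reports ALLOW on every phase (including NAT), the ASA is not where the flow dies, which is exactly the situation in this thread; the next hop to examine is the router ACL, where `show access-lists` with `log` on the deny line shows which entry is eating the traffic.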
06-09-2008 01:28 PM
Ahh OK, good to know the issue is solved now :)
Regards
Farrukh