10-30-2008 04:25 AM - edited 03-11-2019 07:05 AM
Hi,
Is it possible with the ASA5500 to allow only connections initiated from one side (e.g. inside)? No NAT involved!
Thanks.
Gabi
10-30-2008 06:05 AM
Hello Gabi,
Sure, this is what firewalls are built for primarily. By default, traffic from an interface with a higher security level (inside with 100) is permitted to interface with lower security level (outside with 0). Only return traffic is allowed.
Regards
10-30-2008 07:34 AM
Sorry for my ignorance but I'm trying to understand this :)
Of course, you're right. Still, I'm having trouble returning the traffic.
I'm pinging from a machine behind the inside interface (100) to a machine behind the outside (0). I'm sniffing the traffic on the outside and I see the ping request being received and the ping reply being sent. Still, the ASA is denying the ping reply from coming back:
%ASA-3-106014: Deny inbound icmp src interface_name:IP_address dst interface_name:IP_address (type dec, code dec)
Thanks.
Gabi
10-30-2008 07:37 AM
...and here's my answer, I didn't see it because of my nose :) :
The security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.
Gabi
10-30-2008 07:42 AM
Gabi,
It's not your fault actually. "By default, all ICMP packets are denied access unless specifically permitted."
A better way of saying this is "By default, ASA does not inspect ICMP traffic to permit the return traffic"
So add the following
policy-map global_policy
 class inspection_default
  inspect icmp
You cannot benefit from the stateful firewall letting the return traffic through if you don't tell it to inspect the state of a specific traffic type or protocol.
Regards
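To make the behaviour described in this thread concrete, here is a small added model (example code, not Cisco's implementation): without `inspect icmp` an echo reply arriving on the lower-security interface has no connection entry to match and is dropped with a 106014-style message, while with inspection the echo request creates an entry that the reply consumes. Interface names, security levels and addresses are assumed or constructed.

```python
"""Toy model of ASA ICMP handling with and without `inspect icmp` (added example,
not Cisco code). Interface names and addresses are assumed/constructed."""
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8
SECURITY_LEVEL = {"inside": 100, "outside": 0}  # assumed interface names/levels

@dataclass(frozen=True)
class Icmp:
    iface: str       # interface the packet arrives on
    src: str
    dst: str
    icmp_type: int
    ident: int       # echo identifier; matched together with seq on the reply
    seq: int

class Asa:
    def __init__(self, inspect_icmp: bool):
        self.inspect_icmp = inspect_icmp
        self.conns: set[tuple] = set()   # echo requests awaiting their reply
        self.syslog: list[str] = []

    def forward(self, pkt: Icmp, egress: str) -> bool:
        """Return True if the packet is permitted. Higher->lower security is
        allowed by default; lower->higher only if it matches tracked state."""
        if SECURITY_LEVEL[pkt.iface] > SECURITY_LEVEL[egress]:
            if self.inspect_icmp and pkt.icmp_type == ECHO_REQUEST:
                # inspection records the request so the reply can be matched
                self.conns.add((pkt.dst, pkt.src, pkt.ident, pkt.seq))
            return True
        key = (pkt.src, pkt.dst, pkt.ident, pkt.seq)
        if pkt.icmp_type == ECHO_REPLY and key in self.conns:
            self.conns.discard(key)  # one reply per request, then state is torn down
            return True
        # no matching state: deny and log in the format seen in the thread
        self.syslog.append(f"%ASA-3-106014: Deny inbound icmp src {pkt.iface}:{pkt.src} "
                           f"dst {egress}:{pkt.dst} (type {pkt.icmp_type}, code 0)")
        return False

def ping_through(inspect_icmp: bool) -> tuple[bool, bool]:
    """One echo request inside->outside and its reply back.
    Returns (request_permitted, reply_permitted). Addresses are constructed."""
    asa = Asa(inspect_icmp)
    req = Icmp("inside", "10.0.0.5", "192.0.2.10", ECHO_REQUEST, 0x1234, 1)
    rep = Icmp("outside", "192.0.2.10", "10.0.0.5", ECHO_REPLY, 0x1234, 1)
    return asa.forward(req, "outside"), asa.forward(rep, "inside")
```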