One-way connections

gabriel.gearip
Level 1

Hi,

Is it possible with the ASA5500 to allow only connections initiated from one side (e.g. inside)? No NAT involved!

Thanks.

Gabi


husycisco
Level 7

Hello Gabi,

Sure, this is what firewalls are built for primarily. By default, traffic from an interface with a higher security level (inside with 100) is permitted to an interface with a lower security level (outside with 0). Only return traffic is allowed.

Regards

Sorry for my ignorance but I'm trying to understand this :)

Of course, you're right. Still, I'm having trouble returning the traffic.

I'm pinging from a machine behind the inside interface (100) to a machine behind the outside (0). I'm sniffing the traffic on the outside and I see the ping request being received and the ping reply being sent. Still, the ASA is denying the ping reply to come back:

%ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)

Thanks.

Gabi

...and here's my answer, I didn't see it because of my nose :) :

The security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.

Gabi

Gabi,

It's not your fault actually. "By default, all ICMP packets are denied access unless specifically permitted."

A better way of saying this is "By default, ASA does not inspect ICMP traffic to permit the return traffic"

So add the following

policy-map global_policy
 class inspection_default
  inspect icmp

You cannot benefit from the stateful firewall, so that it lets the return traffic through, if you don't tell it to inspect the state of a specific traffic type or protocol.

Regards
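As an added example (not part of this thread and not Cisco's own tooling), here is a small Python check that audits a saved ASA running-config for exactly the fix above: it verifies that the policy-map applied with "service-policy ... global" contains a class with "inspect icmp". The two config fragments are constructed samples; the one-space-per-level indentation is the layout ASA uses when it prints its configuration.

```python
import re

# Constructed sample ASA running-config fragments (not taken from the thread).
CONFIG_WITHOUT_INSPECT = """\
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
service-policy global_policy global
"""

CONFIG_WITH_INSPECT = """\
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
service-policy global_policy global
"""

def parse_blocks(config):
    """Group an ASA config into {policy-map name: {class name: [action lines]}}
    using the one-space-per-level indentation ASA prints."""
    policies, current_policy, current_class = {}, None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        indent = len(line) - len(line.lstrip(" "))
        text = line.strip()
        if indent == 0:
            # A new top-level statement ends any open policy-map/class block.
            current_policy = current_class = None
            m = re.match(r"policy-map (\S+)$", text)  # skips "policy-map type inspect ..."
            if m:
                current_policy = m.group(1)
                policies[current_policy] = {}
        elif indent == 1 and current_policy and text.startswith("class "):
            current_class = text.split(None, 1)[1]
            policies[current_policy][current_class] = []
        elif indent >= 2 and current_class:
            policies[current_policy][current_class].append(text)
    return policies

def global_policy_name(config):
    """Name of the policy-map applied globally, or None if none is applied."""
    m = re.search(r"^service-policy (\S+) global$", config, re.M)
    return m.group(1) if m else None

def icmp_inspection_enabled(config):
    """True only if the globally applied policy-map has a class with 'inspect icmp'."""
    name = global_policy_name(config)
    if name is None:
        return False
    classes = parse_blocks(config).get(name, {})
    return any("inspect icmp" in actions for actions in classes.values())
```

Running icmp_inspection_enabled over a config pulled from "show running-config" tells you whether echo replies will be matched to their outbound requests or, as in Gabi's case, dropped with %ASA-3-106014.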
