Hi,
I've noticed something when having some traffic inspected.
Imagine you have a zone A and a zone B and a policy allowing all connections from A to B:

class-map type inspect match-any cm_all
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect pm_all
 class cm_all
  inspect
zone-pair security zp_A_to_B source zone_A destination zone_B
 service-policy type inspect pm_all
Now, it turns out that for everything to work as intended, you also need to add a reverse policy B to A that allows ICMP errors to pass through.

ip access-list extended acl_icmp_err
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
ipv6 access-list acl_icmp6_err
 permit icmp any any unreachable
 permit icmp any any hop-limit
 permit icmp any any packet-too-big
class-map type inspect match-all cm_icmp_err
 match protocol icmp
 match access-group name acl_icmp_err
class-map type inspect match-all cm_icmp6_err
 match protocol icmp
 match access-group name acl_icmp6_err
policy-map type inspect pm_icmp_err
 class cm_icmp_err
  pass
 class cm_icmp6_err
  pass
! reverse zone-pair (B to A); attaching a second service-policy to zp_A_to_B would replace pm_all
zone-pair security zp_B_to_A source zone_B destination zone_A
 service-policy type inspect pm_icmp_err
Without this, things like PMTU, traceroute, ... won't work.
I would have expected that ICMP errors "related" to a currently inspected session would be accepted in the return traffic, but that's apparently not the case.
Can anyone comment on this?
Cheers,
Sylvain
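An added example (not from the poster or from Cisco) that audits a ZBFW config for the gap described above: it parses class-maps, policy-maps and zone-pairs from running-config text and reports every inspect zone-pair that has no reverse zone-pair passing ICMP back. The sample config is constructed; the reverse zone-pair name zp_B_to_A is an assumption, since the post only says "a reverse policy B to A".

```python
# Constructed sample config, not from the poster's device; zp_B_to_A is an assumed name.
INSPECT_ONLY = """
class-map type inspect match-any cm_all
 match protocol icmp
 match protocol tcp
policy-map type inspect pm_all
 class cm_all
  inspect
zone-pair security zp_A_to_B source zone_A destination zone_B
 service-policy type inspect pm_all
"""
REVERSE_PASS = """
class-map type inspect match-all cm_icmp_err
 match protocol icmp
 match access-group name acl_icmp_err
policy-map type inspect pm_icmp_err
 class cm_icmp_err
  pass
zone-pair security zp_B_to_A source zone_B destination zone_A
 service-policy type inspect pm_icmp_err
"""
def parse_zbfw(config):
    """Return class-map match lines, policy-map class->action, and zone-pairs."""
    cms, pms, zps, ctx, cur = {}, {}, {}, None, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        w = line.split()
        if line.startswith('class-map type inspect'):      # class-map ... <mode> <name>
            ctx, cms[w[-1]] = ('cm', w[-1]), []
        elif line.startswith('policy-map type inspect'):   # policy-map ... <name>
            ctx, pms[w[-1]] = ('pm', w[-1]), {}
        elif line.startswith('zone-pair security'):        # zone-pair security <n> source <s> destination <d>
            ctx, zps[w[2]] = ('zp', w[2]), {'src': w[4], 'dst': w[6], 'policy': None}
        elif ctx and ctx[0] == 'cm' and w[0] == 'match':
            cms[ctx[1]].append(' '.join(w[1:]))
        elif ctx and ctx[0] == 'pm' and w[0] in ('class', 'inspect', 'pass', 'drop'):
            if w[0] == 'class': cur = w[1]
            pms[ctx[1]][cur] = None if w[0] == 'class' else w[0]
        elif ctx and ctx[0] == 'zp' and w[0] == 'service-policy':
            zps[ctx[1]]['policy'] = w[-1]
    return cms, pms, zps
def passes_icmp(zp, cms, pms):
    """True if the zone-pair's policy has a class matching ICMP with action 'pass'."""
    return any(act == 'pass' and 'protocol icmp' in cms.get(cls, [])
               for cls, act in pms.get(zp['policy'], {}).items())
def inspect_pairs_missing_icmp_return(config):
    cms, pms, zps = parse_zbfw(config)
    def returns_icmp(zp):   # is there a reverse zone-pair for zp that passes ICMP?
        return any(passes_icmp(r, cms, pms) for r in zps.values()
                   if (r['src'], r['dst']) == (zp['dst'], zp['src']))
    return [name for name, zp in zps.items()
            if 'inspect' in pms.get(zp['policy'], {}).values() and not returns_icmp(zp)]
```

Running it on INSPECT_ONLY alone flags zp_A_to_B; with REVERSE_PASS appended, nothing is flagged.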