ZBF: Required to 'pass' icmp errors in the reverse direction ?

sylvain.munaut
Level 1

Hi,

I've noticed something when having some traffic inspected.

Imagine you have a zone A and a zone B and a policy allowing all connections from A to B:

class-map type inspect match-any cm_all
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect pm_all
 class cm_all
  inspect
zone-pair security zp_A_to_B source zone_A destination zone_B
 service-policy type inspect pm_all

Now, it turns out that for everything to work as intended, you also need to add a reverse policy B to A that allows icmp errors to pass through.

ip access-list extended acl_icmp_err
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
ipv6 access-list acl_icmp6_err
 permit icmp any any unreachable
 permit icmp any any hop-limit
 permit icmp any any packet-too-big
class-map type inspect match-all cm_icmp_err
 match protocol icmp
 match access-group name acl_icmp_err
class-map type inspect match-all cm_icmp6_err
 match protocol icmp
 match access-group name acl_icmp6_err
policy-map type inspect pm_icmp_err
 class cm_icmp_err
  pass
 class cm_icmp6_err
  pass
! reverse direction: B -> A, so the ICMP errors sent back towards A are admitted
zone-pair security zp_B_to_A source zone_B destination zone_A
 service-policy type inspect pm_icmp_err

Without this, things like PMTU, traceroute, ... won't work.

I would have expected that icmp errors "related" to a currently inspected session would be accepted in the return traffic, but that's apparently not the case.

Can anyone comment on this?

Cheers,

    Sylvain

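The check the post expected the firewall to perform, as an added example that is not part of this thread and not Cisco's code: a stateful inspector that admits an ICMP error only when the original datagram quoted inside it belongs to an already inspected session, rather than passing every unreachable/ttl-exceeded message unconditionally as the ACL above does. Everything here is constructed for illustration: the session table, the 10.1.1.0/24 and 10.2.2.0/24 addresses, and the IPv4-only packet builders (checksums are left zero).

```python
import struct
from ipaddress import IPv4Address

# Constructed table of sessions the firewall has already inspected A -> B,
# keyed as (protocol, src, sport, dst, dport). Hypothetical addresses.
SESSIONS = {
    (6, "10.1.1.10", 40000, "10.2.2.20", 443),     # HTTPS from A to B
    (17, "10.1.1.10", 33434, "10.2.2.20", 33434),  # UDP traceroute probe
}
ICMP_ERROR_TYPES = {3, 11}  # destination unreachable, time exceeded

def parse_ipv4(buf):
    """Return (header length, protocol, src, dst) of an IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    return ihl, buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20]))

def related_session(packet):
    """Return the inspected session an ICMP error belongs to, or None.
    The decision uses the quoted inner datagram, not the outer addresses."""
    ihl, proto, _, _ = parse_ipv4(packet)
    if proto != 1:                       # not ICMP at all
        return None
    icmp = packet[ihl:]
    if icmp[0] not in ICMP_ERROR_TYPES:  # echo/echo-reply etc. are not errors
        return None
    inner = icmp[8:]                     # quoted original IP header + 8 bytes
    if len(inner) < 28:                  # too short to carry a usable 5-tuple
        return None
    in_ihl, in_proto, in_src, in_dst = parse_ipv4(inner)
    if len(inner) < in_ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[in_ihl:in_ihl + 4])
    key = (in_proto, in_src, sport, in_dst, dport)
    return key if key in SESSIONS else None

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (checksum left zero; constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def build_icmp_error(itype, code, original):
    """ICMP error: type, code, checksum, unused word, then the quoted datagram."""
    return struct.pack("!BBHI", itype, code, 0, 0) + original[:28]

# Constructed: a router on the B side answers A's traceroute probe with TTL exceeded.
probe = build_ipv4(17, "10.1.1.10", "10.2.2.20", struct.pack("!HHHH", 33434, 33434, 8, 0))
ttl_exceeded = build_ipv4(1, "10.2.2.1", "10.1.1.10", build_icmp_error(11, 0, probe))
```

Running `related_session(ttl_exceeded)` returns the traceroute session, while an error quoting a flow that was never inspected, or a plain echo-reply, returns None and would be dropped.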
1 Reply

sylvain.munaut
Level 1

WTF ??? The whole thread is gone ???
