FWSM Stateful Inspection

mironduplessis
Level 1

Hi,

I am running a 6500 with FWSM in a test lab.

The FWSM is configured with 1 Admin Context and two Other Contexts. The FWSM is configured for transparent mode.

A client on the inside can initiate a connection through the firewall; however, the return SYN-ACK from the destination is being denied by the firewall.

Any obvious reasons why this might be occurring?

Miron


ciscocsoc
Level 4

Hi,

Could you post the relevant context configuration and any debug messages?

Kind Regards

Cathy

Cathy,

I was doing some more troubleshooting and found that the access-list on the inside interface was not being enforced or even seen. When I attempt to telnet to a router upstream from the firewall, the request reaches the router (however, the access-list on the inside is configured to deny telnet). The return SYN-ACK from the router is denied by the firewall with a message stating that there is no connection id for the session, which makes sense if the inside traffic is bypassing the firewall.

Miron

I will send you the configs shortly

Cathy,

This is the config as requested.

Miron

Miron,

Nothing obviously wrong after the first read-through.

You might want to add the statements:

fixup protocol icmp

icmp permit any inside

to enable PING to work.

Add an explicit deny statement to the end of inside_access_in, so that when you do a sh access-list you'll be able to see if that is biting for some reason.

I'm confused by the first line of inside_access_in, which seems to be blocking tcp from port 23 to any host. Since the source port is ephemeral you might want to block on the destination port.

Kind Regards

Cathy

Miron,

It occurs to me that the problem is not with the FWSM but with the routing around it. Could you check the routing from your workstation to the end-device you were telnetting to?

The symptoms are consistent with the traffic from the workstation bypassing the FWSM, but the return traffic trying to pass through it (and then being dropped by the stateful firewall).

Kind Regards

Cathy
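As an added illustration (not part of the thread or of any Cisco code), the toy stateful firewall below reproduces both points Cathy raises: an inside ACL line written against source port 23 never matches a client's SYN, and a SYN-ACK that arrives from outside without a forward-flow entry is dropped with "no connection", which is exactly what asymmetric routing around the FWSM produces. Addresses, ports and the `telnet_attempt` helper are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN" or "SYN-ACK"

@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    dport: Optional[int] = None  # match destination port, as Cathy suggests
    sport: Optional[int] = None  # match source port, like the thread's first ACL line
    def matches(self, pkt: Packet) -> bool:
        return ((self.dport is None or pkt.dport == self.dport)
                and (self.sport is None or pkt.sport == self.sport))

@dataclass
class StatefulFirewall:
    inside_acl: list
    conns: set = field(default_factory=set)  # (src, dst, sport, dport) of inside-initiated flows
    def inspect(self, pkt: Packet, ingress: str) -> str:
        if ingress == "outside":
            # Return traffic is accepted only if the forward SYN built state.
            reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
            return "permit" if reverse in self.conns else "deny: no connection"
        for entry in self.inside_acl:  # first match wins; implicit deny at the end
            if entry.matches(pkt):
                if entry.action == "deny":
                    return "deny: acl"
                break
        else:
            return "deny: implicit"
        if pkt.flags == "SYN":
            self.conns.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return "permit"

WRONG_ACL = [AclEntry("deny", sport=23), AclEntry("permit")]  # never matches a client SYN
RIGHT_ACL = [AclEntry("deny", dport=23), AclEntry("permit")]

def telnet_attempt(acl, syn_via_firewall: bool):
    """Constructed flow: inside client 10.0.0.10 telnets to upstream router 10.0.0.1."""
    fw = StatefulFirewall(acl)
    syn = Packet("10.0.0.10", "10.0.0.1", 40000, 23, "SYN")
    synack = Packet("10.0.0.1", "10.0.0.10", 23, 40000, "SYN-ACK")
    first = fw.inspect(syn, "inside") if syn_via_firewall else "bypassed firewall"
    return [first, fw.inspect(synack, "outside")]
```

With `syn_via_firewall=False` the SYN-ACK is dropped whatever the ACL says, which is why checking the routing rather than the FWSM configuration is the right next step.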