08-26-2005 03:00 AM - edited 03-09-2019 12:15 PM
Hi,
I am running a 6500 with FWSM in a test lab.
The FWSM is configured with 1 Admin Context and two Other Contexts. The FWSM is configured for transparent mode.
A client configured in on the inside side can initiate a connection through the firewall however the return SYN-ACK from the destination is being denied by the firewall.
Any obvious reasons why this might be occurring?
Miron
08-26-2005 03:21 AM
Hi,
Could you post the relevant context configuration and any debug messages?
Kind Regards
Cathy
08-26-2005 04:07 AM
Cathy,
I was doing some more troubleshooting and found that the access-list on the inside interface was not being enforced or even seen. When I attempt to telnet to a router upstream from the firewall the request reaches the router (however, the access-list on the inside is configured to deny telnet). The return SYN-ACK from the router is denied by the firewall with a message stating that there is no connection id for the session, which makes sense if the inside traffic is bypassing the firewall asa.
Miron
I will send you the configs shortly
08-26-2005 07:39 AM
08-26-2005 08:26 AM
Miron,
Nothing obviously wrong after the first read-through.
You might want to add the statements:
fixup protocol icmp
icmp permit any inside
to enable PING to work.
Add an explicit deny statement to the end of inside_access_in, so that when you do a sh access-list you'll be able to see if that is biting for some reason.
I'm confused by the first line of inside_access_in, which seems to be blocking tcp from port 23 to any host. Since the source port is ephemeral you might want to block on the destination port.
Kind Regards
Cathy
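To make the two suggestions concrete, here is an added configuration sketch (not a config posted in this thread; FWSM 2.x / PIX 6.x-style ACL syntax and the single permit line are assumptions, inside_access_in is the ACL name from the thread):

```cisco
! Added example, not from the thread. FWSM 2.x-style syntax assumed.
!
! The entry as Cathy reads it: the port operator sits after the SOURCE,
! so it only matches packets whose source port is 23. A client's
! ephemeral source port is almost never 23, so telnet passes.
access-list inside_access_in deny tcp any eq 23 any
!
! Intended rule: match telnet as the DESTINATION port.
access-list inside_access_in deny tcp any any eq 23
! (assumed) whatever traffic the lab actually wants to permit
access-list inside_access_in permit tcp any any eq 80
! Explicit final deny, so "sh access-list" shows a hit counter for
! anything the ACL is dropping instead of a silent implicit deny.
access-list inside_access_in deny ip any any
access-group inside_access_in in interface inside
!
! Let ping work through the transparent FWSM, as suggested above.
fixup protocol icmp
icmp permit any inside
!
! Check the counters after a telnet attempt. If the telnet still reaches
! the router while every inside_access_in line keeps hitcnt=0, the
! outbound packets are not traversing the FWSM at all, which is what a
! "no connection" drop on the returning SYN-ACK would suggest.
show access-list inside_access_in
```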
08-29-2005 11:49 PM
Miron,
It occurs to me that the problem is not with the FWSM but with the routing around it. Could you check the routing from your workstation to the end-device you were telnetting to?
The symptoms are consistent with the traffic from the workstation bypassing the FWSM, but the return traffic trying to pass through it (and then being dropped by the stateful firewall).
Kind Regards
Cathy