Notable Replies

  1. Telnet is working fine and I actually found 2 ways to allow ping in the ASA.
    The first one is:

    class-map global_policy
    class-map icmp-class
     match default-inspection-traffic
    class-map icmp
     match any
    class-map inspection_default
    policy-map icmp_policy
     class icmp
      inspect icmp
    service-policy icmp_policy global

    and the second one is creating an access list like this:

    access-list ICMP extended permit icmp any any
    access-group ICMP global

    Both do the same job.

  2. Hi Donald,

    In this example, I only used the routers so that I would have some devices to ping with/to. I also could have used computers but routers are easier since you can access them through the CLI and you don’t have to worry about firewalls blocking ICMP traffic.

    Sometimes, it can be useful to have a router in front of the ASA. As a firewall, the ASA does a great job at packet filtering / VPNs but it’s a poor router. If you want to use specific features (like policy based routing) then using a router in front of the ASA works very well. If you don’t need any router specific features, you might as well connect the ASA directly to your ISP.


  3. Hi Rene,

    To allow the DMZ traffic, would you need to put an ACL on the inside interface allowing DMZ traffic, or on the Inside interface allowing the DMZ source to come in? Or do you need to put ACLs on both interfaces?

    If DMZ is, say, range and Inside is range, would you put an ACL on the DMZ interface allowing access to and then put the same ACL on inside as well?

  4. Hi, quick question regarding the service policy placement on the ASA, not including global because that’s pretty self explanatory. I created just a simple topology where the ASA was in the middle and had 2 routers, one on either side. The outside interface had a security level of 0 and inside 100, and the outside interface is also blocking all traffic coming in. I implemented NAT on the ASA as well to change the inside network IPs to the outside interface.

    My policy map inspects ICMP and I applied it to a service policy that was placed on the inside interface. I tested it and everything worked as it should: NAT worked and allowed the traffic back into the inside network, and the outside router could not ping the outside ASA interface IP or any inside network addresses. So everything is fine there. The same was done for the outside interface and the same behaviour was present.

    My main question is then: how does the traffic get back through when the service policy is placed on the inside interface? When the class map matches ICMP, the inspection is applied in the policy map and the service policy is assigned to the inside interface, so the source IP would be the private IP of the host on the inside network. It then goes through NAT, where NAT changes the source IP to the outside IP. When the return traffic comes back, it comes back with a destination address of the ASA outside IP, but the dynamic ACL for the return traffic is for the destination address of the private IP, so how does it get through when there is no ACL for the traffic coming into the outside interface?

    This is different from assigning the service policy on the outside, where the dynamic ACL has the outside IP as the destination, which can then be allowed, and then the NAT binding table can direct traffic along its merry way.

    Does anyone know the answer to this?

  5. Hi, thanks for the post.
    I have done everything and it worked fine; unfortunately my firewall does not allow DNS resolution from the outside interface to the inside.
    Should I apply another ACL or inspect DNS traffic from outside to inside and vice versa?

    ASA3/SRV-A(config)# packet-tracer input TO-OUT tcp 53  53
    Phase: 1
    Result: ALLOW
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Subtype: input
    Result: ALLOW
    Additional Information:
    in inside
    input-interface: TO-OUT
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (sp-security-failed) Slowpath security checks failed
    **ASA3/SRV-A(config)# show run**
    : Saved
    : Serial Number: 123456789AB
    : Hardware:   ASA5520, 512 MB RAM, CPU Pentium II 1000 MHz
    ASA Version 9.1(5)16 <context>
    hostname SRV-A
    domain-name mod.gov.af
    enable password 8Ry2YjIyt7RRXU24 encrypted
    interface Ethernet0
     nameif inside
     security-level 100
     ip address
     hold-time eigrp 100 60
    interface Ethernet2
     nameif TO-OUT
     security-level 0
     ip address
     hold-time eigrp 100 60
    dns server-group DefaultDNS
     domain-name mod.gov.af
    access-list icmp extended permit icmp any any
    pager lines 24
    mtu inside 1500
    mtu TO-OUT 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group icmp in interface TO-OUT
    router eigrp 100
     eigrp router-id
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    no threat-detection statistics tcp-intercept
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
      message-length maximum client auto
      message-length maximum 512
      message-length maximum server auto
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    : end
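As an added example (not code from any poster in this thread), here is a small Python audit that reads an ASA running-config and reports, per interface, which of the two mechanisms from reply 1 will let echo replies back in: `inspect icmp` in a service policy that applies to that interface, or an ACL permitting ICMP bound to it (or globally). The config it parses is a constructed sample modelled on the one quoted above, with addresses and unrelated lines left out.

```python
import re

# Constructed sample modelled on the running-config quoted in this thread;
# it is not the poster's actual config.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif inside
interface Ethernet2
 nameif TO-OUT
access-list icmp extended permit icmp any any
access-group icmp in interface TO-OUT
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
service-policy global_policy global
"""

def parse_asa(config):
    """Pull out only the pieces that decide whether echo replies are accepted."""
    nameifs, icmp_acls, acl_on, inspecting, service = [], set(), {}, set(), []
    policy = None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("nameif "):
            nameifs.append(s.split()[1])
        elif m := re.match(r"access-list (\S+) .*\bpermit icmp\b", s):
            icmp_acls.add(m.group(1))                       # ACLs that permit ICMP
        elif m := re.match(r"access-group (\S+) (?:in interface (\S+)|global)", s):
            acl_on[m.group(2) or "global"] = m.group(1)     # where each ACL is bound
        elif m := re.match(r"policy-map (\S+)$", s):        # skips 'policy-map type inspect ...'
            policy = m.group(1)
        elif s == "inspect icmp" and policy:
            inspecting.add(policy)                          # policy-maps that inspect ICMP
        elif m := re.match(r"service-policy (\S+) (?:interface (\S+)|global)", s):
            service.append((m.group(1), m.group(2) or "global"))
    return nameifs, icmp_acls, acl_on, inspecting, service

def icmp_return_paths(config):
    """Map each nameif to the reasons echo replies arriving there get through;
    an empty list means they fall to the implicit deny on that interface."""
    nameifs, icmp_acls, acl_on, inspecting, service = parse_asa(config)
    paths = {}
    for ifc in nameifs:
        reasons = [f"inspect icmp ({pm}, {tgt})" for pm, tgt in service
                   if pm in inspecting and tgt in ("global", ifc)]
        for tgt in (ifc, "global"):
            if acl_on.get(tgt) in icmp_acls:
                reasons.append(f"acl {acl_on[tgt]} ({tgt})")
        paths[ifc] = reasons
    return paths
```

Feed it the output of `show run` to see which interfaces rely on inspection alone; an interface with an empty list is where a ping test will silently fail.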
