Wow!
Does that mean inspection prevents traffic that isn't originated from inside 
even if it's explicitly allowed in the access-list?
Oh well, If it does, then that's new knowledge for me :)
I need more people to confirm my ignorance here :) - I don't have access to a 
lab/emulator at the moment.
Best Regards, Tolulope Ogunsina, CCIE x2 (R&S|Sec)

-----Original Message-----
From: Kingsley Charles <[email protected]>
Date: Wed, 8 Sep 2010 17:21:06 
To: <[email protected]>
Cc: <[email protected]>; Johan 
Bornman<[email protected]>; <[email protected]>
Subject: Re: [OSL | CCIE_Security] Multicast traffic across Transparent firewall

Hi Tolulope

Yes I do have "permit icmp any any" to allow traffic from outside to inside
as R2 is on the outside and R1 is on the inside. I enabled logging console
and got the following message with "inspect icmp" enabled. Since there is
no matching session for the reply packet, it is being dropped.

%ASA-4-313004: Denied ICMP type=0, from laddr 10.20.30.41 on interface inside to 10.20.30.42: no matching session

If I remove "inspect icmp", it works fine.

With regards
Kings
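To see how often the ASA is dropping ICMP for lack of a tracked session, and on which interface and for which ICMP type, here is a small log check (an added example, not code from the thread or from Cisco). It assumes the 313004 wording is the one quoted above and uses constructed sample lines alongside the one from the message:

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Shape of the %ASA-4-313004 syslog line quoted in the thread. Assumption: the
# wording is identical across the ASA builds whose logs you are parsing.
ASA_313004 = re.compile(
    r"%ASA-\d-313004: Denied ICMP type=(?P<icmp_type>\d+), from laddr "
    r"(?P<src>[\d.]+) on interface (?P<iface>\S+) to (?P<dst>[\d.]+): "
    r"no matching session"
)

# Common ICMP type numbers (RFC 792); anything else is reported by number.
ICMP_NAMES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}


@dataclass(frozen=True)
class InspectDrop:
    icmp_type: int
    src: str
    iface: str
    dst: str


def parse_313004(line: str) -> Optional[InspectDrop]:
    """Return the drop described by a 313004 line, or None for any other line."""
    m = ASA_313004.search(line)
    if m is None:
        return None
    return InspectDrop(int(m["icmp_type"]), m["src"], m["iface"], m["dst"])


def summarize_drops(lines) -> Counter:
    """Count 313004 drops per (ingress interface, ICMP type name).

    Echo-reply drops on the inside interface mean the ASA never built a
    session from the matching echo request, which is the symptom the thread
    describes once "inspect icmp" is enabled.
    """
    counts = Counter()
    for line in lines:
        drop = parse_313004(line)
        if drop is not None:
            name = ICMP_NAMES.get(drop.icmp_type, f"type-{drop.icmp_type}")
            counts[(drop.iface, name)] += 1
    return counts


# Constructed sample: the line from the thread (twice) plus two made-up lines.
SAMPLE_LOG = [
    "%ASA-4-313004: Denied ICMP type=0, from laddr 10.20.30.41 on interface inside to 10.20.30.42: no matching session",
    "%ASA-4-313004: Denied ICMP type=0, from laddr 10.20.30.41 on interface inside to 10.20.30.42: no matching session",
    "%ASA-4-313004: Denied ICMP type=11, from laddr 10.20.30.1 on interface outside to 10.20.30.42: no matching session",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 10.20.30.42/0 gaddr 10.20.30.41/0 laddr 10.20.30.41/0",
]

if __name__ == "__main__":
    for (iface, name), n in summarize_drops(SAMPLE_LOG).items():
        print(f"{iface:>8} {name:<14} {n}")
```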

On Wed, Sep 8, 2010 at 4:52 PM, Tolulope Ogunsina <[email protected]> wrote:

> Hi Kings,
> Thought you already had a permit ip any any in your acl? Why do you need to
> turn off the inspect?
> I'm a bit confused here.
> Best Regards, Tolulope Ogunsina, CCIE x2 (R&S|Sec)
>
> -----Original Message-----
> From: Kingsley Charles <[email protected]>
> Sender: [email protected]
> Date: Wed, 8 Sep 2010 16:50:14
> To: Johan Bornman<[email protected]>
> Cc: <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Multicast traffic across Transparent firewall
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

