I guess so. The only difference from lower security to higher security level is that we need an ACL that permits the traffic inbound. The inspection happens for traffic coming from outside to inside and hence it should match the existing session.
Telnet connection from outside to inside. The connection has flags UIOB and B means the initial SYN bit is from outside.

asa1# sh conn
3 in use, 4 most used
TCP outside 10.20.30.42:24760 inside 10.20.30.41:23, idle 0:00:02, bytes 146, flags UIOB
GRE outside 10.20.30.42:0 inside 10.20.30.41:0, idle 0:00:28, bytes 1190, flags E
GRE outside 10.20.30.42:0 inside 10.20.30.41:0, idle 0:00:23, bytes 658, flags E
asa1# sh conn

Hence the telnet reply packet should match the session. With inspect icmp, when ASA receives an echo-reply it looks if there is an echo session existing.

With regards
Kings

On Wed, Sep 8, 2010 at 5:21 PM, Tolulope Ogunsina <[email protected]> wrote:
> Wow!
> Does that mean inspection prevents traffic that isn't originated from
> inside even if it's explicitly allowed in the access-list?
> Oh well, if it does, then that's new knowledge for me :)
> I need more people to confirm my ignorance here :) - I don't have access to
> a lab/emulator at the moment.
>
> Best Regards, Tolulope Ogunsina, CCIE x2 (R&S|Sec)
> ------------------------------
> From: Kingsley Charles <[email protected]>
> Date: Wed, 8 Sep 2010 17:21:06 +0530
> To: <[email protected]>
> Cc: <[email protected]>; Johan Bornman <[email protected]>; <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Multicast traffic across Transparent firewall
>
> Hi Tolulope
>
> Yes I do have "permit icmp any any" to allow traffic from outside to inside
> as R2 is on the outside and R1 is on the inside. I enabled logging console
> and got the following message with "inspect icmp" enabled. Since there is
> no matching session for the reply packet it is being dropped.
>
> %ASA-4-313004: Denied ICMP type=0, from laddr 10.20.30.41 on interface inside to 10.20.30.42: no matching session
>
> If I remove "inspect icmp", it works fine.
>
> With regards
> Kings
>
> On Wed, Sep 8, 2010 at 4:52 PM, Tolulope Ogunsina <[email protected]> wrote:
>
>> Hi Kings,
>> Thought you already had a permit ip any any in your acl? Why do you need
>> to turn off the inspect?
>> I'm a bit confused here.
>> Best Regards, Tolulope Ogunsina, CCIE x2 (R&S|Sec)
>>
>> -----Original Message-----
>> From: Kingsley Charles <[email protected]>
>> Sender: [email protected]
>> Date: Wed, 8 Sep 2010 16:50:14
>> To: Johan Bornman <[email protected]>
>> Cc: <[email protected]>
>> Subject: Re: [OSL | CCIE_Security] Multicast traffic across Transparent firewall
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
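To make the session-matching point of the thread concrete, here is an added Python model; it is not Cisco code and not from anyone in this thread. It shows why, with "inspect icmp" enabled, an echo reply that has no corresponding echo request in the connection table is dropped with a "no matching session" message even though the ACL permits ICMP, while the same reply passes when inspection is off. The addresses, interface names and the log wording are taken from the messages above; the flag meanings in CONN_FLAGS are those documented for the ASA show conn command; the session key (addresses plus ICMP identifier and sequence) and the packet/firewall classes are simplifications assumed purely for illustration.

```python
"""Added illustration for this thread (not Cisco's code): a toy model of how
'inspect icmp' ties an echo reply to the echo request that opened a session,
plus a parser for the 'show conn' lines quoted above. Simplified on purpose."""
from dataclasses import dataclass, field
import re

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Flag letters seen in the thread's 'show conn' output, with the meanings
# documented for the ASA 'show conn' command.
CONN_FLAGS = {
    "U": "up",
    "I": "inbound data",
    "O": "outbound data",
    "B": "initial SYN from outside",
    "E": "outside back connection",
}

CONN_RE = re.compile(
    r"^(?P<proto>\w+) outside (?P<osrc>[\d.]+):(?P<oport>\d+) "
    r"inside (?P<isrc>[\d.]+):(?P<iport>\d+), idle (?P<idle>[\d:]+), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\w+)$")

def parse_show_conn(text):
    """Parse 'show conn' entry lines into dicts with the flags decoded."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # prompt, summary line or blank line
        d = m.groupdict()
        d["bytes"] = int(d["bytes"])
        d["decoded"] = [CONN_FLAGS.get(c, "unknown flag " + c) for c in d["flags"]]
        conns.append(d)
    return conns

@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int
    ingress: str  # interface the packet arrived on: "inside" or "outside"

@dataclass
class Firewall:
    inspect_icmp: bool
    acl_permits_icmp: bool = True  # "permit icmp any any" applied on outside
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _acl(self, pkt):
        # Only lower-to-higher security (outside -> inside) needs an ACL hit.
        return pkt.ingress != "outside" or self.acl_permits_icmp

    def forward(self, pkt):
        """Return 'permit', 'deny-acl' or 'deny-no-session'."""
        if pkt.icmp_type == ECHO_REQUEST:
            if not self._acl(pkt):
                return "deny-acl"
            if self.inspect_icmp:  # remember the echo so its reply can match
                self.sessions.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "permit"
        if pkt.icmp_type == ECHO_REPLY:
            if self.inspect_icmp:
                key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)  # reverse of request
                if key in self.sessions:
                    self.sessions.discard(key)  # one reply closes the session
                    return "permit"
                self.log.append(
                    f"%ASA-4-313004: Denied ICMP type={ECHO_REPLY}, from laddr "
                    f"{pkt.src} on interface {pkt.ingress} to {pkt.dst}: "
                    "no matching session")
                return "deny-no-session"
            # Without inspection the reply is ordinary ACL-filtered traffic.
            return "permit" if self._acl(pkt) else "deny-acl"
        raise ValueError("only echo request/reply are modelled")

R1, R2 = "10.20.30.41", "10.20.30.42"  # inside and outside hosts from the thread

def demo():
    """Constructed scenario: one reply whose request never crossed the firewall."""
    request = IcmpPacket(R2, R1, ECHO_REQUEST, ident=1, seq=1, ingress="outside")
    reply = IcmpPacket(R1, R2, ECHO_REPLY, ident=1, seq=1, ingress="inside")
    stray = IcmpPacket(R1, R2, ECHO_REPLY, ident=1, seq=2, ingress="inside")
    fw = Firewall(inspect_icmp=True)
    results = {
        "request": fw.forward(request),
        "matched reply": fw.forward(reply),
        "stray reply, inspect on": fw.forward(stray),
        "stray reply, inspect off": Firewall(inspect_icmp=False).forward(stray),
    }
    return results, fw.log
```

Running demo() shows the request opening a session, the matching reply being permitted and consuming it, and the stray reply being denied with the same %ASA-4-313004 wording seen in the thread; the same stray reply is permitted once inspection is off, which is exactly the behaviour change reported above. parse_show_conn() applied to the quoted output decodes UIOB on the telnet entry, where B records that the initial SYN came from outside.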
