
Cisco 515E Pix 7.0(1) denying reply traffic

Status
Not open for further replies.

Pixxer26 (Technical User, CA), Mar 7, 2006
Hi Everyone,

I have a problem with traffic that is allowed out but gets denied by the firewall on the reply.
For example:
I have a rule that allows ICMP out from a device in the DMZ. I see in the log the request go out, and a tcpdump on the device that I am pinging shows it come in and the reply. Viewing the log on the Cisco, I see it build a connection from the device that I had pinged and it just denies it. To me it seems like stateful inspection isn't taking place. So as a test, I added an inbound rule to allow any traffic from the device that I am pinging, and well, I get the response. Kind of weird, 'cause it just started happening. Nothing changed. Other devices in the DMZ are acting like they should. Anything that I should check?
 
Stateful inspection only works on stateful protocols..

ICMP and UDP are not stateful protocols, so you must open up the ports for return traffic.


BuckWeet
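On PIX 7.0(1) ICMP echo/reply pairs are tracked in the connection table only when ICMP inspection is enabled under the Modular Policy Framework; without it the reply is evaluated as new inbound traffic and hits the interface ACL, which is the deny the original poster saw right after the "Built ... ICMP connection" message. Below, as an added example configuration that is not from this thread, the broad inbound-ACL workaround is shown next to the inspection-based fix; all addresses, interface and ACL names are placeholders.

```cisco
! Added example, not the thread's configuration. Placeholder addressing:
!   DMZ host doing the ping ........ 192.0.2.10  (interface "dmz")
!   external host being pinged ..... 198.51.100.5 (interface "outside")
!
! --- Workaround used in the thread: permit the reply traffic inbound ---
! Works, but it admits ANY traffic from the pinged host, not just the
! replies to requests the DMZ host actually sent.
access-list outside_in extended permit ip host 198.51.100.5 host 192.0.2.10
access-group outside_in in interface outside
!
! --- Preferred fix: make the PIX track ICMP as a connection ---
! PIX 7.0 installs class-map/policy-map "inspection_default"/"global_policy"
! by default; ICMP is not in the default inspect list, so add it here.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect icmp
  inspect icmp error
service-policy global_policy global
!
! With "inspect icmp" active the echo reply matches the ICMP conn built by
! the outbound request, so the outside_in permit above can be removed.
! Verify with:
!   show service-policy        (confirms "Inspect: icmp" on the global policy)
!   show conn                  (an ICMP conn for 192.0.2.10 <-> 198.51.100.5
!                               should appear while the ping is running)
!   show logging               (the %PIX-4-106023 "Deny ... by access-group"
!                               entries for the replies should stop)
```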
 
That's right, they are.. Man. Something, I guess, had changed as well. The device was doing domain UDP lookups to a DNS server that was also in the DMZ, which got removed. So the lookups were going out the external interface and, as you have said, UDP and ICMP are not stateful protocols. The lookups were getting dropped.
 
