Hello all,
Just received new ASA 5510 and am doing initial testing and config in my lab. I have set up three interfaces
e0/0 as inside, security=100
e0/1 as dmz, security=50
e0/2 as outside, security=0
I used the following statement to set up dynamic nat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
I have two simple access lists configured for testing.
access-list inside_in extended permit icmp any any echo
access-list inside_in deny ip any any
access-list outside_in permit icmp any any echo-reply
So here's what I'm seeing:
When I ping an address on the outside, it works fine. The address is properly NAT'd and I get the reply. If I try to telnet out to a device, it blocks it as expected as per the access-list.
Now the strange part. My 6509 in my lab is running the config from my production switch and is configured to hit a NTP server on our internal network. This VLAN is not up in the lab. So it is sending NTP UDP packets looking for the server. Since that NTP server is not there and the VLAN is not up, the 6509 is sending these requests out the default route which sends them to the ASA 5510.
I am seeing these UDP packets coming out of the outside interface of the ASA. They also are not being NAT'd, which is quite disturbing.
We are moving to this from another firewall and this is my first go around with a Cisco firewall, so I'm sure I'm just missing something.
Thanks for your help,
Will
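As an added illustration (not part of the post above), here is a small first-match evaluator for the two access-lists quoted in it, used to check what `inside_in` and `outside_in` should do with the three kinds of traffic mentioned: ICMP echo, telnet, and the 6509's NTP (UDP/123) requests. It assumes the ACLs are actually bound to the interfaces with `access-group` (the post does not show this), and since both ACLs use `any any` it ignores source and destination addresses.

```python
"""Toy first-match evaluator for ASA extended ACLs (constructed example)."""
from dataclasses import dataclass

# Constructed input: the two access-lists quoted in the post, one entry per line.
INSIDE_IN = """
access-list inside_in extended permit icmp any any echo
access-list inside_in deny ip any any
"""
OUTSIDE_IN = "access-list outside_in permit icmp any any echo-reply"

# ICMP type names used by the ASA keyword syntax -> numeric type.
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    dport: int = 0        # destination port for tcp/udp
    icmp_type: int = -1   # ICMP type for icmp


def parse_acl(text):
    """Parse 'access-list <name> [extended] <permit|deny> <proto> any any [qualifier]'."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        i = 3 if tok[2] == "extended" else 2
        action, proto = tok[i], tok[i + 1]
        qualifier = tok[i + 4:]   # e.g. ["echo"], ["eq", "123"], or []
        entries.append((action, proto, qualifier))
    return entries


def matches(entry, pkt):
    """'ip' matches every protocol; icmp/tcp/udp may carry a type or port qualifier."""
    _, proto, qualifier = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if proto == "icmp" and qualifier:
        return ICMP_TYPES[qualifier[0]] == pkt.icmp_type
    if proto in ("tcp", "udp") and qualifier[:1] == ["eq"]:
        return int(qualifier[1]) == pkt.dport
    return True


def evaluate(acl, pkt):
    """Return the action of the first matching entry; the ASA denies if nothing matches."""
    for entry in acl:
        if matches(entry, pkt):
            return entry[0]
    return "deny"
```

With the ACLs as written, the only inside-to-outside traffic that should pass is ICMP echo; telnet and the UDP/123 NTP requests both fall through to `deny ip any any`, which is why seeing them leave the outside interface warrants checking how (and whether) the ACL and NAT rules are actually bound.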