[c-nsp] Cisco ASA return traffic with explicit deny on outside interface

Christopher Werny cwerny at ernw.de
Thu Oct 9 15:42:56 EDT 2014


Good Evening,

I know that might seem a simple and easy question, but I wasn't able to find an exact answer (but maybe my google-fu has just failed me or my brain just needs some sleep).

I have an ASA running 8.4 in a pretty simple setup with 2 interfaces (inside/outside). I have to 2 ACLs where one is applied inbound on the inside, and one ACL applied inbound on the outside interface. The outside ACL has an explicit deny ip any any statement for logging purposes.

I am wondering, does return traffic (for connections originated on the inside network) get through  the ASA with the explicit deny ip any any statement in the outside ACL?  I know it works without an ACL applied to the outside interface, but the explicit deny got me thinking. I haven't a device with me to test it unfortunately

Thanks for your time.

Best,
Christopher





More information about the cisco-nsp mailing list