[c-nsp] Cisco ASA return traffic with explicit deny on outside interface

Pete Lumbis alumbis at gmail.com
Thu Oct 9 15:56:31 EDT 2014


Existing connections skip the ACL check.

Take a look at Jay Johnston's Cisco Live presentation from this year
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78697&backBtn=true

On Thu, Oct 9, 2014 at 3:42 PM, Christopher Werny <cwerny at ernw.de> wrote:

> Good Evening,
>
> I know that might seem a simple and easy question, but I wasn't able to
> find an exact answer (but maybe my google-fu has just failed me or my brain
> just needs some sleep).
>
> I have an ASA running 8.4 in a pretty simple setup with 2 interfaces
> inside/outside). I have 2 ACLs where one is applied inbound on the
> inside, and one ACL applied inbound on the outside interface. The outside
> ACL has an explicit deny ip any any statement for logging purposes.
>
> I am wondering, does return traffic (for connections originated on the
> inside network) get through the ASA with the explicit deny ip any any
> statement in the outside ACL? I know it works without an ACL applied to
> the outside interface, but the explicit deny got me thinking. I haven't a
> device with me to test it, unfortunately.
>
> Thanks for your time.
>
> Best,
> Christopher
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
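The following Python is an added illustration, not part of this thread and not Cisco's code. It models the order of operations Pete's answer relies on: a packet is first matched against the connection table, and only a packet that would open a new connection is evaluated against the inbound ACL of the interface it arrives on. The interface names, the two-ACL policy, the addresses and the log-line format are constructed for the example; the real ASA pipeline (TCP state tracking, NAT, inspection engines) is considerably more involved than this model.

```python
"""Simplified model of stateful firewall packet handling (not ASA code).

Order modelled: connection-table lookup first; the ingress interface's
inbound ACL is consulted only for packets that start a new connection;
a permitted new connection is added to the table so its return traffic
passes without an ACL check. Deliberately simplified for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ingress: str            # interface the packet arrives on ("inside"/"outside")
    src: str
    dst: str
    proto: str              # "tcp", "udp", ...
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None   # None matches any destination port
    log: bool = False


@dataclass
class StatefulFirewall:
    acls: dict                                # interface -> inbound ACL (list of Ace)
    conns: set = field(default_factory=set)   # established connections
    hits: list = field(default_factory=list)  # ACL log lines (constructed format)

    @staticmethod
    def _conn_key(pkt: Packet):
        # Both directions of one flow map to the same key.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    @staticmethod
    def _ace_matches(ace: Ace, pkt: Packet) -> bool:
        return (ace.proto in ("ip", pkt.proto)
                and ace.src in ("any", pkt.src)
                and ace.dst in ("any", pkt.dst)
                and ace.dport in (None, pkt.dport))

    def process(self, pkt: Packet) -> str:
        key = self._conn_key(pkt)
        # Step 1: existing connection -> forward, ACL is not consulted at all.
        if key in self.conns:
            return "permit-existing"
        # Step 2: new connection -> walk the ingress interface's inbound ACL.
        for ace in self.acls.get(pkt.ingress, []):
            if self._ace_matches(ace, pkt):
                if ace.log:
                    self.hits.append(
                        f"{ace.action} {pkt.proto} {pkt.src}/{pkt.sport} -> "
                        f"{pkt.dst}/{pkt.dport} on {pkt.ingress}")
                if ace.action == "permit":
                    self.conns.add(key)   # Step 3: permitted -> create connection entry
                    return "permit-new"
                return "deny-acl"
        return "deny-implicit"


def build_firewall() -> StatefulFirewall:
    """The two-ACL layout from the question, as a constructed sample policy."""
    inside_in = [Ace("permit")]             # inside hosts may open anything outbound
    outside_in = [Ace("deny", log=True)]    # explicit "deny ip any any log"
    return StatefulFirewall({"inside": inside_in, "outside": outside_in})


def run_scenario() -> dict:
    """Outbound SYN, its SYN/ACK reply, and one unsolicited inbound packet."""
    fw = build_firewall()
    client, server, stranger = "10.1.1.10", "203.0.113.5", "198.51.100.9"  # constructed
    syn = Packet("inside", client, server, "tcp", 40000, 443)
    syn_ack = Packet("outside", server, client, "tcp", 443, 40000)
    unsolicited = Packet("outside", stranger, client, "tcp", 55555, 22)
    return {
        "outbound": fw.process(syn),
        "return": fw.process(syn_ack),
        "unsolicited": fw.process(unsolicited),
        "logged": list(fw.hits),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

Running it shows the return packet arriving on the outside interface is forwarded on the strength of the connection entry created by the outbound SYN, while the unsolicited inbound packet is the only one that reaches the outside ACL and produces a log line from the explicit deny.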