[c-nsp] Cisco ASA return traffic with explicit deny on outside interface
Peter Rathlev
peter at rathlev.dk
Thu Oct 9 16:15:50 EDT 2014
On Thu, 2014-10-09 at 19:42 +0000, Christopher Werny wrote:
> I am wondering, does return traffic (for connections originated on the
> inside network) get through the ASA with the explicit deny ip any any
> statement in the outside ACL? I know it works without an ACL applied
> to the outside interface, but the explicit deny got me thinking. I
> haven't a device with me to test it unfortunately
It's allowed. Generally speaking, only packets that initiate new
connections are subjected to the access-list rules. All applicable
access-lists (e.g. both inbound on inside and outbound on outside for a
packet moving from inside to outside) must allow the connection, but
when it has been allowed then access-lists are not considered for
subsequent related packets.
If you're familiar with iptables then you can compare this to having an
implicit "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule before
anything else.
--
Peter
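To make the behaviour Peter describes concrete, here is a small Python model of stateful ACL evaluation, added as an illustration of this thread and not code from Cisco or from either poster. It assumes a simplified firewall with no TCP state machine, NAT or inspection: a packet is looked up in a connection table first, and only a packet that creates a new connection is run through the inbound ACL of its ingress interface and the outbound ACL of its egress interface. The interface names, ACLs and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""
Toy model of ASA-style stateful access-list evaluation (added illustration,
not Cisco code). Simplifications: no TCP flag checking, no NAT, no inspection,
no ACL timeouts. Routing is a plain longest-prefix-free lookup over two nets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. 'permit ip 10.0.0.0/8 any'."""
    action: str            # "permit" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str = "ip"      # "ip" matches any protocol
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("ip", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate_acl(acl, pkt: Packet) -> bool:
    """First-match semantics with an implicit deny at the end, as on an ASA."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


class StatefulFirewall:
    def __init__(self, routes, acls):
        self.routes = routes   # {interface: CIDR}; first match wins
        self.acls = acls       # {(interface, "in"|"out"): [Ace, ...]}; absent = no ACL
        self.conns = set()     # connection table keyed by 5-tuple

    def interface_for(self, ip: str) -> str:
        for name, net in self.routes.items():
            if ip_address(ip) in ip_network(net):
                return name
        raise ValueError(f"no route for {ip}")

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Existing connection in either direction: ACLs are not consulted at all.
        if fwd in self.conns or rev in self.conns:
            return "established"
        ingress = self.interface_for(pkt.src)
        egress = self.interface_for(pkt.dst)
        # New connection: every applicable ACL (inbound on ingress, outbound on
        # egress) must permit it before the connection is created.
        for key in ((ingress, "in"), (egress, "out")):
            acl = self.acls.get(key)
            if acl is not None and not evaluate_acl(acl, pkt):
                return f"denied by {key[0]} {key[1]} ACL"
        self.conns.add(fwd)
        return "new connection"


def demo():
    """Reproduces the scenario from the thread: deny ip any any on outside."""
    fw = StatefulFirewall(
        routes={"inside": "10.0.0.0/8", "outside": "0.0.0.0/0"},
        acls={
            ("inside", "in"): [Ace("permit", "10.0.0.0/8", "0.0.0.0/0")],
            ("outside", "out"): [Ace("deny", "0.0.0.0/0", "0.0.0.0/0", "tcp", 25),
                                 Ace("permit", "0.0.0.0/0", "0.0.0.0/0")],
            ("outside", "in"): [Ace("deny", "0.0.0.0/0", "0.0.0.0/0")],
        },
    )
    return [
        fw.process(Packet("10.1.1.5", 40000, "203.0.113.10", 443)),   # inside -> outside, new
        fw.process(Packet("203.0.113.10", 443, "10.1.1.5", 40000)),   # return traffic
        fw.process(Packet("198.51.100.7", 5555, "10.1.1.5", 22)),     # unsolicited from outside
        fw.process(Packet("10.1.1.5", 40001, "203.0.113.10", 25)),    # blocked by outside "out" ACL
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second packet is the one the original question is about: it arrives on outside, whose inbound ACL is deny ip any any, yet it passes because the connection table already holds the forward flow. The fourth packet shows the other half of Peter's answer: a new connection must be permitted by every ACL on its path, so an outbound ACL on outside can still block an inside-originated flow.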