[c-nsp] Cisco ASA return traffic with explicit deny on outside interface

Randy randy_94108 at yahoo.com
Thu Oct 9 19:40:14 EDT 2014


That is correct as well for ICMP and UDP since they are connectionless - a hole is still punched through the deny ip any any to allow return traffic.
What is initiated from outside gets dropped by the deny ip any any on outside.
./Randy

________________________________
From: Prabhu Gurumurthy <kepler62e.lyra at gmail.com>
To: Randy <randy_94108 at yahoo.com> 
Cc: Christopher Werny <cwerny at ernw.de>; "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net> 
Sent: Thursday, October 9, 2014 4:31 PM
Subject: Re: [c-nsp] Cisco ASA return traffic with explicit deny on outside interface



For UDP and ICMP, they go through timeouts (2 minutes for UDP and 2 seconds for ICMP) because there is no state involved, which can be tuned by timeout conn. If the return packet takes longer than the configured timeout, it is dropped or an ICMP message is sent back to the sender. But no ACL is needed for return traffic on the ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/t.html#wp1540870




On Thu, Oct 9, 2014 at 4:07 PM, Randy via cisco-nsp <cisco-nsp at puck.nether.net> wrote:

>Yes, for return traffic a hole will be punched through to allow - state is maintained - so for a SYN initiated from inside, as long as it is allowed by the ACL on the inside interface, the SYN-ACK will be allowed.
>
>The deny ip any any on outside will not allow anything initiated from the outside to make it in.
>
>./Randy
>
>----- Original Message -----
>From: Christopher Werny <cwerny at ernw.de>
>To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
>Cc:
>Sent: Thursday, October 9, 2014 12:42 PM
>Subject: [c-nsp] Cisco ASA return traffic with explicit deny on outside interface
>
>Good Evening,
>
>I know that might seem a simple and easy question, but I wasn't able to find an exact answer (but maybe my google-fu has just failed me or my brain just needs some sleep).
>
>I have an ASA running 8.4 in a pretty simple setup with 2 interfaces (inside/outside). I have 2 ACLs, where one is applied inbound on the inside, and one is applied inbound on the outside interface. The outside ACL has an explicit deny ip any any statement for logging purposes.
>
>I am wondering, does return traffic (for connections originated on the inside network) get through the ASA with the explicit deny ip any any statement in the outside ACL? I know it works without an ACL applied to the outside interface, but the explicit deny got me thinking. I haven't a device with me to test it, unfortunately.
>
>Thanks for your time.
>
>Best,
>Christopher
>
>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
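The setup the thread discusses, written out as an ASA 8.4 configuration. This is an added example, not from any of the posters; interface names, addresses and the permitted services are assumed, and the timeout values are the ASA defaults the replies mention.

```cisco
! Added example (not from the thread). Interface names and addresses
! are assumed; 203.0.113.0/24 and 192.168.10.0/24 are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Inbound ACL on inside: what internal hosts may initiate.
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 192.168.10.0 255.255.255.0 any eq 53
access-list INSIDE_IN extended permit icmp 192.168.10.0 255.255.255.0 any echo
access-list INSIDE_IN extended deny ip any any log
!
! Inbound ACL on outside: nothing may be initiated from outside. The
! explicit deny exists only to produce a syslog per dropped packet.
! Return traffic for an entry in the connection table is not evaluated
! against this ACL, so the deny does not affect established flows.
access-list OUTSIDE_IN extended deny ip any any log
!
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
!
! Idle timers for the connectionless "holes" (defaults: udp 2 min,
! icmp 2 s). A UDP or ICMP reply that arrives after its hole has
! expired is checked against OUTSIDE_IN and therefore dropped and logged.
timeout udp 0:02:00 icmp 0:00:02
```

To confirm the behaviour on a live box, `show conn` lists the inside-initiated entries that return traffic matches, and `show access-list OUTSIDE_IN` shows the deny hit counter rising only for unsolicited outside packets.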