[c-nsp] Cisco ASA return traffic with explicit deny on outside interface

Brad McGinn bmcginn at thiess.com.au
Thu Oct 9 20:48:37 EDT 2014


Return traffic will be permitted.

Any traffic originating on a network connected to a higher security interface will not need an ACL to ingress.  When the traffic egresses to a lower security interface it will automatically be let back in.

Any traffic originating on a network connected to a lower security interface will need an ACL to allow ingress.  When the traffic egresses to a higher security interface it will also be let back in.

That's how I remember it anyway.. :-)

Point 3. In the below link seems to back me up.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html




-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christopher Werny
Sent: Friday, 10 October 2014 5:43 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASA return traffic with explicit deny on outside interface

Good Evening,

I know that might seem a simple and easy question, but I wasn't able to find an exact answer (but maybe my google-fu has just failed me or my brain just needs some sleep).

I have an ASA running 8.4 in a pretty simple setup with 2 interfaces (inside/outside). I have to 2 ACLs where one is applied inbound on the inside, and one ACL applied inbound on the outside interface. The outside ACL has an explicit deny ip any any statement for logging purposes.

I am wondering, does return traffic (for connections originated on the inside network) get through  the ASA with the explicit deny ip any any statement in the outside ACL?  I know it works without an ACL applied to the outside interface, but the explicit deny got me thinking. I haven't a device with me to test it unfortunately

Thanks for your time.

Best,
Christopher



_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_____________________________________________________________________

IMPORTANT - This email and any attachments may be confidential and privileged.

If received in error, please contact Thiess and delete all copies.  You may not

rely on advice and documents received by email unless confirmed by a signed Thiess

letter.  This restriction on reliance will not apply to the extent that the above email

communication is between parties to a contract and is authorised under that contract.

Before opening or using attachments, check them for viruses and defects.  Thiess'

liability is limited to resupplying any affected attachments. THIESS PRIVACY STATEMENT<http://www.thiess.com.au/privacy>




More information about the cisco-nsp mailing list