[c-nsp] Cisco ASA return traffic with explicit deny on outside interface

Prabhu Gurumurthy kepler62e.lyra at gmail.com
Thu Oct 9 19:31:20 EDT 2014


For UDP and ICMP, they go through timeouts (2 minutes for UDP and 2 seconds
for ICMP) because there is no state involved, which can be tuned by
timeout conn. If the return packet takes a longer time than the configured
timeout, it is dropped, or an ICMP message is sent back to the sender. But no ACL
is needed for return traffic on the ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/t.html#wp1540870


On Thu, Oct 9, 2014 at 4:07 PM, Randy via cisco-nsp <
cisco-nsp at puck.nether.net> wrote:

> Yes, for return traffic a hole will be punched through to allow - state is
> maintained - so for a SYN initiated from inside, as long as it is allowed by
> the ACL on the inside interface, the SYN-ACK will be allowed.
>
> The deny ip any any on outside will not allow anything initiated from the
> outside to make it in.
>
> ./Randy
>
>
>
> ----- Original Message -----
> From: Christopher Werny <cwerny at ernw.de>
> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Cc:
> Sent: Thursday, October 9, 2014 12:42 PM
> Subject: [c-nsp] Cisco ASA return traffic with explicit deny on outside
> interface
>
> Good Evening,
>
> I know that might seem a simple and easy question, but I wasn't able to
> find an exact answer (but maybe my google-fu has just failed me or my brain
> just needs some sleep).
>
> I have an ASA running 8.4 in a pretty simple setup with 2 interfaces
> (inside/outside). I have 2 ACLs, where one is applied inbound on the
> inside, and one ACL applied inbound on the outside interface. The outside
> ACL has an explicit deny ip any any statement for logging purposes.
>
> I am wondering, does return traffic (for connections originated on the
> inside network) get through the ASA with the explicit deny ip any any
> statement in the outside ACL? I know it works without an ACL applied to
> the outside interface, but the explicit deny got me thinking. I don't have a
> device with me to test it, unfortunately.
>
> Thanks for your time.
>
> Best,
> Christopher
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
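The two-interface setup Christopher describes, written out as an added configuration example for readers of the archive. This is not configuration from the thread or from Cisco; interface names, ACL names, addresses and the omission of NAT are assumptions. The verification commands at the end (packet-tracer, show conn, show access-list) are standard ASA exec commands and are the quickest way to confirm the stateful behaviour Randy and Prabhu describe without a lab: a flow created by an inside-initiated packet is matched by the connection table before the outside ACL is ever consulted, while a packet with no matching connection hits the explicit deny and increments its hit count.

```cisco
! Constructed example of the setup discussed in the thread (ASA 8.4 style).
! Interface names, ACL names and addresses are assumptions; NAT is omitted.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Applied inbound on inside: what internal hosts may initiate.
access-list inside_in extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list inside_in extended permit udp 10.0.0.0 255.255.255.0 any eq 53
access-list inside_in extended permit icmp 10.0.0.0 255.255.255.0 any echo
access-list inside_in extended deny ip any any log
!
! Applied inbound on outside: nothing may be initiated from outside.
! The explicit deny exists only for logging, as in the original question;
! it never sees return traffic, which matches the connection table first.
access-list outside_in extended deny ip any any log
!
access-group inside_in in interface inside
access-group outside_in in interface outside
!
! Idle timers for the connection table (ASA defaults shown). TCP flows use
! the conn timer; UDP and ICMP pseudo-connections use their own timers, and a
! reply arriving after the timer has expired is treated as a new,
! outside-initiated packet and is dropped by outside_in.
timeout conn 1:00:00
timeout udp 0:02:00
timeout icmp 0:00:02
!
! Verification from exec mode (no second device needed):
!
! 1. Simulate an inside host opening an HTTPS connection. Expected result:
!    ALLOW, with an ACCESS-LIST phase matching inside_in and a
!    FLOW-CREATION phase building the connection entry.
! packet-tracer input inside tcp 10.0.0.10 40000 198.51.100.20 443
!
! 2. Show the connection the tracer (or real traffic) created. The SYN-ACK
!    from 198.51.100.20:443 back to 10.0.0.10:40000 matches this entry and
!    never reaches outside_in.
! show conn protocol tcp address 10.0.0.10
!
! 3. Simulate an unsolicited packet from outside on a port with no existing
!    connection. Expected result: DROP at the ACCESS-LIST phase on outside_in.
! packet-tracer input outside tcp 198.51.100.20 443 10.0.0.10 40001
!
! 4. Confirm that only the unsolicited packet hit the explicit deny: the
!    hitcnt on the deny line increments for step 3 and not for step 2.
! show access-list outside_in
```

The point of steps 2 and 3 together is the check a practitioner wants before trusting the deny for logging: the hit count on outside_in should stay flat while established inside-initiated sessions carry reply traffic, and climb only for genuinely unsolicited packets. If it climbs during normal browsing, the replies are arriving after the UDP or ICMP timer has expired and the timers (not the ACL) are what need attention.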

