[c-nsp] Cisco ASA return traffic with explicit deny on outside interface
Christopher Werny
cwerny at ernw.de
Fri Oct 10 08:15:53 EDT 2014
Thanks to everyone for taking the time to answer my question!
Cheers,
Christopher
-----Original Message-----
From: Brad McGinn [mailto:bmcginn at thiess.com.au]
Sent: Freitag, 10. Oktober 2014 02:49
To: Christopher Werny; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco ASA return traffic with explicit deny on outside interface
Return traffic will be permitted.
Any traffic originating on a network connected to a higher security interface will not need an ACL to ingress. When the traffic egresses to a lower security interface it will automatically be let back in.
Any traffic originating on a network connected to a lower security interface will need an ACL to allow ingress. When the traffic egresses to a higher security interface it will also be let back in.
That's how I remember it anyway.. :-)
Point 3. In the below link seems to back me up.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christopher Werny
Sent: Friday, 10 October 2014 5:43 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASA return traffic with explicit deny on outside interface
Good Evening,
I know that might seem a simple and easy question, but I wasn't able to find an exact answer (but maybe my google-fu has just failed me or my brain just needs some sleep).
I have an ASA running 8.4 in a pretty simple setup with 2 interfaces (inside/outside). I have to 2 ACLs where one is applied inbound on the inside, and one ACL applied inbound on the outside interface. The outside ACL has an explicit deny ip any any statement for logging purposes.
I am wondering, does return traffic (for connections originated on the inside network) get through the ASA with the explicit deny ip any any statement in the outside ACL? I know it works without an ACL applied to the outside interface, but the explicit deny got me thinking. I haven't a device with me to test it unfortunately
Thanks for your time.
Best,
Christopher
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_____________________________________________________________________
IMPORTANT - This email and any attachments may be confidential and privileged.
If received in error, please contact Thiess and delete all copies. You may not
rely on advice and documents received by email unless confirmed by a signed Thiess
letter. This restriction on reliance will not apply to the extent that the above email
communication is between parties to a contract and is authorised under that contract.
Before opening or using attachments, check them for viruses and defects. Thiess'
liability is limited to resupplying any affected attachments. THIESS PRIVACY STATEMENT<http://www.thiess.com.au/privacy>
More information about the cisco-nsp
mailing list