access-list question

Answered Question
Oct 6th, 2008
User Badges:

I'm working on building an access list for the inside interface of my ASA and while looking at a few packet captures of traffic crossing that interface I'm starting to question my understanding of acls. I'm pretty sure in previous configurations of other firewalls, ASAs included, I did not have to account for return traffic initiated by hosts on the Internet. For example, say there is a web server sitting on the inside interface, and the access list on the outside interface allowed for traffic from any host to www of the host on the inside. The host's source port would be some random high order port, in which case the www server on the inside would be responding on that high order port. I don't need to allow for return traffic to those high order ports if I put an access list on the inside interface in the inbound direction do I? Won't the outside interface acl and stateful packet filtering account for that return traffic crossing the inside interface without getting blocked?


thank you,


Bill

Correct Answer by Jon Marshall about 8 years 5 months ago

Bill


You are correct in your assumptions. The access-list on the inside interface should not have an effect on stateful return traffic. I say stateful because some traffic you need to allow both ways eg. GRE traffic but normal TCP traffic such as for a webserver is stateful.


This would only be an issue for you if these were normal access-lists on router interfaces - then it would matter.


Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jon Marshall Mon, 10/06/2008 - 10:47
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Bill


You are correct in your assumptions. The access-list on the inside interface should not have an effect on stateful return traffic. I say stateful because some traffic you need to allow both ways eg. GRE traffic but normal TCP traffic such as for a webserver is stateful.


This would only be an issue for you if these were normal access-lists on router interfaces - then it would matter.


Jon

Actions

This Discussion