I hit an issue recently which I sort of understand but would like some clarification as to the behaviour.
I have an ASA that has just two interfaces - inside security-100 & outside security-0 (the reality is slightly different but this is easier to explain). The ASA needs to sync with an NTP server available on the outside interface, it also needs to resolve names using DNS to a couple of servers again reachable via the outside interface. Finally it needs to reach a webserver for PKI Certificate enrollment and Revocation checking.
With the simplest of configurations, an inbound permit ip any any on the inside interface, this doesn't work. Internal clients connecting from the inside to outside are fine; however, the traffic generated by the ASA doesn't pass. My understanding here is that there is no state created to allow the traffic to flow out of the outside interface. I got around this by adding an outbound ACL on the outside interface to permit the specific router-generated traffic; however, this had its own issues, as the inside-to-outside client traffic stopped, which meant that additional ACL entries had to be added to allow the traffic from the inside to flow out of the outside.
Does this sound correct? The reality is the inbound ACL on the inside interface is very strict, allowing only specific hosts & protocols. At the moment the outbound ACL on the outside interface is almost a mirror of the inbound ACL on the inside interface, and I don't believe it should be, as the inbound ACL on the inside interface should be creating the state?
There isn't too much detail on CCO regarding outbound ACLs on the ASA and their behaviour so I was hoping someone could enlighten me?
Hopefully that makes sense (to someone...)?
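As an added illustration of the layout the post describes (a constructed example, not the poster's actual configuration), here is a strict inbound ACL on the inside interface plus an outbound ACL on the outside interface that carries the ASA's own NTP, DNS and HTTP entries together with a mirror of the inside entries. Interface names, ACL names and all addresses are placeholders; NAT is omitted.

```cisco
! Constructed example, not the poster's running config. Addresses are placeholders.
! inside = security-level 100, outside = security-level 0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Inbound ACL on the inside interface: only specific hosts and protocols,
! with an explicit logged deny so blocked flows show up in syslog
access-list INSIDE_IN extended permit tcp host 192.168.10.50 any eq 443
access-list INSIDE_IN extended permit udp host 192.168.10.50 any eq 53
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Outbound ACL on the outside interface, part 1: the ASA's own traffic
! (NTP 123/udp, DNS 53/udp to two resolvers, HTTP 80/tcp to the CA / CRL web server)
access-list OUTSIDE_OUT extended permit udp host 203.0.113.10 host 198.51.100.5 eq 123
access-list OUTSIDE_OUT extended permit udp host 203.0.113.10 host 198.51.100.53 eq 53
access-list OUTSIDE_OUT extended permit udp host 203.0.113.10 host 198.51.100.54 eq 53
access-list OUTSIDE_OUT extended permit tcp host 203.0.113.10 host 198.51.100.80 eq 80
!
! Part 2: the mirror of INSIDE_IN that the post found was needed once an
! outbound ACL existed on outside (an applied ACL ends in an implicit deny)
access-list OUTSIDE_OUT extended permit tcp host 192.168.10.50 any eq 443
access-list OUTSIDE_OUT extended permit udp host 192.168.10.50 any eq 53
access-group OUTSIDE_OUT out interface outside
!
! Checks: per-entry hit counts, and any ACL denies (message 106023) in the log
show access-list OUTSIDE_OUT
show logging | include 106023
```

Comparing the hit counts on the two ACLs against the 106023 deny messages shows which direction is actually dropping the client traffic and the ASA's own NTP/DNS/HTTP flows.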