ASA Stateful traffic

Dec 23rd, 2009

Cisco ASA5520

ASA 8.2(1)

ASDM 6.2(1)


Hi, I am new to the Cisco ASA firewall.

I have a request from a customer to allow only stateful traffic from one interface (intranet zone) to another interface (user zone) on the firewall.


How can this be achieved?

Correct me if I am wrong: are all ACLs created on the ASA firewall already stateful in nature?


Please advise

Jon Marshall Wed, 12/23/2009 - 02:45


You probably need more clarification from the customer.


You are right in what you say, in that the ASA is a stateful firewall, so all traffic that can have a state, i.e. TCP/ICMP/UDP, is statefully tracked by the ASA.


What the customer may mean is to only allow traffic from the intranet zone for connections that have been initiated from the user zone, i.e. no connections can be initiated from the intranet zone to the user zone, but traffic that is part of an existing connection is allowed.


But as i say, you need to clarify this with the customer.


Jon
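The following ASA 8.2 configuration is an added example of the design Jon describes; it is not from the original thread, and the interface names, security levels and addresses are assumed. Connections may only be started from the user zone toward the intranet zone, while intranet-to-user traffic is admitted solely when it belongs to a connection already in the ASA connection table. The interface ACLs are consulted only for the first packet of a connection; every later packet of an established connection is matched against the connection table and is not re-checked against the ACLs.

```cisco
! Added example, not from the original thread. Names and addresses are assumed.
interface GigabitEthernet0/0
 nameif userzone
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif intranet
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
! New connections may be started from userzone toward intranet only for
! the listed services. The final deny is the implicit default, made explicit
! so that refused attempts are logged.
access-list userzone_in extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 443
access-list userzone_in extended permit udp 10.10.0.0 255.255.255.0 host 10.20.0.53 eq 53
access-list userzone_in extended deny ip any any log
access-group userzone_in in interface userzone
!
! Refuse every new connection from intranet into userzone. Reply packets of
! connections that userzone opened still pass: they are matched against the
! connection table, not against this ACL.
access-list intranet_in extended deny ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 log
access-group intranet_in in interface intranet
!
! ICMP is tracked statefully only when "inspect icmp" is enabled. Without it,
! echo replies coming back from intranet would be dropped by intranet_in.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Two caveats a practitioner would check before deploying this. First, an ACL applied to an interface ends in an implicit deny, so if hosts on intranet also need to start connections toward other interfaces (an outside link, for instance), those flows need explicit permit lines in intranet_in ahead of the deny. Second, "show conn" shows the tracked connections that make the return traffic possible, and "show access-list userzone_in" shows per-line hit counts, which is the quickest way to confirm that replies are indeed bypassing the ACL rather than matching a permit line.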

J_Vansen_S Wed, 12/23/2009 - 18:40

Thanks Jon for your reply.


You are right that my customer means allowing traffic from the intranet zone for connections initiated from the user zone.

Is this achieved by doing a simple ACL (source-destination-port-allow), without any extra configuration?


Please advise


Jocelyn

Kureli Sankar Wed, 12/23/2009 - 19:26
Jocelyn,

Allowing outside to inside requires the following to be done.


1. Depending on which inside host (higher security) they need to get to from the outside (lower security), you need to provide a static translation or NAT exemption with an ACL for the inside host: static (i,o) o.o.o.o i.i.i.i, where o.o.o.o is the translated address and i.i.i.i is the inside address.


2. Then you need to allow this port and protocol, like you said, on the ACL applied on the outside.


3. Routing has to be configured so the inside source knows how to get to the outside host and vice versa.


Once all 3 are done traffic will start to flow as expected.


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html


You can read about static nat and nat exemption in the above link.


-KS
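The three steps above, worked through as an added ASA 8.2 example that is not part of the original thread. The interface names, addresses and the inside host are assumed for illustration. The version matters for step 2: on 8.2 and earlier the ACL on the lower-security interface matches the translated (mapped) address, whereas from 8.3 onward it references the real address, so a configuration copied between versions without adjusting the ACL silently stops matching.

```cisco
! Added example of the three steps, not from the original thread.
! ASA 8.2 syntax; names and addresses are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Step 1: static translation for the inside host.
! Form: static (real_interface,mapped_interface) mapped_ip real_ip
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Alternative to step 1 when no translation is wanted: NAT exemption,
! keeping the real address visible on the outside (e.g. toward a partner net).
! access-list nonat extended permit ip host 10.1.1.10 192.168.5.0 255.255.255.0
! nat (inside) 0 access-list nonat
!
! Step 2: ACL on the outside interface. On 8.2 this matches the MAPPED
! address 203.0.113.10 (on 8.3+ it would name the real address 10.1.1.10).
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
!
! Step 3: routing. The inside subnet is directly connected; the ASA needs a
! route toward the outside hosts, here a default route to the upstream router.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

To verify without waiting for real traffic, "packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443" (the source address is constructed) walks the packet through the NAT lookup, the ACL and the route lookup and reports which phase drops it. Once traffic flows, "show xlate" lists the active translation and "show conn" the tracked connection. One caveat on step 1: with the 8.x default of "no nat-control", a translation is only mandatory if a "nat (inside) ..." statement already covers the inside interface; if none does, the ACL and route alone suffice, but the static or exemption still makes the intended translation explicit.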
