ASA Stateful traffic

Unanswered Question
Dec 23rd, 2009

Cisco ASA5520

ASA 8.2(1)

ASDM 6.2(1)

Hi, I am new to the Cisco ASA firewall.

I have a request from a customer to allow only stateful traffic from one interface (intranet zone) to another interface (user zone) on the firewall.

How can this be achieved?

Correct me if I am wrong: are all ACLs created on the ASA firewall already stateful in nature?

Please advise

Jon Marshall Wed, 12/23/2009 - 02:45

J_Vansen_S wrote:

Cisco ASA5520

ASA 8.2(1)

ASDM 6.2(1)

Hi, I am new to the Cisco ASA firewall.

I have a request from a customer to allow only stateful traffic from one interface (intranet zone) to another interface (user zone) on the firewall.

How can this be achieved?

Correct me if I am wrong: are all ACLs created on the ASA firewall already stateful in nature?

Please advise

You probably need more clarification from the customer.

You are right in what you say, in that the ASA is a stateful firewall, so all traffic that can have a state, i.e. TCP/ICMP/UDP, is statefully tracked by the ASA.

What the customer may mean is to only allow traffic from the intranet zone for connections that have been initiated from the user zone, i.e. no connections can be initiated from the intranet zone to the user zone, but traffic that is part of an existing connection is allowed.

But as I say, you need to clarify this with the customer.

Jon

J_Vansen_S Wed, 12/23/2009 - 18:40

Thanks Jon for your reply.

You are right that my customer means allowing traffic from the intranet zone for connections initiated from the user zone.

Is this achieved by doing a simple ACL (source-destination-port-allow), without any extra configuration?

Please advise

Jocelyn

Kureli Sankar Wed, 12/23/2009 - 19:26

Jocelyn,

Allowing outside to inside requires the following to be done.

1. Depending on which inside host (higher security) they need to get to from the outside (lower security), you need to provide a static translation or NAT exemption with an ACL for the inside host: static (i,o) o.o.o.o i.i.i.i, where o.o.o.o is the translated address and i.i.i.i is the inside address.

2. Then you need to allow this port and protocol, like you said, on the ACL applied on the outside.

3. Routing has to be configured so the inside source knows how to get to the outside host and vice versa.

Once all three are done, traffic will start to flow as expected.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

You can read about static nat and nat exemption in the above link.

-KS
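A constructed ASA 8.2 configuration, added here and not taken from the thread, showing the stateful default for user-zone-initiated connections plus the three steps above for one intranet-initiated exception. Interface names, security levels, addresses, the host 10.2.2.50 and its mapped address 10.1.1.50 are all assumptions.

```cisco
! Constructed example: the user zone is the higher-security side and the
! intranet zone the lower-security side. All addresses are assumptions.
interface GigabitEthernet0/0
 nameif users
 security-level 100
 ip address 10.2.2.1 255.255.255.0
interface GigabitEthernet0/1
 nameif intranet
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
! Connections initiated in the users zone toward the intranet zone are
! permitted by the security levels (100 -> 50). Their replies are matched
! against the connection table, so no ACL entry on "intranet" is needed
! for return traffic. ICMP echo replies are only tracked statefully when
! ICMP inspection is enabled in the default global policy:
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Optional exception, only if a specific intranet-initiated flow is later
! required. Assumed host 10.2.2.50 is reached on TCP/443 from the assumed
! remote intranet network 10.3.0.0/16 via its mapped address 10.1.1.50.
!   1. translation: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (users,intranet) 10.1.1.50 10.2.2.50 netmask 255.255.255.255
!   2. permit only that port on the ACL applied to the lower-security
!      interface; the permit must precede the final deny
access-list INTRANET_IN extended permit tcp 10.3.0.0 255.255.0.0 host 10.1.1.50 eq 443
!   3. a route back to the remote intranet network (10.1.1.254 assumed)
route intranet 10.3.0.0 255.255.0.0 10.1.1.254
!
! Everything else initiated from the intranet zone toward the user zone is
! denied. Lower -> higher is already denied by default; the explicit deny
! with logging makes the policy visible in the ACL hit counts and syslog.
access-list INTRANET_IN extended deny ip any any log
access-group INTRANET_IN in interface intranet
!
! Verification: list tracked connections and per-line ACL hit counts.
! show conn
! show access-list INTRANET_IN
```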
