ASA Stateful traffic

J_Vansen_S
Level 3

Cisco ASA5520

ASA 8.2(1)

ASDM 6.2(1)

Hi, I am new to the Cisco ASA firewall.

I have a request from a customer to allow only stateful traffic from one interface (intranet zone) to another interface (user zone) on the firewall.

How can this be achieved?

Correct me if I am wrong: are all ACLs created on the ASA firewall already stateful in nature?

Please advise.

3 Replies

Jon Marshall
Hall of Fame

You probably need more clarification from the customer.

You are right in what you say: the ASA is a stateful firewall, so all traffic that can have a state, i.e. TCP/ICMP/UDP, is statefully tracked by the ASA.

What the customer may mean is to only allow traffic from the intranet zone for connections that have been initiated from the user zone, i.e. no connections can be initiated from the intranet zone to the user zone, but traffic that is part of an existing connection is allowed.

But as I say, you need to clarify this with the customer.

Jon

Thanks, Jon, for your reply.

You are right that my customer means allowing traffic from the intranet zone for connections initiated from the user zone.

Is this achieved by doing a simple ACL (source, destination, port, allow) without any extra configuration?

Please advise.

Jocelyn

Jocelyn,

Allowing outside to inside requires the following to be done.

1. Depending on which inside host (higher security) they need to get to from the outside (lower security), you need to provide a static translation or NAT exemption with an ACL for the inside host: static (i,o) o.o.o.o i.i.i.i, where o.o.o.o is the translated address and i.i.i.i is the inside address.

2. Then you need to allow this port and protocol, like you said, in the ACL applied on the outside interface.

3. Routing has to be configured so the inside source knows how to get to the outside host and vice versa.

Once all three are done, traffic will start to flow as expected.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

You can read about static nat and nat exemption in the above link.

-KS
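Putting Jon's point about the connection table together with KS's three steps, for the case the customer actually asked about (connections may only be initiated from the user zone; the intranet zone may only send reply traffic), here is an ASA 8.2 configuration added as an illustration. It is not from this thread or from Cisco's documentation. The interface names (users, intranet), the addresses, the security levels, the ACL names and the permitted ports are all assumptions chosen for the example.

```cisco
! Added example, not from the thread. Assumed layout (not from the posts):
!   users    - user zone,     10.20.0.0/16, security-level 50
!   intranet - intranet zone, 10.10.0.0/16, security-level 80
! Because intranet is the higher security level, intranet -> users would be
! allowed by default, so both directions get an explicit ACL.

interface GigabitEthernet0/1
 nameif users
 security-level 50
 ip address 10.20.0.1 255.255.0.0
!
interface GigabitEthernet0/2
 nameif intranet
 security-level 80
 ip address 10.10.0.1 255.255.0.0
!
! Step 1 (KS): NAT exemption between the two zones, 8.2 syntax.
! "nat 0 access-list" is matched in both directions, so the reply
! packets from intranet are covered as well.
access-list USERS-TO-INTRANET-NONAT extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
nat (users) 0 access-list USERS-TO-INTRANET-NONAT
!
! Step 2 (KS): ACL on the user interface listing what users may initiate.
! Everything else hits the explicit deny (there is an implicit deny anyway).
access-list USERS_IN extended permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 443
access-list USERS_IN extended permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 80
access-list USERS_IN extended permit icmp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 echo
access-list USERS_IN extended deny ip any any log
access-group USERS_IN in interface users
!
! ACL on the intranet interface: nothing may be initiated toward users.
! No "established"-style rule is needed (Jon's point): a packet that
! belongs to an entry in the connection table never consults this ACL,
! only the first packet of a new flow does.
access-list INTRANET_IN extended deny ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 log
! Assumed: intranet hosts keep access to any other destination.
access-list INTRANET_IN extended permit ip 10.10.0.0 255.255.0.0 any
access-group INTRANET_IN in interface intranet
!
! Caveat: ICMP is only tracked in the connection table when ICMP inspection
! is enabled. Without it the echo-reply from intranet is a new flow and is
! dropped by INTRANET_IN.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Step 3 (KS): routing. Here both subnets are directly connected, so no
! extra routes are required.
!
! Verification. After a user host (assumed 10.20.5.7) opens a session:
show conn address 10.20.5.7
! And an intranet-initiated SYN should be reported as dropped by the ACL:
packet-tracer input intranet tcp 10.10.1.1 12345 10.20.5.7 445
```

Two things worth checking on a real box. First, whether nat-control is enabled and whether any other nat/global statements already touch the users interface; the exemption above makes the example work either way, but if you drop it and a dynamic NAT rule matches the users subnet, user-to-intranet traffic fails with a "no translation group" drop. Second, TCP and UDP get connection-table entries without any inspection, so for those the ACLs alone give the behaviour the customer described; ICMP needs the inspect icmp line, otherwise the deny on the intranet interface will log the echo replies.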
