Session table and return traffic across Firewall

Unanswered Question
Feb 16th, 2010

Hi!

I need your help to understand something about the stateful inspection.

Say we have a source X (initiator) that wants to access a destination Y that is in the "inside" network of the ASA. The source X is accessing Y across a tunnel.

We have a Crypto ACL allowing this traffic (mandatory to establish the tunnel). On the "inside" interface we have an ACL applied but do not have a line allowing Y to reach X.

Since X is the initiator and the ASA is configured to allow X->Y, based on the session table will the return traffic be allowed even though the inside ACL doesn't allow it?

If yes, should this logic apply to normal traffic as well?

Jon Marshall Tue, 02/16/2010 - 12:03

sridharlatcw wrote:

Hi!

I need your help to understand something about the stateful inspection.

Say we have a source X (initiator) that wants to access a destination Y that is in the "inside" network of the ASA. The source X is accessing Y across a tunnel.

We have a Crypto ACL allowing this traffic (mandatory to establish the tunnel). On the "inside" interface we have an ACL applied but do not have a line allowing Y to reach X.

Since X is the initiator and the ASA is configured to allow X->Y, based on the session table will the return traffic be allowed even though the inside ACL doesn't allow it?

If yes, should this logic apply to normal traffic as well?

As long as the inside ACL is applied inbound to the interface then yes, return traffic from Y -> X will be allowed because of the stateful nature of the firewall. There are a few exceptions, e.g. non-stateful traffic such as GRE would need to be allowed on the inside ACL because the firewall doesn't keep state for this protocol. ICMP used to be the same but the ASA now supports ICMP inspection.

And yes this logic applies to normal traffic as well.

Jon

sridharlatcw Wed, 02/17/2010 - 08:36

Oh.. ok that was something I was not aware of. I thought the return traffic would be denied because the ACL (applied inbound on the inside interface) is not allowing it. Anyways... Jon thank you for the explanation, I appreciate that.

-Sridhar L

Jon Marshall Wed, 02/17/2010 - 08:39

sridharlatcw wrote:

Oh.. ok that was something I was not aware of. I thought the return traffic would be denied because the ACL (applied inbound on the inside interface) is not allowing it. Anyways... Jon thank you for the explanation, I appreciate that.

-Sridhar L

Sridhar

No problem, glad to have helped.

If you were talking about normal ACLs on a router then yes, it would be blocked, but because it is a stateful firewall, once the connection has been allowed in either direction the return traffic will be allowed without checking ACLs.

Jon
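To make the behaviour Jon describes in both replies concrete, here is an added toy model (written for this page, not Cisco code or anything from the thread) of a firewall with per-interface inbound ACLs and a connection table. The IPsec tunnel is reduced to an outside ACL that permits X -> Y, and the hosts X, Y, Z, the interface names and the ports are constructed; `stateful=False` models the plain router ACL case from the second reply.

```python
from dataclasses import dataclass

# Protocols the model keeps a connection entry for (ICMP only because ICMP inspection is assumed on).
STATEFUL = {"tcp", "udp", "icmp"}

@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrives on ("outside" or "inside")
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    """Toy stateful firewall: per-interface inbound ACLs plus a connection table."""

    def __init__(self, acls, stateful=True):
        self.acls = acls          # interface -> [(proto, src, dst), ...] permitted inbound
        self.stateful = stateful  # False models a router ACL with no connection table
        self.conns = set()        # 5-tuples of connections already permitted

    def _acl_permits(self, pkt):
        for proto, src, dst in self.acls.get(pkt.ingress, []):
            if proto in (pkt.proto, "ip") and src in (pkt.src, "any") and dst in (pkt.dst, "any"):
                return True
        return False  # implicit deny at the end of every ACL

    def process(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packet belongs to a known connection (either direction): passed without an ACL check.
        if self.stateful and (fwd in self.conns or rev in self.conns):
            return True
        if not self._acl_permits(pkt):
            return False
        if self.stateful and pkt.proto in STATEFUL:
            self.conns.add(fwd)  # first packet of a stateful flow opens a connection entry
        return True

def scenario(proto, stateful=True):
    """X (outside, arriving over the tunnel) initiates to Y (inside); then Y replies to X.
    The outside ACL permits X -> Y; the inside ACL has no line for Y -> X (constructed)."""
    fw = Firewall({"outside": [("ip", "X", "Y")], "inside": [("ip", "Y", "Z")]}, stateful)
    initial = fw.process(Packet("outside", proto, "X", 40000, "Y", 443))
    reply = fw.process(Packet("inside", proto, "Y", 443, "X", 40000))
    return initial, reply
```

`scenario("tcp")` passes both directions, `scenario("gre")` passes the initial packet but drops the reply because no connection entry exists, and `scenario("tcp", stateful=False)` drops the reply the way a router ACL would.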
