How does NAT, Stateful connection and access-list fit together?

dan_track
Level 1

Hi,

I'm confused. Basically, I've got an interface on my ASA firewall that I need to ensure is locked down via an access-list. My ACL will look like this:

interface GigabitEthernet0/1.242
 description Site2
 vlan 242
 nameif dmz-site2
 security-level 58
 ip address 10.4.9.1 255.255.255.248

access-list site2-acl extended permit icmp any any

and then I apply it with:

access-group site2-acl in interface dmz-site2

And I setup nat:

nat (inside) 2 access-list site2-nat
global (dmz-site2) 2  interface

As you can see from the above, only ICMP will be allowed in; any other connections will be dropped. However, let's say I initiate a connection to site 2 from inside. What will happen to the return traffic from site 2? As I currently see it, the ACL "site2-acl" will block traffic from site 2, as it doesn't allow any traffic in?

Can someone please explain the process to me.

Thanks

Dan


2 Replies

Jon Marshall
Hall of Fame

Dan

Your ACL will block any connections initiated from dmz-site2 to anywhere except for ICMP. However, it will not block return traffic, because that is what a stateful firewall is all about. So if you initiate a connection from inside and that traffic is allowed onto dmz-site2, then the return traffic will not be checked against site2-acl.

It's the same for traffic initiated from the outside. If it is allowed onto dmz-site2, then the return traffic will be allowed back out, i.e., site2-acl will not be checked.

The above applies to protocols that a stateful firewall can keep state for. TCP/UDP have always been that way. ICMP inspection was added in version 7.x, so it applies to ICMP as well now, as long as you enable ICMP inspection on the firewall.

There are other protocols, however, such as GRE, which are not stateful, and if they are not stateful then the return traffic would be checked against site2-acl.

Having said that, the vast majority of apps going through a firewall are TCP/UDP, so what I have outlined above applies to most traffic.

Jon
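Jon's explanation as a toy model (an added example; it is not code from this thread or from Cisco): packets are matched against a connection table first and only new flows hit the ingress interface ACL, using the interface names and ACL from Dan's post. The inside host 10.1.1.10, the site-2 host 10.4.9.2, and the treatment of "inside" as having no ACL are assumptions made for the demo, and ICMP is modelled as stateful on the assumption that ICMP inspection is enabled.

```python
# Added example, not from the thread: a toy model of how the ASA conn table
# and an inbound interface ACL interact, using the names from Dan's post
# (dmz-site2, site2-acl, interface IP 10.4.9.1). Hosts 10.1.1.10 (inside)
# and 10.4.9.2 (site2) are made up for the demo.
from collections import namedtuple

Packet = namedtuple("Packet", "ingress proto src dst")

# Only dmz-site2 carries an ACL; "inside" has none, so its traffic toward
# the lower-security dmz-site2 is permitted (modelled as permit ip any any).
ACLS = {"dmz-site2": [("permit", "icmp", "any", "any")]}
STATEFUL = {"tcp", "udp", "icmp"}  # icmp assumes ICMP inspection is enabled
INTERFACE_IP = "10.4.9.1"          # from: global (dmz-site2) 2 interface
conn_table: set = set()            # (proto, src, dst) of tracked connections

def acl_permits(iface: str, pkt: Packet) -> bool:
    """First-match evaluation, with the implicit deny at the end of an ACL."""
    for action, proto, src, dst in ACLS.get(iface, [("permit", "ip", "any", "any")]):
        if proto in ("ip", pkt.proto) and src in ("any", pkt.src) and dst in ("any", pkt.dst):
            return action == "permit"
    return False

def process(pkt: Packet) -> str:
    """'conn': matched a tracked connection (ACL skipped); 'acl': new flow permitted; 'drop'."""
    # 1. Return traffic of a tracked connection never reaches site2-acl.
    if pkt.proto in STATEFUL and (pkt.proto, pkt.dst, pkt.src) in conn_table:
        return "conn"
    # 2. Anything else is a new flow and must pass the ingress interface ACL.
    if not acl_permits(pkt.ingress, pkt):
        return "drop"
    # 3. Record state keyed on the NATed source (inside hosts appear as the dmz-site2
    #    interface address). GRE is not stateful, so its return packets fall back to step 2.
    src = INTERFACE_IP if pkt.ingress == "inside" else pkt.src
    if pkt.proto in STATEFUL:
        conn_table.add((pkt.proto, src, pkt.dst))
    return "acl"

def demo() -> dict:
    """Walk Dan's scenario through the model and return each verdict."""
    conn_table.clear()
    inside, site2 = "10.1.1.10", "10.4.9.2"
    return {
        "tcp_new_from_site2": process(Packet("dmz-site2", "tcp", site2, INTERFACE_IP)),
        "tcp_out": process(Packet("inside", "tcp", inside, site2)),
        "tcp_back": process(Packet("dmz-site2", "tcp", site2, INTERFACE_IP)),
        "icmp_from_site2": process(Packet("dmz-site2", "icmp", site2, INTERFACE_IP)),
        "gre_out": process(Packet("inside", "gre", inside, site2)),
        "gre_back": process(Packet("dmz-site2", "gre", site2, INTERFACE_IP)),
    }
```

Running demo() shows the TCP reply from site 2 passing on the connection entry while the GRE reply, with no entry to match, is evaluated against site2-acl and dropped.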

Thanks Jon,

Great insight. Much appreciated.

Dan
