Cisco stateful ACL

cisco8887
Level 2

Hi Guys,

Is there a way to see the stateful ACL which the ASA applies?

If I initiate traffic from inside to the internet, it creates a hole on outside in. How can I see that invisible ACL? No access-group was applied.

In other words, how does the ASA keep track of connections, and how can I see the stats?

For instance, a reflexive ACL will put in the reverse of the ACL, which you can see.

I am asking because I am trying to find out if I can block connections initiated on a S2S tunnel from S2 to S1, but allow traffic when it is initiated from S1 to S2.

Thanks

3 Replies

Cisco Freak
Level 4

Please make use of this command to view the details:

Corp-fw01# show local-host ?

  Hostname or A.B.C.D     Show local host information corresponding to this ip address
  Hostname or X:X:X:X::X  Show local host information corresponding to an IPV6 address
  all                     To show connections including to-the-box and from-the-box
  brief                   Enter this keyword for brief information
  connection              Show local host information based on the number of connections
  detail                  Enter this keyword for detailed information
  |                       Output modifiers
  <cr>

This is also handy:

Corp-fw01# sh conn ?

  address         Enter this keyword to specify IP address
  all             Enter this keyword to show conns including to-the-box and from-the-box
  count           Enter this keyword to show conn count only
  detail          Enter this keyword to show conn in detail
  long            Enter this keyword to show conn in long format
  port            Enter this keyword to specify port
  protocol        Enter this keyword to specify conn protocol
  scansafe        Enter this keyword to show conns being forwarded to scansafe server
  security-group  Enter this keyword to show security-group attributes in conns
  state           Enter this keyword to specify conn state
  user            Enter this keyword to specify conn user
  user-group      Enter this keyword to specify conn user group
  user-identity   Enter this keyword to show user names
  |               Output modifiers
  <cr>

Corp-fw01# sh conn c
Corp-fw01# sh conn count
9586 in use, 47347 most used

Jon Marshall
Hall of Fame

The ASA keeps track with its state table, not by adding lines to any ACLs.

If you want to block traffic from being initiated from one side but allow return traffic from the same side, then that is exactly what a stateful firewall is for.

For your request, just use an ACL on the inside interface in the inbound direction at S2 that denies traffic to S1, and that should work.

If you do use that, make sure that after you deny that traffic you obviously allow all other traffic from the inside, or you will cut everyone off.

Then, if S1 makes the connection to S2 and it is allowed through, the return traffic from S2 to S1 will not be checked against the inside interface ACL, because the ASA at S2 has an entry in the state table.

Like I say though, make sure you allow all other traffic in the ACL.

Jon
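As an added example (not from the thread or any poster), here is what Jon's suggestion looks like in ASA configuration on the S2 firewall, together with the commands from the thread for checking the state table afterwards. Interface names (inside/outside), the object names, the ACL name and the 10.1.0.0/16 and 10.2.0.0/16 subnets are all assumptions.

```cisco
! Added example, not from the thread. ASA at site S2: LAN on "inside",
! the S2S tunnel to S1 terminates on "outside". Subnets are assumed.
object network S1-LAN
 subnet 10.1.0.0 255.255.0.0
object network S2-LAN
 subnet 10.2.0.0 255.255.0.0
!
! Applied inbound on the inside interface: hosts at S2 cannot open
! connections toward S1, while everything else from inside stays allowed.
! Order matters: the deny must come before the permit-any line.
access-list INSIDE_IN extended deny ip object S2-LAN object S1-LAN
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Connections that S1 opens toward S2 create a state-table entry on this
! ASA, so the S2 -> S1 return packets are matched against that entry and
! never reach INSIDE_IN. Checks that show this (commands from the thread):
!   show conn detail              state-table entries with their flags
!   show conn count               in-use / most-used connection totals
!   show local-host 10.2.0.25     per-host connection view (assumed host)
!   show access-list INSIDE_IN    hitcnt on the deny line confirms S2-initiated
!                                 attempts toward S1 are being dropped
```

The crypto-map (interesting-traffic) ACL for the tunnel is unaffected by this and still has to cover both subnets in both directions, otherwise S1's traffic and its return path would not be encrypted at all.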
