I hit an issue recently which I sort of understand but would like some clarification as to the behaviour.
I have an ASA that has just two interfaces - inside security-100 & outside security-0 (the reality is slightly different but this is easier to explain). The ASA needs to sync with an NTP server available on the outside interface, it also needs to resolve names using DNS to a couple of servers again reachable via the outside interface. Finally it needs to reach a webserver for PKI Certificate enrollment and Revocation checking.
With the simplest of configurations, an inbound permit ip any any on the inside interface, this doesn't work. Internal clients connecting from the inside to outside are fine; however, the traffic generated by the ASA doesn't pass. My understanding here is that there is no state created to allow the traffic to flow out of the outside interface. I got around this by adding an outbound ACL on the outside interface to permit the specific router-generated traffic; however, this had its own issues, as the inside-to-outside client traffic stopped, which meant that additional ACL entries had to be added to allow the traffic from the inside to flow out of the outside.
Does this sound correct? The reality is that the inbound ACL on the inside interface is very strict, allowing only specific hosts and protocols. At the moment the outbound ACL on the outside interface is almost a mirror of the inbound ACL on the inside interface, and I don't believe it should be, as the inbound ACL on the inside interface should be creating the state?
There isn't too much detail on CCO regarding outbound ACLs on the ASA and their behaviour, so I was hoping someone could enlighten me.
Without the outbound ACL being applied to the outside interface, the router was unable to reach any of the services it needed to reach via the outside interface (NTP, DNS or HTTP). I think this is why I was confused; unfortunately I don't have access to the ASA at the moment, so this is all from memory.
What I can remember is attempting to enroll for certificates from the external web server, and this required DNS to look up the name, NTP to be synchronised so it could enroll, and HTTP access to the web server it was enrolling to. None of this worked initially. Are you saying that without any configuration (except interface IP addresses and routes) this should have worked?
It is obvious I need to take another look at this, as it appears this should have worked without any ACLs applied outbound on the outside interface. I am aware of all the commands you have listed; I am slightly confused as to why I would ever want to enable HTTP and SSH access to the ASA from the outside?
Anyway, if I get a chance to look at this again, I'll remove the outbound ACLs and re-test. This was for a customer, so it is possible they have done this themselves now anyway.
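For readers following the thread, here is the setup the post describes, rendered as an added ASA configuration example. It is not the poster's actual configuration and not taken from Cisco documentation: interface names, the ACL names INSIDE_IN and OUTSIDE_OUT, and every address (RFC 5737 documentation ranges) are assumptions, and the post says the real inside ACL is far stricter than permit ip any any. The point it makes concrete is the third step: once any access-group is applied outbound on outside, that ACL's implicit deny applies to everything leaving that interface, so the inside clients' traffic has to be re-permitted there as well, which is why the outbound ACL ends up mirroring the inside one.

```cisco
! Added example, not the poster's configuration. All addresses and names are assumed.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Services the ASA itself must reach via outside (assumed addresses):
! 198.51.100.10 = NTP, 198.51.100.53 = DNS, 198.51.100.80 = enrollment / CRL web server
ntp server 198.51.100.10 source outside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.53
!
! Step 1 in the post: permit-everything inbound ACL on inside.
! Client traffic inside -> outside works with only this in place.
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Step 2 in the post: outbound ACL on outside for the ASA-originated traffic.
access-list OUTSIDE_OUT extended permit udp host 203.0.113.2 host 198.51.100.10 eq ntp
access-list OUTSIDE_OUT extended permit udp host 203.0.113.2 host 198.51.100.53 eq domain
access-list OUTSIDE_OUT extended permit tcp host 203.0.113.2 host 198.51.100.80 eq http
!
! Step 3 in the post: an applied access-group ends in an implicit deny, so with
! OUTSIDE_OUT in place the inside clients' traffic is dropped on the way out
! unless it is listed here too. This entry is what turns OUTSIDE_OUT into a
! near-mirror of INSIDE_IN.
access-list OUTSIDE_OUT extended permit ip 192.168.1.0 255.255.255.0 any
access-group OUTSIDE_OUT out interface outside
```

When re-testing as the post proposes (removing the outbound ACL), `show access-list OUTSIDE_OUT` before removal shows a hit count per entry, so you can see which entries actually matched the ASA's own NTP/DNS/HTTP traffic and which only matched client traffic; `no access-group OUTSIDE_OUT out interface outside` detaches the ACL without deleting it, and `show conn` confirms whether the through-the-box client sessions are still being built afterwards.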