ASA5510 one Way Connection

Ahmad Khalifa
Level 1

Hello

How can I achieve a one-way connection without leaving the higher security level allowed to go to any less secure area?

For example, I have 2 servers and one firewall. I need to open port TCP/5450 into the trusted network so the server on the outside (untrusted network) can communicate and read the data through that port.

The problem here is that when I do that, the data cannot return; I have to open the same access rule for the return path, using the same port TCP/5450, to the untrusted network. Use my attached pic, it can help.


5 Replies

So the DCS server is the one initiating traffic?  Would it be possible for you to check with the support team for the server on the untrusted network, to see how this server responds to requests?  It is very possible that when the server on the trusted network sends a request to the server on the untrusted network, the untrusted network server, instead of replying to the original request, initiates a new traffic stream, which will result in the ASA dropping the packet if a rule is not configured to allow it.

Other than that, how have you configured your ACL?  It should look something like the following:

access-list in-to-out extended permit tcp host 192.168.201.138 host 172.16.4.105 eq 5450
access-group in-to-out in interface inside

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

The server in the untrusted network is reading data from the DCS via tcp/5450 (pulling data); the server 172.16.4.105 is the one initiating the traffic.  Does this info help?

If the server in the untrusted network is pulling the data, then there needs to be a rule on the outside interface allowing that.  When a server is pulling data, it is that server which is initiating the traffic, even though the actual data is being sent by the trusted server.


So this means that there have to be 2 access lists to allow the traffic through the firewall, so this is a 2-way connection?

I am a little uncertain, as I am not 100% sure how the servers handle traffic.  But my initial thought is that you would only need an access list on the outside interface to permit traffic in.  But also, since the server being pulled from is on a secure network, this should already have access to the outside unless there is a specific reason it should not have access out.

So, yes you would have two access rules for these two servers, but I believe you only actually need one from outside to inside.

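As an added illustration of the accepted answer (not configuration posted by anyone in this thread): the outside server 172.16.4.105 initiates the pull, so the one new connection the ASA has to admit arrives on the outside interface, and the replies from the DCS server 192.168.201.138 ride back on the stateful connection entry. The interface names "inside"/"outside", the ACL name "out-to-in" and the absence of NAT between the two hosts are assumptions.

```cisco
! Added example, not from the original thread. Assumes interfaces named
! "inside" and "outside", no NAT between the two hosts, and the addresses
! given in the thread (DCS 192.168.201.138 inside, puller 172.16.4.105 outside).
!
! The untrusted server opens the TCP/5450 session, so the only new
! connection to permit is inbound on the lower-security interface.
access-list out-to-in extended permit tcp host 172.16.4.105 host 192.168.201.138 eq 5450
access-group out-to-in in interface outside
!
! No mirror rule is needed on the inside interface: the ASA records the
! connection in its connection table and allows the DCS server's replies
! back through it. Whatever the inside server itself initiates outbound is
! still governed by the default higher-to-lower permit, or by any ACL you
! choose to bind to inside (binding one replaces that default with an
! implicit deny for everything the ACL does not list).
!
! Read-only checks: simulate the outside server's SYN and then confirm the
! built connection once the pull is running.
packet-tracer input outside tcp 172.16.4.105 40000 192.168.201.138 5450
show conn address 192.168.201.138 port 5450
```

If packet-tracer reports a drop at the NAT or ACL phase, the failing phase names the piece that is missing for your specific topology.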