Cisco Support Community
New Member

ASA5510 one Way Connection

Hello,

How can I achieve a one-way connection without leaving the higher security level allowed to go to any less secure area?

For example, I have 2 servers and one firewall. I need to open port TCP/5450 into the trusted network so the server on the outside (untrusted network) can communicate and read the data through that port.

The problem is that when I do that, the data cannot return; I have to open the same access rule for the return path, using the same port TCP/5450, to the untrusted network. The attached picture may help.

1 ACCEPTED SOLUTION

VIP Green

I am a little uncertain, as I am not 100% sure how the servers handle traffic. But my initial thought is that you would only need an access list on the outside interface to permit traffic in. But also, since the server being pulled from is on a secure network, it should already have access to the outside unless there is a specific reason it should not have access out.

So yes, you would have two access rules for these two servers, but I believe you only actually need one from outside to inside.

--
Please remember to rate and select a correct answer
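The configuration the accepted solution describes, written out as an added example that was not posted in the thread. The addresses and port are the thread's: 192.168.201.138 is taken to be the inside DCS server and 172.16.4.105 the outside server that pulls on TCP/5450. The interface names, object and ACL names, the ASA 8.3+ object syntax and the absence of NAT between the two hosts are assumptions.

```cisco
! Added example, not from the thread. Interface, object and ACL names are
! assumed; 192.168.201.138 (inside DCS server), 172.16.4.105 (outside
! poller) and port 5450 come from the thread. ASA 8.3+ syntax, no NAT.
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
object network DCS-SERVER
 host 192.168.201.138
object network UNTRUSTED-POLLER
 host 172.16.4.105
!
! The outside server opens the TCP/5450 connection (it pulls), so the one
! rule that matters is inbound on the outside interface. Only this host,
! only this port; the explicit deny at the end logs anything else.
access-list OUTSIDE-IN extended permit tcp object UNTRUSTED-POLLER object DCS-SERVER eq 5450
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! No mirror rule is needed for the replies. The ASA evaluates the ACL only
! for the first packet of a flow; once the SYN is permitted it creates a
! connection entry, and the DCS server's SYN/ACK and data packets are
! matched against that entry, not against an inside-interface ACL.
!
! To keep the trusted side from opening connections toward the untrusted
! one (the "one-way" requirement), restrict the inside interface as well.
! This blocks the DCS server from initiating to the poller but does not
! touch the replies of the pulled connection.
access-list INSIDE-IN extended deny ip object DCS-SERVER object UNTRUSTED-POLLER log
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
!
! Verification (exec mode): simulate the poller's SYN, then a SYN in the
! forbidden direction, then inspect the state table while a pull is running.
! packet-tracer input outside tcp 172.16.4.105 40000 192.168.201.138 5450
! packet-tracer input inside tcp 192.168.201.138 40000 172.16.4.105 5450
! show conn address 172.16.4.105 port 5450
```

The first packet-tracer should end with ALLOW and the second with DROP on the INSIDE-IN ACL, and show conn should list the TCP/5450 connection with the outside host as the initiator. On an ASA older than 8.3 the object lines are not available (use host 192.168.201.138 and host 172.16.4.105 directly), and if the DCS server is NATed the outside ACL on those releases must reference the translated address rather than the real one.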
5 REPLIES
VIP Green

So the DCS server is the one initiating traffic? Would it be possible for you to check with the support team for the server on the untrusted network, to see how this server responds to requests? It is very possible that when the server on the trusted network sends a request to the server on the untrusted network, the untrusted network server, instead of replying to the original request, initiates a new traffic stream, which will result in the ASA dropping the packet if a rule is not configured to allow it.

Other than that, how have you configured your ACL? It should look something like the following:

access-list in-to-out extended permit tcp host 192.168.201.138 host 172.16.4.105 eq 5450
access-group in-to-out in interface inside

--
Please remember to rate and select a correct answer
New Member

The server in the untrusted network is reading data from the DCS via TCP/5450 (pulling data); the server 172.16.4.105 is the one initiating the traffic. Does this info help?

VIP Green

If the server in the untrusted network is pulling the data, then there needs to be a rule on the outside interface allowing that. When a server is pulling data, it is that server which is initiating the traffic, even though the actual data is being sent by the trusted server.

--
Please remember to rate and select a correct answer
New Member

So this means there have to be 2 access lists to allow the traffic through the firewall, so this is a 2-way connection?
