02-08-2014 03:42 AM - edited 03-11-2019 08:42 PM
Hello
How can I achieve a one-way connection without leaving the higher security level allowed to go to any less secure area?
For example, I have 2 servers and one firewall. I need to open port TCP/5450 into the trusted network so the server on the outside (untrusted network) can communicate and read the data through that port.
The problem is that when I do that, the data cannot return; I have to open the same access rule for the return path, using the same port TCP/5450, to the untrusted network. See my attached pic, it can help.
02-08-2014 09:57 AM
So the DCS server is the one initiating traffic? Would it be possible for you to check with the support team for the server on the untrusted network to see how this server responds to requests? It is very possible that when the server on the trusted network sends a request to the server on the untrusted network, the untrusted network server, instead of replying to the original request, initiates a new traffic stream, which will result in the ASA dropping the packet if a rule is not configured to allow it.
Other than that, how have you configured your ACL? It should look something like the following:
access-list in-to-out extended permit tcp host 192.168.201.138 host 172.16.4.105 eq 5450
access-group in-to-out in interface inside
--
Please remember to rate and select a correct answer
02-08-2014 10:39 AM
The server in the untrusted network is reading data from the DCS via TCP/5450 (pulling data); the server 172.16.4.105 is the one initiating the traffic. Does this info help?
02-08-2014 10:43 AM
If the server in the untrusted network is pulling the data, then there needs to be a rule on the outside interface allowing that. When a server is pulling data, it is that server which is initiating the traffic, even though the actual data is being sent by the trusted server.
--
Please remember to rate and select a correct answer
02-08-2014 10:58 AM
So this means there have to be 2 access lists to allow the traffic via the firewall, so this is a 2-way connection?
02-08-2014 11:02 AM
I am a little uncertain, as I am not 100% sure how the servers handle traffic. But my initial thought is that you would only need an access list on the outside interface to permit traffic in. But also, since the server being pulled from is on a secure network, this should already have access to the outside unless there is a specific reason it should not have access out.
So, yes you would have two access rules for these two servers, but I believe you only actually need one from outside to inside.
--
Please remember to rate and select a correct answer
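As an added example (not from the thread or from Cisco), here is a small Python model of the stateful behaviour the replies describe: only the interface the initiator arrives on needs an ACL, because replies are matched against the connection table, and an interface with no ACL bound still allows higher-to-lower traffic by default. The interface names, security levels and the packet sequence are assumptions; the addresses and port are the thread's.

```python
from dataclasses import dataclass

SECURITY_LEVEL = {"outside": 0, "inside": 100}     # assumed ASA-style levels
OTHER = {"outside": "inside", "inside": "outside"}  # assumed two-interface box
# Access-group bindings (assumed): only the outside interface has an ACL,
# permitting the untrusted puller (172.16.4.105) to reach the DCS on TCP/5450.
ACLS = {"outside": [("172.16.4.105", "192.168.201.138", 5450)]}

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool     # first packet of a new TCP connection

class StatefulFirewall:
    def __init__(self):
        self.conns = set()   # connection table, direction-independent keys
    @staticmethod
    def _key(p):
        # A reply swaps src/dst, so key on the unordered endpoint pair.
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])
    def _new_conn_allowed(self, p):
        if p.iface in ACLS:   # an ACL is bound: it decides, regardless of level
            return any((p.src, p.dst, p.dport) == rule for rule in ACLS[p.iface])
        # No ACL bound: higher-to-lower security traffic is allowed by default.
        return SECURITY_LEVEL[p.iface] > SECURITY_LEVEL[OTHER[p.iface]]
    def process(self, p):
        """Return 'permit' or 'drop' for one packet, updating the connection table."""
        if not p.syn:
            return "permit" if self._key(p) in self.conns else "drop"
        if self._new_conn_allowed(p):
            self.conns.add(self._key(p))
            return "permit"
        return "drop"

def run_scenario():
    """Constructed packet sequence for the thread's TCP/5450 pull."""
    fw = StatefulFirewall()
    dcs, puller = "192.168.201.138", "172.16.4.105"
    packets = [
        Packet("outside", puller, dcs, 40000, 5450, syn=True),  # pull request
        Packet("inside", dcs, puller, 5450, 40000, syn=False),  # data back: no inside rule needed
        Packet("outside", puller, dcs, 40001, 22, syn=True),    # unsolicited, not in ACL
        Packet("inside", dcs, puller, 50000, 80, syn=True),     # DCS going out: default allowed
    ]
    return [fw.process(p) for p in packets]
```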