
Cisco ASA acl on inbound and outbound

kimyinwuCCNA
Level 1

Hi Community,

I have a Cisco ASA5510 firewall, and I have configured it with ACLs on both the inbound and outbound interfaces (for more security).

How will this behave with inspections? Will the packet be inspected twice? Will problems occur?

The ASA firewall is running ASA 8.2.

(inside network) --> (inbound acl) [inside intf-FW-outside intf] -> (outbound acl) --> (internet)

Regards,

KimYin Wu

CCNA

2 Replies

The ACL check and inspection are done once. If the traffic is allowed, the connection is entered into the state table. From this point on, traffic from that particular flow is checked against the state table.

If a traffic flow is permitted by the first ACL it encounters, no further ACLs are checked; only the state table is checked.

--
Please remember to rate and select a correct answer


Hi,

If there are interfaces called LAN and WAN and, for example, the WAN interface has an inbound ACL and the LAN interface has an outbound ACL, then the packet will be checked against both of these ACLs.

Example from my ASA

access-group LAN-OUT out interface LAN
access-group WAN-IN in interface WAN

access-list WAN-IN extended permit ip host 3.3.3.3 any
access-list LAN-OUT extended deny ip host 3.3.3.3 any
access-list LAN-OUT extended permit ip any any

ASA# packet-tracer input WAN tcp 3.3.3.3 12345 x.x.x.x 22

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network ROUTER
 nat (LAN,WAN) static x.x.x.x
Additional Information:
NAT divert to egress interface LAN
Untranslate x.x.x.x/22 to 10.0.10.1/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN-IN in interface WAN
access-list WAN-IN extended permit ip host 3.3.3.3 any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group LAN-OUT out interface LAN
access-list LAN-OUT extended deny ip host 3.3.3.3 any
Additional Information:

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

- Jouni
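The evaluation order that the packet-tracer output above shows, and the state-table behaviour the first reply describes, modelled as an added Python example (constructed for this thread; not code from either poster or from Cisco): a new connection is matched against the inbound ACL of the ingress interface, then against the outbound ACL of the egress interface, first match wins with an implicit deny at the end of each ACL, and once permitted the flow is entered into a connection table that later packets of that flow, return traffic included, hit instead of the ACLs. The class and function names (ToyAsa, packet_tracer, parse_ace), the extra ACE for host 5.5.5.5, the host 4.4.4.4 and the traffic are all assumptions made for the demonstration; NAT, security levels, object groups and the inspection engines are not modelled, and the real ASA's "packet-tracer" command is only imitated in spirit.

```python
"""Toy model of ASA interface ACLs and the connection table.  Constructed example
for this thread, not Cisco code.  Modelled: inbound ACL of the ingress interface,
then outbound ACL of the egress interface (first match wins, implicit deny at the
end of each ACL), and a connection table that permitted flows go into so later
packets of the flow, return traffic included, never reach the ACLs.  NAT, security
levels and inspection engines are not modelled."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
Ace = namedtuple("Ace", "action proto src dst dport")   # dport None means any port

def _parse_addr(toks):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the token list."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    toks = line.split()
    src, rest = _parse_addr(toks[5:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(toks[3], toks[4], src, dst, dport)

def ace_matches(ace, pkt):
    # Protocol 'ip' matches any protocol; dport None matches any port.
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))

def flow_key(pkt):
    # Direction-independent, so the reply packets of a flow hit the same entry.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

class ToyAsa:
    def __init__(self):
        self.acls = {}          # ACL name -> [Ace, ...] in configured order
        self.groups = {}        # (interface, "in"|"out") -> ACL name
        self.conn_table = set()

    def config(self, line):
        toks = line.split()
        if toks[0] == "access-list":
            self.acls.setdefault(toks[1], []).append(parse_ace(line))
        elif toks[0] == "access-group":   # access-group NAME in|out interface IFACE
            self.groups[(toks[4], toks[2])] = toks[1]

    def acl_verdict(self, iface, direction, pkt):
        """'ALLOW'/'DROP' from the ACL bound in that direction, None if none is bound."""
        name = self.groups.get((iface, direction))
        if name is None:
            return None
        for ace in self.acls.get(name, []):   # first match wins
            if ace_matches(ace, pkt):
                return "ALLOW" if ace.action == "permit" else "DROP"
        return "DROP"                         # implicit deny at the end of the ACL

    def packet_tracer(self, in_iface, out_iface, pkt):
        """Return (phases, action) in the spirit of 'packet-tracer input ...'."""
        key, phases = flow_key(pkt), []
        if key in self.conn_table:            # established flow: table only, no ACLs
            return [("FLOW-LOOKUP", "ALLOW")], "allow"
        for iface, direction in ((in_iface, "in"), (out_iface, "out")):
            verdict = self.acl_verdict(iface, direction, pkt)
            if verdict is None:               # no ACL bound (security levels not modelled)
                continue
            phases.append((f"ACCESS-LIST {direction} {iface}", verdict))
            if verdict == "DROP":
                return phases, "drop"
        self.conn_table.add(key)
        phases.append(("FLOW-CREATION", "ALLOW"))
        return phases, "allow"

# Jouni's ACLs plus one constructed ACE (host 5.5.5.5) so that one flow is permitted end to end.
CONFIG = """\
access-list WAN-IN extended permit ip host 3.3.3.3 any
access-list WAN-IN extended permit tcp host 5.5.5.5 host 10.0.10.1 eq 443
access-list LAN-OUT extended deny ip host 3.3.3.3 any
access-list LAN-OUT extended permit ip any any
access-group WAN-IN in interface WAN
access-group LAN-OUT out interface LAN
"""

def demo():
    """Trace four constructed packets; addresses are the real (post-NAT) ones the ACLs see."""
    fw = ToyAsa()
    for line in CONFIG.splitlines():
        fw.config(line)
    cases = [   # (name, ingress, egress, packet), traced in this order
        ("3.3.3.3 ssh", "WAN", "LAN", Packet("tcp", "3.3.3.3", 12345, "10.0.10.1", 22)),
        ("4.4.4.4 ssh", "WAN", "LAN", Packet("tcp", "4.4.4.4", 40000, "10.0.10.1", 22)),
        ("5.5.5.5 https", "WAN", "LAN", Packet("tcp", "5.5.5.5", 50000, "10.0.10.1", 443)),
        ("5.5.5.5 https reply", "LAN", "WAN", Packet("tcp", "10.0.10.1", 443, "5.5.5.5", 50000)),
    ]
    results = {}
    for name, ingress, egress, pkt in cases:
        phases, action = fw.packet_tracer(ingress, egress, pkt)
        results[name] = (action, [phase for phase, _ in phases])
    return results
```

Calling demo() reproduces the thread's case: the 3.3.3.3 packet passes WAN-IN and is then dropped by LAN-OUT, so a permit on the first ACL does not end evaluation when a second ACL is bound on the egress interface. The 4.4.4.4 packet never reaches LAN-OUT, because the implicit deny of WAN-IN drops it first, and the 5.5.5.5 reply is allowed on a FLOW-LOOKUP alone, which is the only point at which the ACLs are skipped. The practical consequence for the original question is that both ACLs must permit a new connection, and any rule you want enforced must be present in whichever ACL the flow meets first, since a deny there is final.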
