12-04-2013 03:01 AM - edited 03-11-2019 08:12 PM
Hi Community,
I have a Cisco ASA5510 firewall, and I have configured it with ACL in both inbound and outbound interfaces (for more security).
How will this behave with inspections? Will the packet be inspected twice? Will problems occur?
ASA fw is running ASA8.2
(inside network) --> (inbound acl) [inside intf-FW-outside intf] -> (outbound acl) --> (internet)
Regards,
KimYin Wu
CCNA
12-07-2013 11:47 AM
The ACL check and inspection are done once. If the traffic is allowed, the connection is entered into the state table. From this point on, traffic from that particular flow is checked against the state table.
If a traffic flow is permitted by the first ACL it encounters, no further ACLs are checked; only the state table is checked.
--
Please remember to rate and select a correct answer
12-07-2013 11:54 AM
Hi,
If there are interfaces called LAN and WAN and, for example, the WAN interface has an INBOUND ACL and the LAN interface has an OUTBOUND ACL, then the packet will be checked against both of these ACLs.
Example from my ASA:
access-group LAN-OUT out interface LAN
access-group WAN-IN in interface WAN
access-list WAN-IN extended permit ip host 3.3.3.3 any
access-list LAN-OUT extended deny ip host 3.3.3.3 any
access-list LAN-OUT extended permit ip any any
ASA# packet-tracer input WAN tcp 3.3.3.3 12345 x.x.x.x 22
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network ROUTER
nat (LAN,WAN) static x.x.x.x
Additional Information:
NAT divert to egress interface LAN
Untranslate x.x.x.x/22 to 10.0.10.1/22
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN-IN in interface WAN
access-list WAN-IN extended permit ip host 3.3.3.3 any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group LAN-OUT out interface LAN
access-list LAN-OUT extended deny ip host 3.3.3.3 any
Additional Information:
Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
- Jouni
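The evaluation order shown in the packet-tracer output above, as an added example that is not from this thread or from Cisco: a small model that binds ACLs to interfaces the way `access-group` does, checks a new flow against the ingress "in" ACL and then the egress "out" ACL (first match wins, implicit deny at the end of each list), and lets an established flow bypass the ACLs through the connection (state) table. The rule parser only handles the `permit|deny ip host X|any host Y|any` subset used in the posted config, the flow key ignores ports, and an interface with no ACL bound is simply skipped (the real ASA applies its security-level default there); those are simplifications, not ASA behaviour.

```python
# Added example: simplified model of ASA ACL evaluation for a new flow.
# Config lines and the 3.3.3.3 -> x.x.x.x packet mirror the post above.
CONFIG = """
access-group LAN-OUT out interface LAN
access-group WAN-IN in interface WAN
access-list WAN-IN extended permit ip host 3.3.3.3 any
access-list LAN-OUT extended deny ip host 3.3.3.3 any
access-list LAN-OUT extended permit ip any any
"""

def parse(config):
    """Return ({(interface, direction): acl_name}, {acl_name: [rules]})."""
    groups, acls = {}, {}
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "access-group":           # access-group NAME in|out interface IF
            groups[(f[4], f[2])] = f[1]
        elif f[0] == "access-list":          # access-list NAME extended ACTION ip SRC DST
            src = f[6] if f[5] == "host" else "any"
            rest = f[7:] if f[5] == "host" else f[6:]
            dst = rest[1] if rest[0] == "host" else "any"
            acls.setdefault(f[1], []).append((f[3], src, dst))
    return groups, acls

def match_acl(acl, src, dst):
    """First matching rule wins; no match means the implicit deny."""
    for action, s, d in acl:
        if s in ("any", src) and d in ("any", dst):
            return action, (action, s, d)
    return "deny", None

def evaluate(groups, acls, conns, src, dst, in_if, out_if):
    """Return (verdict, reason) for one packet; conns is the state table."""
    key = (src, dst, in_if, out_if)          # simplification: ports not tracked
    if key in conns:                         # established flow: state table only
        return "ALLOW", "state-table"
    for iface, direction in ((in_if, "in"), (out_if, "out")):
        name = groups.get((iface, direction))
        if name is None:
            continue                         # no ACL bound in that direction
        action, rule = match_acl(acls[name], src, dst)
        if action == "deny":
            return "DROP", f"{name}: {rule or 'implicit deny'}"
    conns.add(key)                           # permitted: enter the connection table
    return "ALLOW", "acl"

if __name__ == "__main__":
    g, a = parse(CONFIG)
    print(evaluate(g, a, set(), "3.3.3.3", "10.0.10.1", "WAN", "LAN"))
```

The first call for 3.3.3.3 passes WAN-IN and is then dropped by LAN-OUT, which is exactly Phase 2 and Phase 6 of the packet-tracer output.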