Session table and return traffic across Firewall

sridharlatcw
Level 1

Hi!

I need your help to understand something about the stateful inspection.

Say we have a source X (initiator) that wants to access a destination Y that is in the "inside"  network of the ASA. The source X is accessing Y across a tunnel.

We have a Crypto ACL allowing this traffic (mandatory to establish the tunnel). On the "inside" interface we have an ACL applied, but it does not have a line allowing Y to reach X.

Since X is the initiator and the ASA is configured to allow X->Y, will the return traffic be allowed based on the session table, even though the inside ACL doesn't allow it?

If yes, should this logic apply to normal traffic as well?

3 Replies

Jon Marshall
Hall of Fame

sridharlatcw wrote:

Hi!

I need your help to understand something about the stateful inspection.

Say we have a source X (initiator) that wants to access a destination Y that is in the "inside"  network of the ASA. The source X is accessing Y across a tunnel.

We have a Crypto ACL allowing this traffic (mandatory to establish the tunnel). On the "inside" interface we have an ACL applied, but it does not have a line allowing Y to reach X.

Since X is the initiator and the ASA is configured to allow X->Y, will the return traffic be allowed based on the session table, even though the inside ACL doesn't allow it?

If yes, should this logic apply to normal traffic as well?

As long as the inside ACL is applied inbound to the interface, then yes, return traffic from Y -> X will be allowed because of the stateful nature of the firewall. There are a few exceptions, i.e. non-stateful traffic such as GRE etc. would need to be allowed on the inside ACL because the firewall doesn't keep state for this protocol. ICMP used to be the same, but the ASA now supports ICMP inspection.

And yes this logic applies to normal traffic as well.

Jon

Oh, OK, that was something I was not aware of. I thought the return traffic would be denied because the ACL (applied inbound on the inside interface) is not allowing it. Anyway, Jon, thank you for the explanation, I appreciate that.

-Sridhar L

sridharlatcw wrote:

Oh, OK, that was something I was not aware of. I thought the return traffic would be denied because the ACL (applied inbound on the inside interface) is not allowing it. Anyway, Jon, thank you for the explanation, I appreciate that.

-Sridhar L

Sridhar

No problem, glad to have helped.

If you were talking about normal ACLs on a router then yes, it would be blocked, but because it is a stateful firewall, once the connection has been allowed in either direction the return traffic will be allowed without checking ACLs.

Jon
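The behaviour Jon describes above (return traffic of an established flow bypassing the inside ACL, while a connectionless protocol such as GRE is still ACL-checked in both directions), as an added toy model that is not part of the thread and not Cisco's implementation. The addresses, the SSH flow and the 198.51.100.5 internet host in the inside ACL are constructed sample values.

```python
from dataclasses import dataclass, field
STATEFUL = {"tcp", "udp", "icmp"}   # protocols the toy firewall keeps state for (ICMP via inspection)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp" or "gre"
    sport: int = 0
    dport: int = 0
    ingress: str = "outside"   # interface the packet arrives on

@dataclass
class Firewall:
    acls: dict                               # interface -> [(src, dst, proto, action)], inbound
    conns: set = field(default_factory=set)  # connection (session) table

    def acl_permits(self, pkt):
        # First match wins; every ACL ends in an implicit deny.
        for src, dst, proto, action in self.acls.get(pkt.ingress, []):
            if src in (pkt.src, "any") and dst in (pkt.dst, "any") and proto in (pkt.proto, "ip"):
                return action == "permit"
        return False

    def process(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Return traffic of a known flow is matched in the connection table and
        # never reaches the ingress ACL, which is the point made in the thread.
        if pkt.proto in STATEFUL and (key in self.conns or reverse in self.conns):
            return "permit (connection table)"
        if not self.acl_permits(pkt):
            return "deny (acl)"
        if pkt.proto in STATEFUL:
            self.conns.add(key)  # new flow: remember it so the reply is allowed
        return "permit (acl)"

def run_scenario():
    x, y = "10.1.1.10", "192.168.1.20"   # X behind the tunnel, Y on inside (constructed)
    fw = Firewall(acls={
        "outside": [(x, y, "ip", "permit")],               # mirrors the crypto/outside ACL X -> Y
        "inside": [(y, "198.51.100.5", "tcp", "permit")],  # inside ACL has no line for Y -> X
    })
    return [
        fw.process(Packet(x, y, "tcp", 40000, 22, "outside")),  # X opens SSH to Y
        fw.process(Packet(y, x, "tcp", 22, 40000, "inside")),   # Y's reply: allowed by state, not ACL
        fw.process(Packet(y, x, "tcp", 50000, 22, "inside")),   # Y starts a new flow: inside ACL denies
        fw.process(Packet(x, y, "gre", ingress="outside")),     # GRE permitted, but no state is kept
        fw.process(Packet(y, x, "gre", ingress="inside")),      # GRE back is ACL-checked and denied
    ]
```

The third and fifth results are what the inside ACL would need an explicit line for; the second is allowed purely by the session table.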
