Cisco Support Community

New Member

Session table and return traffic across Firewall

Hi!

I need your help to understand something about the stateful inspection.

Say we have a source X (initiator) that wants to access a destination Y that is in the "inside" network of the ASA. The source X is accessing Y across a tunnel.

We have a Crypto ACL allowing this traffic (mandatory to establish the tunnel). On the "inside" interface we have an ACL applied but do not have a line allowing Y to reach X.

Since X is the initiator and the ASA is configured to allow X->Y, based on the session table will the return traffic be allowed even though the inside ACL doesn't allow it?

If yes, should this logic apply to normal traffic as well?

3 REPLIES
Hall of Fame Super Blue

Re: Session table and return traffic across Firewall

sridharlatcw wrote:

Hi!

I need your help to understand something about the stateful inspection.

Say we have a source X (initiator) that wants to access a destination Y that is in the "inside" network of the ASA. The source X is accessing Y across a tunnel.

We have a Crypto ACL allowing this traffic (mandatory to establish the tunnel). On the "inside" interface we have an ACL applied but do not have a line allowing Y to reach X.

Since X is the initiator and the ASA is configured to allow X->Y, based on the session table will the return traffic be allowed even though the inside ACL doesn't allow it?

If yes, should this logic apply to normal traffic as well?

As long as the inside acl is applied inbound to the interface then yes, return traffic from Y -> X will be allowed because of the stateful nature of the firewall. There are a few exceptions, i.e. non-stateful traffic such as GRE etc. would need to be allowed on the inside acl because the firewall doesn't keep state for this protocol. ICMP used to be the same but the ASA now supports ICMP inspection.

And yes this logic applies to normal traffic as well.

Jon

New Member

Re: Session table and return traffic across Firewall

Oh.. ok that was something I was not aware of. I thought the return traffic would be denied because the ACL (applied inbound on the inside interface) is not allowing it. Anyways... Jon thank you for the explanation, I appreciate that.

-Sridhar L

Hall of Fame Super Blue

Re: Session table and return traffic across Firewall

sridharlatcw wrote:

Oh.. ok that was something I was not aware of. I thought the return traffic would be denied because the ACL (applied inbound on the inside interface) is not allowing it. Anyways... Jon thank you for the explanation, I appreciate that.

-Sridhar L

Sridhar

No problem, glad to have helped.

If you were talking about normal acls on a router then yes, it would be blocked, but because it is a stateful firewall, once the connection has been allowed in either direction the return traffic will be allowed without checking acls.

Jon
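The behaviour Jon describes in both replies (return traffic of an established connection bypasses the interface ACL; untracked protocols such as GRE do not) is easy to see in a toy model. The Python below is an added illustration written for this thread, not Cisco ASA code or configuration. It makes several simplifying assumptions: the crypto ACL is modelled as a plain permit entry on the "outside" interface (the ASA's `sysopt connection permit-vpn` behaviour is not modelled), an interface with no ACL applied permits everything, and TCP, UDP and ICMP are the only protocols given a connection entry. All addresses are constructed examples.

```python
"""Toy stateful-inspection model: a packet that matches an existing connection
(in either direction) is forwarded without consulting the ingress ACL; a packet
that starts a new flow must pass the ACL, and only tracked protocols create a
connection entry that lets the reply come back. Not ASA code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp" or "gre"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # protocol name, or "ip" for any protocol
    src: str                    # single address or "any"
    dst: str                    # single address or "any"
    dport: Optional[int] = None # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


ConnKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class StatefulFirewall:
    # Assumption of the model: these are the protocols state is kept for.
    TRACKED = frozenset({"tcp", "udp", "icmp"})

    def __init__(self) -> None:
        self.acls: Dict[str, List[AclEntry]] = {}  # ACL applied inbound, per interface
        self.conns: Set[ConnKey] = set()            # the connection (session) table

    def apply_acl(self, iface: str, entries: List[AclEntry]) -> None:
        self.acls[iface] = list(entries)

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> ConnKey:
        # Key the reply direction would have been recorded under.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _acl_permits(self, iface: str, p: Packet) -> bool:
        entries = self.acls.get(iface)
        if entries is None:          # assumption: no ACL applied means permit
            return True
        for e in entries:            # first matching entry wins
            if e.matches(p):
                return e.action == "permit"
        return False                 # implicit deny at the end of every ACL

    def forward(self, ingress: str, p: Packet) -> str:
        # 1. Part of an existing connection: forwarded, ACL not consulted.
        if self._key(p) in self.conns or self._reverse(p) in self.conns:
            return "permit (existing connection)"
        # 2. New flow: must be permitted by the ACL on the ingress interface.
        if not self._acl_permits(ingress, p):
            return "deny (acl)"
        # 3. Tracked protocol: record the connection so the reply can return.
        if p.proto in self.TRACKED:
            self.conns.add(self._key(p))
            return "permit (new connection)"
        return "permit (acl, not tracked)"


def demo() -> Dict[str, str]:
    """Replays the scenario from the thread and returns the verdict per packet."""
    X, Y, Z = "198.51.100.10", "10.1.1.20", "10.1.1.30"     # constructed addresses
    fw = StatefulFirewall()
    fw.apply_acl("outside", [AclEntry("permit", "ip", X, Y)])   # stands in for the crypto ACL
    fw.apply_acl("inside", [AclEntry("permit", "tcp", Y, Z)])    # no line allowing Y -> X
    v: Dict[str, str] = {}
    v["tcp_syn_x_to_y"] = fw.forward("outside", Packet("tcp", X, Y, 40000, 22))
    v["tcp_synack_y_to_x"] = fw.forward("inside", Packet("tcp", Y, X, 22, 40000))
    v["tcp_unsolicited_y_to_x"] = fw.forward("inside", Packet("tcp", Y, X, 50000, 443))
    v["gre_x_to_y"] = fw.forward("outside", Packet("gre", X, Y))
    v["gre_y_to_x"] = fw.forward("inside", Packet("gre", Y, X))
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

Running it shows the SYN-ACK from Y being forwarded because it matches the connection X opened, the unsolicited TCP flow from Y to X being dropped by the inside ACL's implicit deny, and GRE from Y to X being dropped as well, since nothing recorded the outbound GRE packet. That last case is the exception Jon mentions: for protocols the firewall does not track, the inside ACL needs an explicit permit for the return direction.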
