PIX denying on SYN/ACK

dharris5000
Level 1

On an ASA 5500 I have set up basic extended access-lists (e.g. access-list inside_access_out).

My connections work, however I am seeing a lot of denies such as:

Deny tcp src 192.168.1.1/80 to 192.168.2.1:65535, which is the reply to a connection started on the internal interface.

Even with the denies, the connections still work, but I don't know why I am seeing these. I have applied the access-lists to access-groups using access-group "in" interface inside.

Can anyone also tell me how the ASA regards inbound/outbound to an interface? Is inbound describing a packet coming into an interface externally, or through the firewall, say from the inside interface to the outside interface?

cheers

1 Reply

amritpatek
Level 6

You are correct, inbound is for a packet entering the interface and outbound is for a packet leaving the interface. So the rules of an inbound ACL are applied when a packet enters the interface and the rules of an outbound ACL are applied when a packet leaves the interface. The reason you are getting Deny messages could be that these reply packets do not meet the standard for the connection setup; one possible case is that the other machine may be trying to open up a different connection to the machine which is starting the connection, and these packets are denied by the PIX/ASA. This is a typical behaviour of some applications.
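As an added triage aid (not part of the thread), the script below parses %ASA-4-106023 deny syslog lines and separates "reply-shaped" denies (well-known source port towards an ephemeral destination port, like the 192.168.1.1/80 → 192.168.2.1/65535 line in the question) from denies that look like genuinely new outbound connection attempts, so an administrator can see which ACL is catching what. The sample log lines are constructed for the example; the 1024 port threshold is an assumed heuristic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog lines in %ASA-4-106023 / 302013 format (not from the post).
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src inside:192.168.1.1/80 dst outside:192.168.2.1/65535 '
    'by access-group "inside_access_out" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:192.168.1.1/443 dst outside:192.168.2.1/49152 '
    'by access-group "inside_access_out" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:192.168.1.5/51000 dst outside:10.0.0.9/3389 '
    'by access-group "inside_access_out" [0x0, 0x0]',
    '%ASA-6-302013: Built outbound TCP connection 1234 for outside:192.168.2.1/80 '
    '(192.168.2.1/80) to inside:192.168.1.1/50000 (192.168.1.1/50000)',
]

DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

EPHEMERAL_START = 1024  # assumed heuristic boundary for client-side ports


@dataclass
class Deny:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: str


def parse_deny(line: str) -> Optional[Deny]:
    """Return a Deny for a 106023 line, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return Deny(m["proto"], m["sif"], m["sip"], int(m["sport"]),
                m["dif"], m["dip"], int(m["dport"]), m["acl"])


def looks_like_reply(d: Deny) -> bool:
    """Service port as source, ephemeral port as destination: shaped like return traffic."""
    return d.src_port < EPHEMERAL_START and d.dst_port >= EPHEMERAL_START


def classify(lines: List[str]) -> Dict[str, List[Deny]]:
    """Bucket deny lines into reply-shaped vs. new-connection-shaped; skip non-deny lines."""
    buckets: Dict[str, List[Deny]] = {"reply_like": [], "new_connection": []}
    for d in filter(None, map(parse_deny, lines)):
        buckets["reply_like" if looks_like_reply(d) else "new_connection"].append(d)
    return buckets
```

Run `classify(SAMPLE_LOGS)` to get two reply-shaped denies and one new-connection deny; the 302013 "Built" line is ignored.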
