<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Stateful Firewall in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/statefull-firewall/m-p/4657589#M1092163</link>
    <description>&lt;P&gt;IN-FW-OUT&lt;BR /&gt;TCP initiated from OUT to a server in IN:&lt;BR /&gt;mandatory, you need an ACL in OUT here.&lt;/P&gt;&lt;P&gt;TCP initiated from IN to a server in OUT:&lt;/P&gt;&lt;P&gt;optional, to make it so IN can only access the server in OUT; other traffic will be denied.&lt;/P&gt;</description>
    <pubDate>Tue, 26 Jul 2022 13:50:14 GMT</pubDate>
    <dc:creator>MHM Cisco World</dc:creator>
    <dc:date>2022-07-26T13:50:14Z</dc:date>
    <item>
      <title>Stateful Firewall</title>
      <link>https://community.cisco.com/t5/network-security/statefull-firewall/m-p/4657584#M1092162</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Dear all, I am new to firewall technologies and I want to ask regarding the stateful firewall feature. A stateful firewall maintains the TCP state and knows a user session, so why do we need to allow a user in both directions, incoming and outgoing, for the same traffic if the state is already known? When the user requests the session, it is known, and the firewall knows it for the returning traffic also.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 26 Jul 2022 13:46:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/statefull-firewall/m-p/4657584#M1092162</guid>
      <dc:creator>henockk</dc:creator>
      <dc:date>2022-07-26T13:46:11Z</dc:date>
    </item>
    <item>
      <title>Re: Stateful Firewall</title>
      <link>https://community.cisco.com/t5/network-security/statefull-firewall/m-p/4657589#M1092163</link>
      <description>&lt;P&gt;IN-FW-OUT&lt;BR /&gt;TCP initiated from OUT to a server in IN:&lt;BR /&gt;mandatory, you need an ACL in OUT here.&lt;/P&gt;&lt;P&gt;TCP initiated from IN to a server in OUT:&lt;/P&gt;&lt;P&gt;optional, to make it so IN can only access the server in OUT; other traffic will be denied.&lt;/P&gt;</description>
      <pubDate>Tue, 26 Jul 2022 13:50:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/statefull-firewall/m-p/4657589#M1092163</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2022-07-26T13:50:14Z</dc:date>
    </item>
    <item>
      <title>Re: Stateful Firewall</title>
      <link>https://community.cisco.com/t5/network-security/statefull-firewall/m-p/4657590#M1092164</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1383183"&gt;@henockk&lt;/a&gt; with a stateful firewall, permitting inside to outside traffic is sufficient to allow traffic initiated from the inside network to outside. The firewall would permit the return traffic.&lt;/P&gt;
&lt;P&gt;By default, traffic from outside to inside is usually denied, unless explicitly permitted. You'd only permit traffic from outside to inside if the traffic is initiated on the outside. On a perimeter firewall this is used when accessing a website in the DMZ or when bi-directional traffic is required in a WAN scenario.&lt;/P&gt;</description>
      <pubDate>Tue, 26 Jul 2022 17:02:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/statefull-firewall/m-p/4657590#M1092164</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2022-07-26T17:02:08Z</dc:date>
    </item>
    <item>
      <title>Re: Stateful Firewall</title>
      <link>https://community.cisco.com/t5/network-security/statefull-firewall/m-p/4657833#M1092172</link>
      <description>&lt;P&gt;What are you asking?&amp;nbsp; Do you mean if a user is already allowed from inside to outside, then if the user moves to the outside network that user should already be allowed access from the outside to inside?&lt;/P&gt;
&lt;P&gt;The issue here is where the user traffic is generated from.&amp;nbsp; When the traffic is generated from the inside network usually there is an access-list statement, or in some cases a security level, that permits the user access to the outside network.&amp;nbsp; In this case the connection is entered into the state table and return traffic will be allowed.&lt;/P&gt;
&lt;P&gt;If that user were to move to the outside network and initiate a connection towards the inside, the traffic will be denied by default, as the user has now initiated a new connection which there is no access-list for.&amp;nbsp; So, in short, what gets added to the state table depends on where the traffic is being initiated from and if there are access rules that allow the connection (and possibly NAT statements).&lt;/P&gt;</description>
      <pubDate>Tue, 26 Jul 2022 19:59:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/statefull-firewall/m-p/4657833#M1092172</guid>
      <dc:creator>Marius Gunnerud</dc:creator>
      <dc:date>2022-07-26T19:59:53Z</dc:date>
    </item>
  </channel>
</rss>

