topic Re: traffic allowed by default from higher to lower security zone in firewall in Network Security

traffic allowed by default from higher to lower security zone in firewall

rocky2024 — Fri, 21 Feb 2020 16:02:54 GMT

Dear All,

In ASA, all traffic allowed by default from higher to lower zone i.e. inside to outside.

1) Do we need to allow return traffic on outside interface ? if yes then understanding will like this, traffic allowed by default from inside to outside but return traffic should be allowed on outside interface in inbound direction. correct?

2) Please clarify whether all type of traffic and all ports TCP/UDP allowed by default from inside to outside ? absolutely all traffic ??? or certain ports are not allowed by default from Inside to outside?

regards,

Sourabh

Re: traffic allowed by default from higher to lower security zone in firewall

Rob Ingram — Thu, 02 Aug 2018 11:57:03 GMT

Hi,
The ASA is stateful and keeps a track of all outbound tcp/udp connections, so when you make a connection outbound it will automatically permit the return traffic.

An exception to this is icmp, it is not stateful like tcp/udp, so you either need to enable "inspect icmp" in the policy map or modify an ACL on the outside interface permitting the traffic.

HTH

Re: traffic allowed by default from higher to lower security zone in firewall

Dennis Mink — Thu, 02 Aug 2018 13:21:53 GMT

in a nutshell, access lists are applied in an ingress direction, so, if you initiate, yes initiate ttraffic for instance on port 80 and hit your inside interface to go to cnn.com the the response from cnn does NOT have to be explicitly permitted.

Re: traffic allowed by default from higher to lower security zone in firewall

rocky2024 — Thu, 02 Aug 2018 18:20:09 GMT

thank you very much