https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474500#M270012 <HTML><HEAD></HEAD><BODY><P>If the server in the untrusted network is pulling the data then there needs to be a rule on the outside interface allowing that.&nbsp; When a server is pulling data it is that server which is initiating the traffic...even though the actual data is being sent by the trusted server. </P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Sat, 08 Feb 2014 18:43:18 GMT Marius Gunnerud 2014-02-08T18:43:18Z https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474497#M270003 <P>Hello </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; how i can Achive one way Connection without Leave the Higher Security Level Allowed to go to any Less Secure Area</P><P>&nbsp;&nbsp;&nbsp;&nbsp; for Example i have 2 Servers and One Firewall i need to Open into the Trusted Network Port TCP/5450 so the server in the outside (Untrusted Network)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; can Commnuacate and read the Data throgh that Port .</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; the Problem here when i do that the data Cannot Return i have to open the Same Access Rule to the Return path using the Same Port TCP/5450 to </P><P>&nbsp;&nbsp;&nbsp;&nbsp; the Untrusted Network use my attached Pic its Can Help</P> Tue, 12 Mar 2019 03:42:53 GMT https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474497#M270003 Ahmad Khalifa 2019-03-12T03:42:53Z https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474498#M270007 <HTML><HEAD></HEAD><BODY><P>So the DCS server is the one initiating traffic?&nbsp; would it be possible for you to check with the support team for the server on the untrusted network, to see how this server responds to requests?&nbsp; It is very possible that when the server on the trusted network sends a request to the server on the untrusted network, that the untrusted network server instead of replying to the original request initiates a new traffic stream, which will result in the ASA dropping the packet if a rule is not configured to allow it.</P><P></P><P>Other than that, how have you configured your ACL?&nbsp; It should look something like the following:</P><P></P><P>access-list in-to-out extended permit tcp host 192.168.201.138 host 172.16.4.105 eq 5450</P><P>access-group in-to-out in inside</P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Sat, 08 Feb 2014 17:57:13 GMT https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474498#M270007 Marius Gunnerud 2014-02-08T17:57:13Z https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474499#M270009 <HTML><HEAD></HEAD><BODY><P>the Server in the untrusted Network is reading data from DCS via tcp/5450 (Pulling Data) the server 172.16.4.105 is who the <SPAN style="font-size: 10pt;">initiating the traffic.&nbsp;&nbsp; is this info. help<SPAN __jive_emoticon_name="confused" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></SPAN></P></BODY></HTML> Sat, 08 Feb 2014 18:39:42 GMT https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474499#M270009 Ahmad Khalifa 2014-02-08T18:39:42Z https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474500#M270012 <HTML><HEAD></HEAD><BODY><P>If the server in the untrusted network is pulling the data then there needs to be a rule on the outside interface allowing that.&nbsp; When a server is pulling data it is that server which is initiating the traffic...even though the actual data is being sent by the trusted server. </P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Sat, 08 Feb 2014 18:43:18 GMT https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474500#M270012 Marius Gunnerud 2014-02-08T18:43:18Z https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474501#M270014 <HTML><HEAD></HEAD><BODY><P>so this mean that it have to be 2 access list to allow the traffic via firewall so this 2 way connection </P></BODY></HTML> Sat, 08 Feb 2014 18:58:28 GMT https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474501#M270014 Ahmad Khalifa 2014-02-08T18:58:28Z https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474502#M270016 <HTML><HEAD></HEAD><BODY><P>I am a little uncertain as I am not 100% sure how the servers handle traffic.&nbsp; But my initial though is that you would only need an access list on the outside interface to permit traffic in.&nbsp; But also since the server being pulled from is on a secure network, this should already have access to the outside unless there is a specific reason it should not have access out.</P><P></P><P>So, yes you would have two access rules for these two servers, but I believe you only actually need one from outside to inside.</P><P></P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Sat, 08 Feb 2014 19:02:35 GMT https://community.cisco.com/t5/network-security/asa5510-one-way-connection/m-p/2474502#M270016 Marius Gunnerud 2014-02-08T19:02:35Z