https://community.cisco.com/t5/network-security/default-rule-query/m-p/2209607#M348624 <P>Hi All,</P><P></P><P>This is more of a clarification request of my understanding than a support issue. </P><P></P><P>A firewall is typically locked down using ACLs on the inside &amp; outside interfaces, and there are various static NAT statements for servers that are reachable on the outside hosting web/e-mail etc you get the idea. </P><P></P><P>I have a host network on the inside say 10.0.0.0/24, which appears in my inside ACL, as an ACE, permit source 10.0.0.0/24 any </P><P>I then create a PAT statement to overload this traffic to the outside interface. </P><P>My outside ACL<SPAN style="text-decoration: underline;"> does not</SPAN> have a ACE that says permit source any dest outside IP of firewall. </P><P>Default packet inspection is as per default i.e. no HTTP. </P><P></P><P></P><P>My understanding was that as soon as an ACL is applied to an interface the rule of High to Low is now null and void, but the above works but surely I should need to put a ACE statement on the outside ACL, applied to my outside interface, saying permit source any dest IP address of my firewall? </P><P></P><P>Is there some other default rule that allows traffic back in, or have am I lacking something in my understanding?</P> Tue, 12 Mar 2019 01:53:19 GMT neil_cco_2094 2019-03-12T01:53:19Z https://community.cisco.com/t5/network-security/default-rule-query/m-p/2209607#M348624 <P>Hi All,</P><P></P><P>This is more of a clarification request of my understanding than a support issue. </P><P></P><P>A firewall is typically locked down using ACLs on the inside &amp; outside interfaces, and there are various static NAT statements for servers that are reachable on the outside hosting web/e-mail etc you get the idea. </P><P></P><P>I have a host network on the inside say 10.0.0.0/24, which appears in my inside ACL, as an ACE, permit source 10.0.0.0/24 any </P><P>I then create a PAT statement to overload this traffic to the outside interface. </P><P>My outside ACL<SPAN style="text-decoration: underline;"> does not</SPAN> have a ACE that says permit source any dest outside IP of firewall. </P><P>Default packet inspection is as per default i.e. no HTTP. </P><P></P><P></P><P>My understanding was that as soon as an ACL is applied to an interface the rule of High to Low is now null and void, but the above works but surely I should need to put a ACE statement on the outside ACL, applied to my outside interface, saying permit source any dest IP address of my firewall? </P><P></P><P>Is there some other default rule that allows traffic back in, or have am I lacking something in my understanding?</P> Tue, 12 Mar 2019 01:53:19 GMT https://community.cisco.com/t5/network-security/default-rule-query/m-p/2209607#M348624 neil_cco_2094 2019-03-12T01:53:19Z https://community.cisco.com/t5/network-security/default-rule-query/m-p/2209608#M348625 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You are correct about the logic with <STRONG>"security-level"</STRONG> value. If we presume that NO ACLs are configured and attached to firewall interfaces then the <STRONG>"security-level"</STRONG> is the main thing controlling traffic. Additional configurations are only required when you configure 2 interface with the same <STRONG>"security-level"</STRONG> value OR traffic needs to enter and leave the same interface on the firewall</P><P></P><P>With regards to the traffic control with ACL..</P><P></P><P>Unlike a Router, the ASA firewall for example is a statefull firewall that keeps track of the state of the connections/translations</P><P></P><P>So if the ASA has allowed an connection through it, it will then automatically allow the return traffic as it already has an allowed connection formed from a trusted source (according to its configuration) in its connection table.</P><P></P><P> That is why you dont need any separate ACL on a firewall permitting the return traffic. </P><P></P><P>On the Cisco routers on the other hand you might have to take account both directions of the traffic as it doesnt really keep track of the connections through it in the same way the firewall does.</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please mark the reply as the correct answer if you felt that it was the correct answer and/or rate helpfull answers.</P><P></P><P>Naturally ask more if needed</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 05 Jun 2013 10:33:26 GMT https://community.cisco.com/t5/network-security/default-rule-query/m-p/2209608#M348625 Jouni Forss 2013-06-05T10:33:26Z https://community.cisco.com/t5/network-security/default-rule-query/m-p/2209609#M348626 <HTML><HEAD></HEAD><BODY><P>OK I see, so even though once there is an ACL on the outside interface, the implicit deny all does not effect return traffic with an exisiting connection entry though the firewall. </P><P>I think I had a small misunderstanding in my firewall concept. </P><P></P><P>Many thanks </P></BODY></HTML> Thu, 06 Jun 2013 12:32:05 GMT https://community.cisco.com/t5/network-security/default-rule-query/m-p/2209609#M348626 neil_cco_2094 2013-06-06T12:32:05Z