https://community.cisco.com/t5/network-security/asa-traffic-flows/m-p/1805636#M530855 <HTML><HEAD></HEAD><BODY><P>Hi Andrew,</P><P></P><P>If you are trying to access the internet from your internal lan, then:</P><P></P><P>Request would come to ASA inside interface</P><P>NAT statement would be checked and it would PAT to your external public ip.</P><P>The return traffic would hit external ip on ASA</P><P>ASA would see that this is the reply packet to your connection request.</P><P>It would un-nat the external ip to internal lan ip and send it to your lan machine</P><P></P><P>This is how ASA would work, so yes this would work on ASA if thats your question.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Wed, 14 Sep 2011 15:25:11 GMT varrao 2011-09-14T15:25:11Z https://community.cisco.com/t5/network-security/asa-traffic-flows/m-p/1805633#M530851 <P>Hey all, hopefully this should be a nice easy one!</P><P></P><P>I remember being told a while back that ASA devices don't handle traffic very well that goes outbound out of an interface, and then comes back inbound on the same interface.&nbsp; For example:</P><P></P><P>- traffic leaves an internal LAN bound for it internet</P><P>- hits the ASA on an internal interface</P><P>- leaves the ASA external interface on a PAT address (public IP)</P><P>- hits same ASA external interface on a public IP that NATs through to an internal LAN address</P><P>- NATs through to internal LAN</P><P></P><P>Could anyone confirm that this is the case and if this behaviour has a particular name?&nbsp; Like I say, I remember being told that this wouldn't work (I couldn't VPN to our external address from inside our network for example), but I'd like to read up a bit more about it.</P><P></P><P>Thanks!</P> Mon, 11 Mar 2019 21:24:42 GMT https://community.cisco.com/t5/network-security/asa-traffic-flows/m-p/1805633#M530851 andrewburridge 2019-03-11T21:24:42Z https://community.cisco.com/t5/network-security/asa-traffic-flows/m-p/1805634#M530853 <HTML><HEAD></HEAD><BODY><P>Hi Andrew,</P><P></P><P>The flow below is correct as you have stated, but I am not really sure about your question?? Are you doubtful taht the firewall woudl drop the return traffic, because tahts not the case. Firewall is a ststeful device, which means it maintains the state table of the connections and carries out inspection and knows that the return packet is a part of the connection already established.</P><P></P><P>Let me know what you exact query is.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Wed, 14 Sep 2011 13:29:07 GMT https://community.cisco.com/t5/network-security/asa-traffic-flows/m-p/1805634#M530853 varrao 2011-09-14T13:29:07Z https://community.cisco.com/t5/network-security/asa-traffic-flows/m-p/1805635#M530854 <HTML><HEAD></HEAD><BODY><P style="color: #333333; font-family: arial, helvetica, sans-serif; font-size: 10pt; text-align: left; padding: 8px;">Hi Varun,</P><P></P><P>Thanks for your reply. I guess the key to my question is I've always thought that such a traffic flow wouldn't actually work.&nbsp; It doesn't work in our environment at least, and I was always told that this was just due to the inherent nature by which the ASA handles traffic.</P><P></P><P>Thanks.</P></BODY></HTML> Wed, 14 Sep 2011 15:06:43 GMT https://community.cisco.com/t5/network-security/asa-traffic-flows/m-p/1805635#M530854 andrewburridge 2011-09-14T15:06:43Z https://community.cisco.com/t5/network-security/asa-traffic-flows/m-p/1805636#M530855 <HTML><HEAD></HEAD><BODY><P>Hi Andrew,</P><P></P><P>If you are trying to access the internet from your internal lan, then:</P><P></P><P>Request would come to ASA inside interface</P><P>NAT statement would be checked and it would PAT to your external public ip.</P><P>The return traffic would hit external ip on ASA</P><P>ASA would see that this is the reply packet to your connection request.</P><P>It would un-nat the external ip to internal lan ip and send it to your lan machine</P><P></P><P>This is how ASA would work, so yes this would work on ASA if thats your question.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Wed, 14 Sep 2011 15:25:11 GMT https://community.cisco.com/t5/network-security/asa-traffic-flows/m-p/1805636#M530855 varrao 2011-09-14T15:25:11Z