https://community.cisco.com/t5/network-security/session-table-and-return-traffic-across-firewall/m-p/1401314#M722219 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>sridharlatcw wrote:</P><P></P><P>Hi!</P><P></P><P>I need your help to understand something about the stateful inspection.</P><P></P><P>Say we have a source X (initiator) that wants to access a destination Y that is in the "inside"&nbsp; network of the ASA. The source X is accessing Y across a tunnel.</P><P></P><P>We have an Crypto ACL allowing this traffic (mandatory to establish tunnel). On the "inside" interface we have an ACL applied but do not have a line allowing Y to reach X.</P><P></P><P>Since X is the iniator and ASA is configured to allow X-&gt;Y, based on the session table will the return traffic be allowed though the inside ACL doesn't allow?</P><P></P><P>If yes this logic should be applied for normal traffic as well?</P></PRE><P></P><P>As long as the inside acl is applied inbound to the interface then yes return traffic from Y -&gt; X will be allowed because of the stateful nature of the firewall. There are a few exceptions that ie. non-stateful traffic such as GRE etc. would need to be allowed on the inside acl because the firewall doesn't keep state for this protocol. ICMP used to be the same but the ASA now supports ICMP inspection.</P><P></P><P>And yes this logic applies to normal traffic as well.</P><P></P><P>Jon</P></BODY></HTML> Tue, 16 Feb 2010 20:03:39 GMT Jon Marshall 2010-02-16T20:03:39Z https://community.cisco.com/t5/network-security/session-table-and-return-traffic-across-firewall/m-p/1401313#M722215 <P>Hi!</P><P></P><P>I need your help to understand something about the stateful inspection.</P><P></P><P>Say we have a source X (initiator) that wants to access a destination Y that is in the "inside"&nbsp; network of the ASA. The source X is accessing Y across a tunnel.</P><P></P><P>We have an Crypto ACL allowing this traffic (mandatory to establish tunnel). On the "inside" interface we have an ACL applied but do not have a line allowing Y to reach X.</P><P></P><P>Since X is the iniator and ASA is configured to allow X-&gt;Y, based on the session table will the return traffic be allowed though the inside ACL doesn't allow?</P><P></P><P>If yes this logic should be applied for normal traffic as well?</P> Mon, 11 Mar 2019 17:10:27 GMT https://community.cisco.com/t5/network-security/session-table-and-return-traffic-across-firewall/m-p/1401313#M722215 sridharlatcw 2019-03-11T17:10:27Z https://community.cisco.com/t5/network-security/session-table-and-return-traffic-across-firewall/m-p/1401314#M722219 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>sridharlatcw wrote:</P><P></P><P>Hi!</P><P></P><P>I need your help to understand something about the stateful inspection.</P><P></P><P>Say we have a source X (initiator) that wants to access a destination Y that is in the "inside"&nbsp; network of the ASA. The source X is accessing Y across a tunnel.</P><P></P><P>We have an Crypto ACL allowing this traffic (mandatory to establish tunnel). On the "inside" interface we have an ACL applied but do not have a line allowing Y to reach X.</P><P></P><P>Since X is the iniator and ASA is configured to allow X-&gt;Y, based on the session table will the return traffic be allowed though the inside ACL doesn't allow?</P><P></P><P>If yes this logic should be applied for normal traffic as well?</P></PRE><P></P><P>As long as the inside acl is applied inbound to the interface then yes return traffic from Y -&gt; X will be allowed because of the stateful nature of the firewall. There are a few exceptions that ie. non-stateful traffic such as GRE etc. would need to be allowed on the inside acl because the firewall doesn't keep state for this protocol. ICMP used to be the same but the ASA now supports ICMP inspection.</P><P></P><P>And yes this logic applies to normal traffic as well.</P><P></P><P>Jon</P></BODY></HTML> Tue, 16 Feb 2010 20:03:39 GMT https://community.cisco.com/t5/network-security/session-table-and-return-traffic-across-firewall/m-p/1401314#M722219 Jon Marshall 2010-02-16T20:03:39Z https://community.cisco.com/t5/network-security/session-table-and-return-traffic-across-firewall/m-p/1401315#M722222 <HTML><HEAD></HEAD><BODY><P>Oh.. ok that was something I was not aware of. I thought the return traffic would be denied because the ACL (applied inbound on the inside interface) is not allowing it. Anyways... Jon thank you for the explanation, I appreciate that.</P><P></P><P>-Sridhar L</P></BODY></HTML> Wed, 17 Feb 2010 16:36:26 GMT https://community.cisco.com/t5/network-security/session-table-and-return-traffic-across-firewall/m-p/1401315#M722222 sridharlatcw 2010-02-17T16:36:26Z https://community.cisco.com/t5/network-security/session-table-and-return-traffic-across-firewall/m-p/1401316#M722224 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>sridharlatcw wrote:</P><P></P><P>Oh.. ok that was something I was not aware of. I thought the return traffic would be denied because the ACL (applied inbound on the inside interface) is not allowing it. Anyways... Jon thank you for the explanation, I appreciate that.</P><P></P><P>-Sridhar L</P></PRE><P></P><P>Sridhar</P><P></P><P>No problem. glad to have helped.</P><P></P><P>If you were talking about normal acls on router then yes it would be blocked but because it is a stateful firewall once the connection has been allowed in either direction the return trafffic will be allowed without checking acls.</P><P></P><P>Jon</P></BODY></HTML> Wed, 17 Feb 2010 16:39:24 GMT https://community.cisco.com/t5/network-security/session-table-and-return-traffic-across-firewall/m-p/1401316#M722224 Jon Marshall 2010-02-17T16:39:24Z