https://community.cisco.com/t5/network-security/asa-unexpected-bi-directional-access/m-p/1211474#M860846 <P>Hello.</P><P>My Cisco ASA firewall is set to allow inbound HTTPS connections to a webserver, which works great.</P><P></P><P>Exemplified by the log entry below;</P><P></P><P>access-list outside_access_in permitted tcp outside/22.44.55.77(22913) -&gt; inside/WEBSERVER(443) hit-cnt 1 first hit [0xdfea2982, 0x0]</P><P></P><P>However there is also a log entry reflecting traffic back to the client in the other direction "FROM" tcp/443.</P><P></P><P>access-list inside_access_in permitted tcp inside/WEBSERVER(443) -&gt; outside/22.44.55.77(22913) hit-cnt 1 first hit [0xdfea2982, 0x0]</P><P></P><P>I was not expecting this entry or connection as I had planned to block all "outbound" connections from this server.</P><P></P><P>I thought the ASA would be aware of an already existing inbound connection and not need to establish outbound.</P><P></P><P>Can someone please explain this? </P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 15:18:44 GMT mikedelafield 2019-03-11T15:18:44Z https://community.cisco.com/t5/network-security/asa-unexpected-bi-directional-access/m-p/1211474#M860846 <P>Hello.</P><P>My Cisco ASA firewall is set to allow inbound HTTPS connections to a webserver, which works great.</P><P></P><P>Exemplified by the log entry below;</P><P></P><P>access-list outside_access_in permitted tcp outside/22.44.55.77(22913) -&gt; inside/WEBSERVER(443) hit-cnt 1 first hit [0xdfea2982, 0x0]</P><P></P><P>However there is also a log entry reflecting traffic back to the client in the other direction "FROM" tcp/443.</P><P></P><P>access-list inside_access_in permitted tcp inside/WEBSERVER(443) -&gt; outside/22.44.55.77(22913) hit-cnt 1 first hit [0xdfea2982, 0x0]</P><P></P><P>I was not expecting this entry or connection as I had planned to block all "outbound" connections from this server.</P><P></P><P>I thought the ASA would be aware of an already existing inbound connection and not need to establish outbound.</P><P></P><P>Can someone please explain this? </P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 15:18:44 GMT https://community.cisco.com/t5/network-security/asa-unexpected-bi-directional-access/m-p/1211474#M860846 mikedelafield 2019-03-11T15:18:44Z https://community.cisco.com/t5/network-security/asa-unexpected-bi-directional-access/m-p/1211475#M860847 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The second access-list you have seen is for the return traffic to the originating source. </P><P></P><P>The traffic to secure webserver was initiated from outside zone with (SYN flag set). The server has to respond to the connection i.e allow the traffic through that session, server sends back (SYN/ACK) and other request-response via 443 to the source service port. </P><P></P><P>The acl you have seen is normal, it is dynamically opened by ASA and will shutdown as you terminate the session to the server.</P><P></P><P></P></BODY></HTML> Wed, 15 Apr 2009 08:10:59 GMT https://community.cisco.com/t5/network-security/asa-unexpected-bi-directional-access/m-p/1211475#M860847 roshan.maskey 2009-04-15T08:10:59Z https://community.cisco.com/t5/network-security/asa-unexpected-bi-directional-access/m-p/1211476#M860849 <HTML><HEAD></HEAD><BODY><P>couple of questions.</P><P></P><P>1) do you have a " service-policy " configured/applied globally on the firewall .</P><P></P><P>2) do you see hits in your ACL for the return traffic.</P></BODY></HTML> Wed, 15 Apr 2009 15:22:49 GMT https://community.cisco.com/t5/network-security/asa-unexpected-bi-directional-access/m-p/1211476#M860849 vikram_anumukonda 2009-04-15T15:22:49Z https://community.cisco.com/t5/network-security/asa-unexpected-bi-directional-access/m-p/1211477#M860851 <HTML><HEAD></HEAD><BODY><P>Hi.</P><P>Thanks for your reply.</P><P></P><P>1) there is no service policy</P><P></P><P>2) yes there are hits for the return traffic on the outbound ACL. </P><P></P><P>I would like to remove the ACL though as it is initiated inbound so should not be required?</P></BODY></HTML> Fri, 17 Apr 2009 09:08:52 GMT https://community.cisco.com/t5/network-security/asa-unexpected-bi-directional-access/m-p/1211477#M860851 mikedelafield 2009-04-17T09:08:52Z https://community.cisco.com/t5/network-security/asa-unexpected-bi-directional-access/m-p/1211478#M860853 <HTML><HEAD></HEAD><BODY><P>Copy paste the below code after which you should not require an ACL for return traffic. This is supposed to be there by default . If this does not help, Pls post your configs.</P><P></P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns maximum-length 512</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect netbios</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect skinny</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect sunrpc</P><P> inspect tftp</P><P> inspect sip</P><P> inspect xdmcp</P><P>!</P><P>service-policy global_policy global</P><P>!</P><P></P><P></P><P></P><P>HTH</P><P>Vikram</P></BODY></HTML> Fri, 17 Apr 2009 09:39:24 GMT https://community.cisco.com/t5/network-security/asa-unexpected-bi-directional-access/m-p/1211478#M860853 vikram_anumukonda 2009-04-17T09:39:24Z