https://community.cisco.com/t5/network-security/asa-inspection-for-inbound-traffic-out-gt-in-with-static-nat/m-p/3987181#M924851 <P>Hi,</P><P>&nbsp;</P><P>I have question regarding Global Packet Inspection on a Cisco ASA.</P><P>So, since by default all traffic from higher security Interface is allowed towards a lower security interface but NOT the other way around, traffic is inspected in&gt;out to create a stateful entry to dynamically allow inbound traffic out&gt;in.</P><P>Now in case of Static 1 to 1 NAT. i.e.</P><P>nat (inside,outside) source static 10.1.1.1 133.133.133.133</P><P>access-list Outside_Access_In ext permit ip any host 10.1.1.1</P><P>Since there is an ACL on the outside interface that is explicitly allowing any outside host inbound towards the inside host, once that ACE is matched, will the packet be inspected inbound aswell? or will it skip inspection as the traffic is already allowed inbound via the ACL.</P><P>To recap the question is, whether inspection is performed for inbound traffic (out&gt;in) if it is already allowed in an inbound ACL.</P><P>&nbsp;</P><P>Kind regards</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Feb 2020 17:42:34 GMT Jay47110 2020-02-21T17:42:34Z https://community.cisco.com/t5/network-security/asa-inspection-for-inbound-traffic-out-gt-in-with-static-nat/m-p/3987181#M924851 <P>Hi,</P><P>&nbsp;</P><P>I have question regarding Global Packet Inspection on a Cisco ASA.</P><P>So, since by default all traffic from higher security Interface is allowed towards a lower security interface but NOT the other way around, traffic is inspected in&gt;out to create a stateful entry to dynamically allow inbound traffic out&gt;in.</P><P>Now in case of Static 1 to 1 NAT. i.e.</P><P>nat (inside,outside) source static 10.1.1.1 133.133.133.133</P><P>access-list Outside_Access_In ext permit ip any host 10.1.1.1</P><P>Since there is an ACL on the outside interface that is explicitly allowing any outside host inbound towards the inside host, once that ACE is matched, will the packet be inspected inbound aswell? or will it skip inspection as the traffic is already allowed inbound via the ACL.</P><P>To recap the question is, whether inspection is performed for inbound traffic (out&gt;in) if it is already allowed in an inbound ACL.</P><P>&nbsp;</P><P>Kind regards</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Feb 2020 17:42:34 GMT https://community.cisco.com/t5/network-security/asa-inspection-for-inbound-traffic-out-gt-in-with-static-nat/m-p/3987181#M924851 Jay47110 2020-02-21T17:42:34Z https://community.cisco.com/t5/network-security/asa-inspection-for-inbound-traffic-out-gt-in-with-static-nat/m-p/3987339#M924853 <P>Hi Jay actually the incoming traffic from outside to inside network matching the outside_in acl will also be inspected. since its applied globally. you could also double check this performing packet-tracer from any address from the outside interface.</P><P>&nbsp;</P><P>regards,&nbsp;</P> Thu, 21 Nov 2019 16:17:41 GMT https://community.cisco.com/t5/network-security/asa-inspection-for-inbound-traffic-out-gt-in-with-static-nat/m-p/3987339#M924853 lwilfredoflor 2019-11-21T16:17:41Z https://community.cisco.com/t5/network-security/asa-inspection-for-inbound-traffic-out-gt-in-with-static-nat/m-p/3987739#M924854 Thanks <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/294678">@lwilfredoflor</a> that was helpful. Fri, 22 Nov 2019 08:57:15 GMT https://community.cisco.com/t5/network-security/asa-inspection-for-inbound-traffic-out-gt-in-with-static-nat/m-p/3987739#M924854 Jay47110 2019-11-22T08:57:15Z