Cisco ASA acl on inbound and outbound

Hi Community,

I have a Cisco ASA5510 firewall, and I have configured it with ACLs on both the inbound and outbound interfaces (for more security).

How will this behave with inspections? Will the packet be inspected twice? Will problems occur?

The ASA firewall is running ASA 8.2.

(inside network) --> (inbound acl) [inside intf-FW-outside intf] -> (outbound acl) --> (internet)

Regards,

KimYin Wu

CCNA

VIP Advocate

Cisco ASA acl on inbound and outbound

The ACL check and inspection are done once. If the traffic is allowed, the connection is entered into the state table. From this point on, traffic from that particular flow is checked against the state table.

If a traffic flow is permitted by the first ACL it encounters, no further ACLs are checked; only the state table is checked.

--
Please remember to rate and select a correct answer

Mentor

Re: Cisco ASA acl on inbound and outbound

Hi,

If there are interfaces called LAN and WAN and, for example, the WAN interface has an INBOUND ACL and the LAN interface has an OUTBOUND ACL, then the packet will be checked against both of these ACLs.

Example from my ASA

access-group LAN-OUT out interface LAN
access-group WAN-IN in interface WAN
access-list WAN-IN extended permit ip host 3.3.3.3 any
access-list LAN-OUT extended deny ip host 3.3.3.3 any
access-list LAN-OUT extended permit ip any any

ASA# packet-tracer input WAN tcp 3.3.3.3 12345 x.x.x.x 22

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network ROUTER
 nat (LAN,WAN) static x.x.x.x
Additional Information:
NAT divert to egress interface LAN
Untranslate x.x.x.x/22 to 10.0.10.1/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN-IN in interface WAN
access-list WAN-IN extended permit ip host 3.3.3.3 any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group LAN-OUT out interface LAN
access-list LAN-OUT extended deny ip host 3.3.3.3 any
Additional Information:

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

- Jouni
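The two replies above fit together once the evaluation order is written down: a packet that belongs to an existing connection is matched in the state table and skips the ACLs entirely, while the first packet of a new flow is checked against the inbound ACL of the interface it arrives on and then against the outbound ACL of the interface it leaves by, which is why Jouni's trace permits 3.3.3.3 in Phase 2 and drops it in Phase 6. The Python model below is an added example, not code from the thread, from either replier or from Cisco. It replays Jouni's ACL configuration and the packet-tracer packet (10.0.10.1 is the real address from the UN-NAT phase) and adds three constructed packets from hosts 4.4.4.4, 10.0.10.5 and 5.5.5.5 to show the implicit deny and the state-table shortcut. It does no NAT or inspection, parses only the `access-list NAME extended permit|deny PROTO SRC DST` subset of ASA syntax, and the security levels LAN=100 / WAN=0 are an assumption, since the thread never shows them.

```python
"""Order in which an ASA evaluates a packet: state table, then the ingress
interface's inbound ACL, then the egress interface's outbound ACL.  Added
example (not code from the thread or Cisco); no NAT or inspection is modelled."""
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    def matches(self, proto, src, dst):
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)

def _parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NETWORK MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl_line(line):
    """'access-list NAME extended ACTION PROTO SRC DST' -> (NAME, Rule)."""
    t = line.split()
    src, rest = _parse_addr(t[5:])
    dst, rest = _parse_addr(rest)
    if rest:                     # e.g. 'eq 22': port matching is not modelled
        raise ValueError(f"unsupported trailing tokens {rest} in: {line}")
    return t[1], Rule(t[3], t[4], src, dst)

class Asa:
    def __init__(self, security_levels):
        self.levels = security_levels   # nameif -> security-level (assumed values)
        self.acls = {}                  # ACL name -> [Rule, ...] in config order
        self.groups = {}                # (nameif, "in"|"out") -> ACL name
        self.conns = set()              # state table: permitted 5-tuples

    def load(self, config):
        for line in config.strip().splitlines():
            t = line.split()
            if t and t[0] == "access-list":
                name, rule = parse_acl_line(line)
                self.acls.setdefault(name, []).append(rule)
            elif t and t[0] == "access-group":  # access-group ACL in|out interface IF
                self.groups[(t[4], t[2])] = t[1]

    def _acl_verdict(self, iface, direction, proto, src, dst):
        name = self.groups.get((iface, direction))
        if name is None:                # no ACL bound in this direction
            return None
        for rule in self.acls.get(name, []):
            if rule.matches(proto, src, dst):
                return rule.action
        return "deny"                   # implicit deny at the end of every ACL

    def packet(self, in_if, out_if, proto, src, sport, dst, dport):
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        if fwd in self.conns or rev in self.conns:
            return "allow: existing connection, ACLs skipped"
        # Phase 1: inbound ACL on the ingress interface; with none bound, only
        # higher -> lower security level is allowed by default.
        v = self._acl_verdict(in_if, "in", proto, src, dst)
        if v is None and self.levels[in_if] <= self.levels[out_if]:
            return f"drop: no inbound ACL on {in_if} and not a higher security level"
        if v == "deny":
            return f"drop: (acl-drop) denied by {self.groups[(in_if, 'in')]}"
        # Phase 2: outbound ACL on the egress interface, if one is bound.
        if self._acl_verdict(out_if, "out", proto, src, dst) == "deny":
            return f"drop: (acl-drop) denied by {self.groups[(out_if, 'out')]}"
        self.conns.add(fwd)
        return "allow: new connection entered into state table"

# Jouni's ACL configuration from the reply above.
CONFIG = """
access-group LAN-OUT out interface LAN
access-group WAN-IN in interface WAN
access-list WAN-IN extended permit ip host 3.3.3.3 any
access-list LAN-OUT extended deny ip host 3.3.3.3 any
access-list LAN-OUT extended permit ip any any
"""

def demo():
    asa = Asa({"LAN": 100, "WAN": 0})   # assumed security levels
    asa.load(CONFIG)
    return [
        # Packet-tracer case: WAN-IN permits 3.3.3.3, LAN-OUT then denies it.
        asa.packet("WAN", "LAN", "tcp", "3.3.3.3", 12345, "10.0.10.1", 22),
        # Constructed: a source WAN-IN does not permit never reaches LAN-OUT.
        asa.packet("WAN", "LAN", "tcp", "4.4.4.4", 12345, "10.0.10.1", 22),
        # Constructed: LAN host opens an outbound session (no inbound ACL on LAN).
        asa.packet("LAN", "WAN", "tcp", "10.0.10.5", 50000, "5.5.5.5", 443),
        # Constructed: the reply matches the state table, WAN-IN is never consulted.
        asa.packet("WAN", "LAN", "tcp", "5.5.5.5", 443, "10.0.10.5", 50000),
    ]
if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The fourth packet is the case the first reply describes: the reply to a session the LAN host opened would be denied by WAN-IN on its own, but it never reaches that ACL because the connection is already in the state table. One caveat for the original poster's 8.2 box: Jouni's trace shows 8.3-style object NAT (`object network ROUTER`), where ACLs are written against real, untranslated addresses; on 8.2 an inbound ACL on the outside interface is matched against the mapped (translated) destination address instead, so the distinction between `x.x.x.x` and `10.0.10.1` in the trace matters when writing the WAN-IN rule on that version. The model above uses real addresses throughout.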