Default Rule Query

neil_cco_2094
Level 1

Hi All,

This is more of a clarification request of my understanding than a support issue.

A firewall is typically locked down using ACLs on the inside & outside interfaces, and there are various static NAT statements for servers that are reachable on the outside hosting web/e-mail etc you get the idea.

I have a host network on the inside say 10.0.0.0/24, which appears in my inside ACL, as an ACE, permit source 10.0.0.0/24 any

I then create a PAT statement to overload this traffic to the outside interface.

My outside ACL does not have a ACE that says permit source any dest outside IP of firewall.

Default packet inspection is as per default i.e. no HTTP.

My understanding was that as soon as an ACL is applied to an interface the rule of High to Low is now null and void, but the above works. Surely I should need to put an ACE statement on the outside ACL, applied to my outside interface, saying permit source any dest IP address of my firewall?

Is there some other default rule that allows traffic back in, or am I lacking something in my understanding?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You are correct about the logic with the "security-level" value. If we presume that NO ACLs are configured and attached to firewall interfaces, then the "security-level" is the main thing controlling traffic. Additional configurations are only required when you configure 2 interfaces with the same "security-level" value OR traffic needs to enter and leave the same interface on the firewall.

With regards to the traffic control with ACLs...

Unlike a router, the ASA firewall for example is a stateful firewall that keeps track of the state of the connections/translations.

So if the ASA has allowed a connection through it, it will then automatically allow the return traffic, as it already has an allowed connection formed from a trusted source (according to its configuration) in its connection table.

That is why you don't need any separate ACL on a firewall permitting the return traffic.

On the Cisco routers, on the other hand, you might have to take into account both directions of the traffic, as it doesn't really keep track of the connections through it in the same way the firewall does.

Hope this helps

Please mark the reply as the correct answer if you felt that it was the correct answer and/or rate helpful answers.

Naturally ask more if needed

- Jouni

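To illustrate the point in the answer above, that the connection-table lookup happens before the interface ACL is consulted, here is an added Python model of the topology in the question (written for this page; it is not ASA code and not from the thread). Addresses are constructed: the firewall's outside interface is 203.0.113.1, the web server 198.51.100.10. The outside ACL contains no ACE for the firewall's outside IP, yet the PAT'd reply is forwarded, while an unsolicited inbound packet hits the implicit deny.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the question: outside interface address uses the
# 203.0.113.0/24 documentation range; inside hosts are 10.0.0.0/24.
OUTSIDE_IP = "203.0.113.1"
# Inside ACL permits 10.0.0.0/24 to anywhere; the outside ACL has no ACE at
# all, so only its implicit deny applies to NEW inbound connections.
ACLS = {"inside": [("permit", "10.0.0.0/24", "0.0.0.0/0")], "outside": []}

def acl_permits(iface, src, dst):
    """Evaluate an interface ACL top-down; no match means implicit deny."""
    for action, src_net, dst_net in ACLS[iface]:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action == "permit"
    return False

class StatefulFirewall:
    def __init__(self):
        self.conns = {}  # translated (outside-facing) 5-tuple -> real 5-tuple
        self.next_pat_port = 1024

    def forward(self, iface, proto, src, sport, dst, dport):
        """Return 'existing', 'permit' or 'deny' for one packet."""
        if iface == "outside":
            # Connection-table lookup comes before the ACL: a reply to an
            # existing connection is forwarded with no outside ACE for it.
            if (proto, dst, dport, src, sport) in self.conns:
                return "existing"
            return "permit" if acl_permits("outside", src, dst) else "deny"
        # New inside->outside flow: check the inside ACL, PAT the source to
        # OUTSIDE_IP and record the connection so its reply can be matched.
        if not acl_permits("inside", src, dst):
            return "deny"
        mapped = (proto, OUTSIDE_IP, self.next_pat_port, dst, dport)
        self.next_pat_port += 1
        self.conns[mapped] = (proto, src, sport, dst, dport)
        return "permit"

def demo():
    """Scripted packets (constructed); returns the verdict for each one."""
    fw = StatefulFirewall()
    return [
        fw.forward("inside", "tcp", "10.0.0.5", 40000, "198.51.100.10", 80),  # permit
        fw.forward("outside", "tcp", "198.51.100.10", 80, OUTSIDE_IP, 1024),  # existing
        fw.forward("outside", "tcp", "198.51.100.99", 5555, OUTSIDE_IP, 22),  # deny
        fw.forward("inside", "tcp", "10.0.1.5", 40001, "198.51.100.10", 80),  # deny
    ]
```

The same reply packet sent to a fresh firewall with no connection entry is denied, which is exactly what the implicit deny on the outside ACL would do to unsolicited traffic.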

2 Replies


OK, I see, so even once there is an ACL on the outside interface, the implicit deny all does not affect return traffic with an existing connection entry through the firewall.

I think I had a small misunderstanding in my firewall concept.

Many thanks
