cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
677
Views
0
Helpful
2
Replies

Return reply packet hits different ACL of CIsco ASA

samarjit.das
Level 1
Level 1

Hi

I was analyzing the traffic log of Cisco asa firewall in ASDM  and observed that it showed traffic permitted aganist any any ACL installed in ASA for outside->inside traffic(But traffic intiated from inside->outside). I had newly depolyed a firewall in production with any any access in outside interface too and planned to migrate with specific ACL later on by doing taffic log analysis.I could see lots of traffic coming from outside to inside with source port number 23 and destination port number anything greater than 1024 and those traffic were permitted against any any ACL applied in outisde interface. I am sure that these traffics were initiated from inside to outside network but don't know why it matched with ACL any any applied outisde for return reply packet. Ideally it should come via same session and should not look for any policy in outside interface. 

2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Its really hard to comment on this unless you post your configurations (atleast partly)

For example the following

"show run access-list"

"show run access-group"

I don't recomend opening all traffic from outside to inside. Especially if you have Static NAT translations configured on the firewall.

The return traffic to my knowledge doesnt go through any access-list. The ASA should keep track of the connections formed through it and let the return/reply traffic go straight through.

So if you for example open/form a connection from your LAN it hits the ASAs inside interface access-list (usually atleast). All return traffic for that connections passes the ASAs access-list as it has already passed the connection earlier.

- Jouni

Hi

Please check the attached log file. I have enabled notification log in the both  ACLs that permits outbound traffic from 10.244.67.42 to 30.0.0.20 and any any ACL that permit outside initiated traffic to come inside. So in this case I have got notification log for return traffic(outisde to inside) also whose session was actually initiated from inside to outside. But as per the firewall rule, the return taffic would have been permitted based on the exist session. So why ACL applied in outside interface was checked in this case.Any idea?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: