Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
274
Views
0
Helpful
3
Replies

why it can surf internet in this case

martlee2
Cisco Employee
Cisco Employee

‎05-08-2015 07:05 AM - last edited on ‎03-25-2019 05:55 PM by Community Manager

 

in ASA access rule

Rule 1   deny any source address to destination 192.168.1.254

Rule 2   permit any source address to destination 192.168.1.0/24

 

why it can still surf internet when it deny from outside to gateway ?

why there is rule 2? doesn't all traffic meet rule 1 ?

i am confused about this setting when troubleshooting apple tv can not watch or Buy with UDP

 

 

Labels:
0 Helpful
3 Replies 3

ROHIT SHARMA
Level 1
Level 1

‎05-08-2015 08:08 AM

Hi,

 

This set of 2 rules simply allows access to all ip addresses in 192.168.1.0/24 subnet except 192.168.1.254.

"why it can still surf internet when it deny from outside to gateway ?"

for this you have paste ur config here. normally surfing internet should mean "to outside" not from outside.

"why there is rule 2? doesn't all traffic meet rule 1 ?"

check first line.

It'll be helpful you could elaborate your scenario.

 

Thanks,

Rohit

0 Helpful

martlee2
Cisco Employee
Cisco Employee
In response to ROHIT SHARMA

‎05-08-2015 06:39 PM

After search,router do not edit source ip address and port

then this make me understand why it can go to rule 2 

but i am confused which outside port it use to come back

 

does it mean that the gateway only use inside port, not include outside port?

if so, this make sense

does it mean that the udp traffic can come back from another different outside port ,not from the original outside port which initial apple tv?

does it mean to use another different inside port to send udp traffic?

so that the path go out and go in are actually two different path?

so conclusion is that asa is not the device to block the traffic of apple tv?

what security reason to make it to deny any ip address ip protocol traffic to 192.168.1.254 ?

0 Helpful

ROHIT SHARMA
Level 1
Level 1
In response to martlee2

‎05-09-2015 10:02 AM

Hi,

Its very diffilcult to understand your problem here.

Is ASA the default gateway for your internal network?

Or there is a router connected to outside interface of ASA?

Can you define your network diagram here?

Also, it would be helpful if you paste ASA config here.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card