ASA 5525 ACL traffic behavior...

Hello.

I am unclear on ASA 5525 ACL traffic behavior...

If an ACL is implemented on an interface in one direction, are packets within this session that have been permitted by that ACL automatically allowed back in from the other side during that same session?

In other words, is it true that ASA ACLs are inherently bi-directional if the initiator of the communication was permitted through the firewall?

Thank you.

2 Accepted Solutions

@jmaxwellUSAF yes, the ASA is a stateful firewall, so return traffic is permitted automatically.

If an ACL is implemented on an interface in one direction, are packets within this session that have been permitted by that ACL automatically allowed back in from the other side during that same session? Yes

The traffic is initiated from one interface, it is checked by the ACL applied IN to that interface, and then the traffic builds a conn in the ASA; this conn is used for the return traffic.



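A simplified model of the behavior described in the answers above, added here as an illustration and not part of the original thread or Cisco's code: the interface ACL is consulted only for the first packet of a flow, and the conn entry it creates is what admits the replies. The class, rule format and addresses are assumptions constructed for the example, and TCP flag and sequence tracking is left out.

```python
"""Simplified model of stateful filtering: ACL on first packet, conn table after.
Added illustration only; not Cisco ASA code. All addresses are constructed."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "proto src sport dst dport")

class Firewall:
    def __init__(self, acls):
        # acls: {interface: [(action, proto, src_net, dst_net, dst_port), ...]}
        self.acls = acls
        self.conns = set()  # flows created by ACL-permitted first packets

    def _acl_permits(self, iface, p):
        for action, proto, src_net, dst_net, dport in self.acls.get(iface, []):
            if (proto == p.proto and dport == p.dport
                    and ip_address(p.src) in ip_network(src_net)
                    and ip_address(p.dst) in ip_network(dst_net)):
                return action == "permit"
        return False  # implicit deny at the end of every ACL

    def handle(self, iface, p):
        reverse = Packet(p.proto, p.dst, p.dport, p.src, p.sport)
        if p in self.conns:
            return "permit (existing conn)"
        if reverse in self.conns:
            return "permit (return traffic of existing conn)"
        if self._acl_permits(iface, p):
            self.conns.add(p)  # first packet builds the conn entry
            return "permit (ACL, conn built)"
        return "deny (no conn, ACL)"

    def close(self, p):
        self.conns.discard(p)  # conn torn down: replies no longer match

def demo():
    fw = Firewall({"inside": [("permit", "tcp", "10.0.0.0/24", "0.0.0.0/0", 443)],
                   "outside": []})  # outside: nothing permitted inbound
    syn = Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443)
    reply = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000)
    stray = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51001)  # wrong port
    results = [fw.handle("inside", syn), fw.handle("outside", reply),
               fw.handle("outside", stray)]
    fw.close(syn)
    results.append(fw.handle("outside", reply))  # same reply after teardown
    return results
```

The reply is admitted only while it mirrors the exact addresses and ports of a live conn; the stray packet and the late reply both fall through to the outside ACL and are denied.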
