ASA Inspection for inbound traffic (out>in) with Static NAT

Hi,

 

I have a question regarding Global Packet Inspection on a Cisco ASA.

So, since by default all traffic from higher security Interface is allowed towards a lower security interface but NOT the other way around, traffic is inspected in>out to create a stateful entry to dynamically allow inbound traffic out>in.

Now in case of Static 1 to 1 NAT. i.e.

nat (inside,outside) source static 10.1.1.1 133.133.133.133

access-list Outside_Access_In ext permit ip any host 10.1.1.1

Since there is an ACL on the outside interface that is explicitly allowing any outside host inbound towards the inside host, once that ACE is matched, will the packet be inspected inbound as well? Or will it skip inspection as the traffic is already allowed inbound via the ACL?

To recap, the question is whether inspection is performed for inbound traffic (out>in) if it is already allowed in an inbound ACL.

 

Kind regards


Accepted Solutions

Re: ASA Inspection for inbound traffic (out>in) with Static NAT

Hi Jay, actually the incoming traffic from outside to the inside network matching the outside_in ACL will also be inspected, since it's applied globally. You could also double-check this by performing a packet-tracer from any address from the outside interface.

 

regards, 
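
One way to run the check suggested in the accepted answer, as an added example that is not part of the original thread. It assumes the ASA's default global_policy (which includes inspect ftp) is still in place; the outside source 198.51.100.10 and source port 12345 are constructed values.

```text
! Added example. Only 10.1.1.1, 133.133.133.133 and Outside_Access_In come
! from the thread; 198.51.100.10 and port 12345 are constructed.

! 1. Confirm that an inspection policy is applied globally, not per interface.
show running-config service-policy
!    A default configuration contains: service-policy global_policy global
show running-config policy-map
!    Lists the "inspect ..." engines under class inspection_default.

! 2. Simulate an inbound (out>in) FTP control connection to the mapped address.
!    FTP is used because it is in the default inspection list (assumption:
!    the default policy has not been edited).
packet-tracer input outside tcp 198.51.100.10 12345 133.133.133.133 21 detailed
!    Read the phases in order:
!      - the un-NAT phase translating 133.133.133.133 to 10.1.1.1
!      - an ACCESS-LIST phase showing the permit ACE in Outside_Access_In
!      - an INSPECT phase referencing global_policy
!    Seeing the ACCESS-LIST phase and the INSPECT phase together shows that
!    the ACL permit does not bypass inspection.

! 3. After real traffic has passed, compare the counters.
show access-list Outside_Access_In
!    hitcnt on the permit ACE increases for new inbound connections.
show service-policy
!    Packet counters for the matching inspect engine increase as well.
```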

Re: ASA Inspection for inbound traffic (out>in) with Static NAT

Thanks @lwilfredoflor, that was helpful.