
ASA Inspection for inbound traffic (out>in) with Static NAT

Jay47110
Level 1

Hi,

 

I have a question regarding Global Packet Inspection on a Cisco ASA.

So, since by default all traffic from higher security Interface is allowed towards a lower security interface but NOT the other way around, traffic is inspected in>out to create a stateful entry to dynamically allow inbound traffic out>in.

Now, in the case of static 1-to-1 NAT, i.e.:

nat (inside,outside) source static 10.1.1.1 133.133.133.133

access-list Outside_Access_In ext permit ip any host 10.1.1.1

Since there is an ACL on the outside interface that is explicitly allowing any outside host inbound towards the inside host, once that ACE is matched, will the packet be inspected inbound as well? Or will it skip inspection, as the traffic is already allowed inbound via the ACL?

To recap, the question is whether inspection is performed for inbound traffic (out>in) if it is already allowed in an inbound ACL.

 

Kind regards

 

 


Accepted Solutions

lwilfredoflor
Level 1

Hi Jay, actually the incoming traffic from the outside to the inside network matching the outside_in ACL will also be inspected, since it's applied globally. You could also double-check this by performing a packet-tracer from any address from the outside interface.

 

regards, 
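
The packet-tracer check suggested above, as an added example that is not part of the original thread or Cisco's own code: a Python parser that reads packet-tracer output and reports whether a packet allowed by the inbound ACL also passed an INSPECT phase. The sample output is constructed and abbreviated, the source address 198.51.100.10 and the function names are hypothetical, and it assumes FTP inspection is enabled in the global policy.

```python
import re

# Constructed, abbreviated sample (not captured from a device), modelled on:
#   packet-tracer input outside tcp 198.51.100.10 40000 133.133.133.133 21
SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Untranslate 133.133.133.133/21 to 10.1.1.1/21

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_Access_In in interface outside

Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

def parse_phases(text):
    """Return (phases, action); each phase is a dict with type/subtype/result."""
    phases = []
    for block in re.split(r"^Phase: \d+\s*$", text, flags=re.M)[1:]:
        # \S skips the bare "Result:" header of the final summary section.
        fields = re.findall(r"^(Type|Subtype|Result): *(\S.*)$", block, flags=re.M)
        phases.append({k.lower(): v.strip() for k, v in fields})
    m = re.search(r"^Action: *(\S+)", text, flags=re.M)
    return phases, (m.group(1) if m else None)

def inbound_inspection(text):
    """Report whether the ACL phase allowed the packet and which inspect engines ran."""
    phases, action = parse_phases(text)
    acl = any(p.get("type") == "ACCESS-LIST" and p.get("result") == "ALLOW" for p in phases)
    engines = [p.get("subtype", "") for p in phases
               if p.get("type") == "INSPECT" and p.get("result") == "ALLOW"]
    return {"acl_allowed": acl, "inspected_by": engines, "action": action}

if __name__ == "__main__":
    print(inbound_inspection(SAMPLE))
```

An empty `inspected_by` list alongside `acl_allowed: True` would mean the traced flow matched the ACL but no inspection class, which is the case the question asks about.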


Thanks @lwilfredoflor that was helpful.