ASA: service resetinbound / resetoutbound

S.IIZUKA
Level 1

Hello Experts

Could someone tell me the difference between service resetinbound and resetoutbound?

According to the command reference, resetinbound is for inbound traffic and resetoutbound is for outbound traffic.

Then what does inbound traffic and outbound traffic mean?

Is it a matter of interface security level (what if they are the same?), or of when a packet is to be denied (i.e. incoming / outgoing), or something else?

Best regards,


11 Replies 11

balaji.bandi
Hall of Fame

There is a good presentation explaining this here (hope that helps you)

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-3020.pdf

BB


S.IIZUKA
Level 1

Thank you for the replies.

I understood that it depends on the interface security level related to the flow.

Let me ask 2 more questions.

(1) What if the security levels of the ingress and egress interfaces are the same? Is it inbound or outbound for the ASA?

(2) How do resetinbound and resetoutbound work if there is no existing connection?

No existing connection means no flow direction, so the ASA cannot determine inbound or outbound.

I guess resetinbound is for when packets are denied by the incoming ACL of the ingress interface or by stateful inspection, and resetoutbound is for when packets are denied by the outgoing ACL of the egress interface. Is this correct?

Best regards,


> if the ASA sees a SYN from OUT to a server on IN, then the traffic is Inbound
> if the ASA sees a SYN from IN to a server on OUT, then the traffic is Outbound

Would you explain what IN and OUT mean in this context? (Sorry, my English is not very good.)
If it is not the security level, I still cannot understand how the ASA determines Inbound or Outbound.

If a client (outside) sends a SYN to a web server (inside), this is Inbound (according to your first reply).
Then, what if a client (inside) sends a SYN to a web server (outside)?
I just swapped inside and outside. It looks like Outbound, and if so, Inbound or Outbound depends on an interface name???

Inbound/outbound is determined by security level. It's unknown which of these two commands enables sending TCP RST if the security level is the same. This feature is for new connections only (from the firewall's point of view, but not from the senders'/receivers' point of view) and can be helpful during migrations, e.g. when user traffic is rerouted through a new firewall. As the firewall conn table is empty, it will send TCP RST to the senders, forcing them to establish new TCP connections to populate the firewall conn table. Another example is traffic dropped by ACL. When a TCP SYN comes, the ACL is checked and a TCP RST is sent.

Resetoutbound is enabled by default and resetinbound is disabled.


S.IIZUKA
Level 1

I did a quick test on Cisco dCloud.

The test configuration was Jumpbox (Windows 7) --- ASA --- Router.
I sent packets between the Jumpbox and the Router in each direction that would be denied by ACL, and checked whether the ASA generates a TCP RST.

1) inside (security level 100), outside (security level 0)
1-1) resetoutbound enabled (default)
Send a packet from Jumpbox to Router: RST generated
Send a packet from Router to Jumpbox: RST was not generated

1-2) both resetoutbound AND resetinbound enabled
Send a packet from Jumpbox to Router: RST generated
Send a packet from Router to Jumpbox: RST generated

1-3) resetinbound enabled
Send a packet from Jumpbox to Router: RST was not generated
Send a packet from Router to Jumpbox: RST generated

With these results, resetinbound and resetoutbound (inbound traffic and outbound traffic) are definitely related to security level.

What if the security levels are the same? I tested.
Changing the outside security level to 100:
RST was not generated when either resetinbound or resetoutbound was enabled on its own.
RST was generated only when both resetinbound and resetoutbound were enabled.
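The test matrix above reduces to a small decision rule: direction is classified by security level, not by interface name, and a denied SYN gets an RST only if the option matching that direction is on (both, for equal levels). The following model is an added example, not code from the thread or from Cisco; it encodes the observed behaviour so it can be replayed for any pair of security levels, and the `Interface` / `sends_rst` names are the example's own.

```python
"""Model of ASA TCP RST generation for a denied SYN under
``service resetinbound`` / ``service resetoutbound``.

Added example: encodes the behaviour observed in the dCloud test
(direction by security level; equal levels need both options).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    nameif: str          # the name plays no part in the decision
    security_level: int  # 0 (least trusted) .. 100 (most trusted)


def classify_direction(ingress: Interface, egress: Interface) -> str:
    """Classify a new flow entering on ``ingress`` and leaving on ``egress``.

    Lower -> higher security level is inbound, higher -> lower is outbound,
    equal levels are reported as 'same' (the case the thread tested).
    """
    if ingress.security_level < egress.security_level:
        return "inbound"
    if ingress.security_level > egress.security_level:
        return "outbound"
    return "same"


def sends_rst(ingress: Interface, egress: Interface,
              resetinbound: bool = False, resetoutbound: bool = True) -> bool:
    """Would the ASA answer a denied SYN (ingress -> egress) with a TCP RST?

    Defaults mirror the defaults reported in the thread: resetoutbound on,
    resetinbound off.
    """
    direction = classify_direction(ingress, egress)
    if direction == "inbound":
        return resetinbound
    if direction == "outbound":
        return resetoutbound
    # Equal security levels: observed to need BOTH options enabled.
    return resetinbound and resetoutbound


def replay_test_matrix() -> dict:
    """Replay the Jumpbox (inside) / Router (outside) cases from the post."""
    inside, outside = Interface("inside", 100), Interface("outside", 0)
    return {
        "1-1 jumpbox->router": sends_rst(inside, outside),
        "1-1 router->jumpbox": sends_rst(outside, inside),
        "1-3 jumpbox->router": sends_rst(inside, outside, True, False),
        "1-3 router->jumpbox": sends_rst(outside, inside, True, False),
    }
```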

@S.IIZUKA 

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116149-qanda-ASA-00.pdf


Another doc. @tvotna was totally right.
I was thinking before that when the ASA sees the first SYN on an interface it will classify the traffic as INBOUND if it receives it from OUT, and as OUTBOUND if it receives it from IN.
But here I stop: the ASA doesn't recognize the interface nameif, it recognizes the security level of the interface.
So that clears up my idea.
And for same-security, since the level is the same, both traffic directions are classed as INBOUND as shown above.

Thanks @S.IIZUKA, thanks @tvotna.
After checking what was also confusing me about same security,
I found this bug that explains all the issues and the solution:
https://bst.cisco.com/bugsearch/bug/CSCuj62017
