ASA Traffic Flows

andrewburridge
Level 1

Hey all, hopefully this should be a nice easy one!

I remember being told a while back that ASA devices don't handle traffic very well that goes outbound out of an interface, and then comes back inbound on the same interface.  For example:

- traffic leaves an internal LAN bound for the internet

- hits the ASA on an internal interface

- leaves the ASA external interface on a PAT address (public IP)

- hits same ASA external interface on a public IP that NATs through to an internal LAN address

- NATs through to internal LAN

Could anyone confirm that this is the case and if this behaviour has a particular name?  Like I say, I remember being told that this wouldn't work (I couldn't VPN to our external address from inside our network for example), but I'd like to read up a bit more about it.

Thanks!

3 Replies

varrao
Level 10

Hi Andrew,

The flow below is correct as you have stated, but I am not really sure about your question?? Are you doubtful that the firewall would drop the return traffic? Because that's not the case. A firewall is a stateful device, which means it maintains the state table of the connections and carries out inspection, and knows that the return packet is a part of the connection already established.

Let me know what your exact query is.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks for your reply. I guess the key to my question is I've always thought that such a traffic flow wouldn't actually work.  It doesn't work in our environment at least, and I was always told that this was just due to the inherent nature by which the ASA handles traffic.

Thanks.

Hi Andrew,

If you are trying to access the internet from your internal LAN, then:

- The request would come to the ASA inside interface.

- The NAT statement would be checked and it would PAT to your external public IP.

- The return traffic would hit the external IP on the ASA.

- The ASA would see that this is the reply packet to your connection request.

- It would un-NAT the external IP to the internal LAN IP and send it to your LAN machine.

This is how the ASA would work, so yes, this would work on the ASA if that's your question.

Thanks,

Varun

Thanks,
Varun Rao
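The stateful PAT and un-NAT sequence Varun lists above, as an added simulation that is not from this thread or from Cisco: a minimal translation (xlate) table that allocates a public port for each outbound connection, un-NATs replies that match an entry, and drops inbound packets with no matching state. The addresses are constructed documentation-range values, and the class and packet layout are hypothetical, not ASA internals.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # constructed: the ASA's outside (PAT) address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulPat:
    """Hypothetical stateful PAT: keeps a connection (xlate) table so that
    replies to outbound connections can be un-NATted, and drops unsolicited
    inbound packets that match no existing connection."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 1024
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.xlate: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        # Inside -> outside: rewrite the source to the public IP on a fresh
        # port and record the state so the reply can be matched later.
        pub_port = self.next_port
        self.next_port += 1
        self.xlate[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        # Outside -> inside: only a reply that matches recorded state passes;
        # anything else is dropped (None), which is the stateful behaviour.
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.xlate.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
```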