03-05-2011 09:21 PM - edited 03-11-2019 01:01 PM
I understand that all traffic from the inside interface to the outside interface is allowed by default (if the security level of the inside interface is higher than that of the outside interface). Does that rule apply bi-directionally, or do I need to create a rule that will allow all return traffic (for connections originating from the inside interface to the outside) back IN through an ACE applied to the outside interface?
Newt.
03-05-2011 10:09 PM
The return traffic for connections originated from inside towards outside is allowed automatically, i.e. you do not need to configure an ACL to allow the return traffic on the outside interface. The ASA keeps track of all the connections, hence only the first packet of a connection needs to be allowed by an ACL if you have applied an ACL on the interface.
Hope that helps.
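To make the behaviour described in the answer above concrete, here is a small stateful-inspection model written for this thread (added example, not Cisco code and not a faithful ASA implementation: no NAT, no TCP state machine, no idle timeouts, and ACEs match exact hosts only). The interface names, security levels and addresses are constructed. It shows the three cases asked about: a new inside-to-outside flow passing on the security-level rule, its reply passing on the connection table with no ACL on outside, and an unsolicited inbound packet hitting the implicit deny. It also counts ACL lookups so you can see that a flow permitted by the outside ACL is checked once and then served from the connection table.

```python
"""Toy model of ASA-style stateful inspection (added example, not ASA code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Tuple5 = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def fwd(self) -> Tuple5:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def rev(self) -> Tuple5:
        # The 5-tuple a reply to this packet would carry.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str = "any"
    src: str = "any"            # exact host or "any" (prefixes omitted)
    dst: str = "any"
    dport: Optional[int] = None  # None means any port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[List[Ace]] = None  # None = no access-group applied


class StatefulFirewall:
    def __init__(self, interfaces: List[Interface]):
        self.ifaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.conn_table: Dict[Tuple5, str] = {}  # 5-tuple -> originating interface
        self.acl_checks = 0  # packets that actually went through an ACL lookup

    def _acl_verdict(self, iface: Interface, p: Packet) -> Optional[bool]:
        if iface.acl is None:
            return None
        self.acl_checks += 1
        for ace in iface.acl:
            if ace.matches(p):
                return ace.action == "permit"
        return False  # implicit deny at the end of every ACL

    def process(self, ingress: str, egress: str, p: Packet) -> bool:
        """Return True if the packet is forwarded."""
        # 1. Part of a known connection (either direction): forward, no ACL lookup.
        if p.fwd() in self.conn_table or p.rev() in self.conn_table:
            return True
        # 2. New connection: interface ACL if one is applied, else security-level rule.
        in_if, out_if = self.ifaces[ingress], self.ifaces[egress]
        verdict = self._acl_verdict(in_if, p)
        if verdict is None:
            verdict = in_if.security_level > out_if.security_level
        if verdict:
            self.conn_table[p.fwd()] = ingress
        return verdict


def scenario() -> dict:
    """Constructed traffic walk-through; returns each packet's verdict."""
    fw = StatefulFirewall([
        Interface("inside", 100),
        Interface("outside", 0, acl=[Ace("permit", proto="tcp", dst="10.0.0.80", dport=80)]),
    ])
    out = {}
    syn = Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443)
    out["outbound_new"] = fw.process("inside", "outside", syn)        # level rule
    synack = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000)
    out["outbound_return"] = fw.process("outside", "inside", synack)  # table hit
    probe = Packet("tcp", "198.51.100.7", 55555, "10.0.0.5", 22)
    out["unsolicited_inbound"] = fw.process("outside", "inside", probe)  # implicit deny
    before = fw.acl_checks
    req = Packet("tcp", "198.51.100.7", 50000, "10.0.0.80", 80)
    out["inbound_permitted"] = fw.process("outside", "inside", req)      # ACL permit
    out["inbound_permitted_2nd"] = fw.process("outside", "inside", req)  # table hit
    resp = Packet("tcp", "10.0.0.80", 80, "198.51.100.7", 50000)
    out["inbound_return"] = fw.process("inside", "outside", resp)        # table hit
    out["acl_checks_for_inbound_flow"] = fw.acl_checks - before
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The connection-table lookup comes before any ACL evaluation, which is the whole point of the answer: the outside ACL only ever sees the first packet of a flow, so return traffic for an inside-originated connection never needs a permit on outside.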
03-08-2011 03:26 PM
Jen,
Thanks for the response. Could you clarify what you mean by "only the first connection needs to be allowed with an ACL if you have applied an ACL on the interface"?
My assumption is that you are referring to traffic moving from the outside interface in.
So if an ACL is applied to the outside interface permitting traffic to an inside interface, the ACL will allow the connection, and then all subsequent packets matching the rule will be CEF switched?
Newt