cannot block traffic in ASA

elnurh
Level 1

Hi all experts here. I have an issue with denying traffic from the low-security interface back. I have a server behind an interface with security level 0 and an access list that permits only certain traffic from that host via 8080 to another client host; any other traffic from this host to any was denied.

But all clients from an interface with a higher security level than this, without an access list, are permitted to connect to this host on any port.

How can I resolve this issue without implementing an access list on the high-level interface?

Thanks all in advance.

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

As per your requirement, if you want the traffic to be blocked from the hosts from the Higher Security Level to the Lower, you would have to use an ACL, as that would be the only option.

The only other option would be to reduce the Security level on the other interface.

Thanks and Regards,

Vibhor Amrodia

I have an ACL implemented on the low-level interface, but this ACL is not working.

I want to understand why, without an ACL on the high-level interface, I can't block return traffic via the ACL on the low-level interface?

You can't block it because the ASA is a stateful firewall.

What this means is that if traffic is allowed in one direction, then the return traffic is allowed without checking ACLs, because there is an entry in the state table.

The ACL in your example is only checked when the traffic is initiated from the server, i.e. when there is no entry in the state table.

Jon
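As an added example (not configuration from the thread), this is the inside-interface ACL that Vibhor's and Jon's replies point to: it controls which inside clients may open a connection to the server, which is the only point at which the ASA evaluates an ACL for that flow. The addresses, interface names and the ACL name INSIDE_IN are assumed placeholders.

```cisco
! Assumed placeholder addressing (not from the thread):
!   inside  (security-level 100): clients 10.1.1.0/24
!   outside (security-level 0):   server  192.0.2.10
!
! Inbound ACL on the inside interface. This decides whether an inside
! client may build a connection to the server. Once the connection is in
! the conn table, its return packets are matched against that entry and
! are never re-checked by the ACL applied on the outside interface.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 8080
access-list INSIDE_IN extended deny ip any host 192.0.2.10
! Applying an ACL removes the implicit high-to-low permit on this
! interface, so everything else inside users need must be allowed explicitly.
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Verification: established flows that bypass ACL evaluation are listed here.
show conn
```

Existing connections already in the conn table are not torn down by adding the ACL; they age out or can be cleared, after which new attempts from inside to the server are evaluated against INSIDE_IN.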
