Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1290
Views
10
Helpful
2
Replies

FMC: Does packet state impact Access Control Policy processing?

Go to solution
00u1arh1c7Nbc5p2z5d7
Level 1
Level 1

‎07-21-2021 09:32 AM

For our first rule in our Access Control Policy, we've got a geolocation block on incoming traffic from country X. There is no corresponding rule for outgoiong traffic to country X, however.

 

So, as I understand it, anyone in country X trying to initiate a new connection to us would have the packet dropped. However, someone trying to initiate a connection to country X from inside our network would be allowed through the firewall.

 

What I'm not clear on is, in the latter case, would the response packet from country X, which would hit the firewall with state "ESTABLISHED" rather than "NEW," still get blocked by the geolocation rule?

1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-21-2021 09:49 AM

Since FW is statefull if the connection intiated from inside and allowed, the that should be ok.

 

if the intiation from outside should be blocked, your understanding correct ?

 

Do you see any issue, or is that just clarfication ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

2 Replies 2

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-21-2021 09:49 AM

Since FW is statefull if the connection intiated from inside and allowed, the that should be ok.

 

if the intiation from outside should be blocked, your understanding correct ?

 

Do you see any issue, or is that just clarfication ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
00u1arh1c7Nbc5p2z5d7
Level 1
Level 1
In response to balaji.bandi

‎07-21-2021 10:54 AM

Thanks, Balaji. I was just looking for clarification.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card