I see hits on return traffic on ASA 8.4(1)

g.eleftheriou
Level 1

Hi People,

I have on the inside an ACE that looks like this:

permit A.A.A.A any eq http

On the outside

permit ip any any log

If I right-click, choose show log and get to the real-time log viewer, I see hits for traffic

Internet IP port 80 to A.A.A.A (random port)

Since there is dynamic NAT for A.A.A.A, the only logical explanation is that this is return traffic.

My question is why do I have hits on the outside ACE?

2 Replies

varrao
Level 10

Hi,

The return traffic should never hit the outside ACL that you have; it would only hit if the connection was established from that interface. To verify the findings I would suggest you take captures and logs simultaneously.

Take captures on the inside and outside interfaces, and along with that take the debug-level logs as well. In the logs you can match the traffic by checking the connection number as well; this would verify whether the log generated is for the same connection, by matching the number.

Moreover, what you are saying is that the ip any any ACL is getting hit; that means if you put a deny ACL on the outside then the return traffic should hit that as well??

You can try this as well to verify your findings.

Hope this helps.

Thanks,

Varun

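One way to do the log-side correlation Varun describes, as an added example that is not from the thread or from Cisco: a small Python script that pairs 106100 ACL-hit messages with the 302013 connection-build messages that carry the connection number, matching on addresses and ports because the 106100 message itself has no connection number. A hit on the outside ACL whose addresses are the reverse of an outbound-built connection is the "hit on return traffic" the question is about. The syslog lines, interface names, addresses and ACL name are constructed.

```python
import re

# Constructed sample ASA syslog lines (not taken from the thread).
# 302013 carries the connection number; 106100 is the ACL-hit message.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 4711 for inside:10.1.1.10/51234 (198.51.100.2/51234) to outside:203.0.113.5/80 (203.0.113.5/80)
%ASA-6-106100: access-list outside_access_in permitted tcp outside/203.0.113.5(80) -> inside/10.1.1.10(51234) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_access_in permitted tcp outside/198.51.100.77(40000) -> inside/10.1.1.20(22) hit-cnt 1 first hit [0x1a2b3c4e, 0x0]
%ASA-6-302013: Built inbound TCP connection 4712 for outside:198.51.100.77/40000 (198.51.100.77/40000) to inside:10.1.1.20/22 (198.51.100.3/22)
"""

BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (inbound|outbound) (TCP|UDP) connection (\d+) for "
    r"(\w+):([\d.]+)/(\d+) \([\d.]+/\d+\) to (\w+):([\d.]+)/(\d+) \([\d.]+/\d+\)")
HIT_RE = re.compile(
    r"%ASA-\d-106100: access-list (\S+) (permitted|denied) (tcp|udp) "
    r"(\w+)/([\d.]+)\((\d+)\) -> (\w+)/([\d.]+)\((\d+)\)")


def correlate(log_text):
    """Return (acl, conn_id, kind) for every 106100 hit that maps onto a
    built connection. kind is 'initial-<dir>' when the hit's 4-tuple is the
    connection's own, or 'return-of-<dir>' when it is the reverse tuple,
    i.e. the ACL counted a packet flowing back on an existing connection."""
    conns = {}  # (src_ip, src_port, dst_ip, dst_port) -> (conn_id, direction)
    lines = log_text.splitlines()
    # First pass: index all built connections, since on a real box the
    # 106100 line is often logged before the 302013 line for the same flow.
    for line in lines:
        m = BUILT_RE.match(line)
        if m:
            direction, _, cid, _, sip, sp, _, dip, dp = m.groups()
            conns[(sip, sp, dip, dp)] = (int(cid), direction)
    # Second pass: map each ACL hit onto a connection number.
    results = []
    for line in lines:
        m = HIT_RE.match(line)
        if not m:
            continue
        acl, _, _, _, sip, sp, _, dip, dp = m.groups()
        if (sip, sp, dip, dp) in conns:
            cid, direction = conns[(sip, sp, dip, dp)]
            results.append((acl, cid, "initial-" + direction))
        elif (dip, dp, sip, sp) in conns:
            cid, direction = conns[(dip, dp, sip, sp)]
            results.append((acl, cid, "return-of-" + direction))
    return results


if __name__ == "__main__":
    for acl, cid, kind in correlate(SAMPLE_LOG):
        print(f"{acl}: connection {cid} -> {kind}")
```

Any `return-of-outbound` line is a hit the outside ACL should not have produced; compare it against the interface captures for the same connection number.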

Hi,

thanks for your reply.

Personally I think it's a bug, because this doesn't happen on all connections and in addition I have another firewall (another brand) in front of the ASA,

and from the outside to the inside I don't have any matches on this firewall (as I should).

I changed the ACE to ip ip deny log and I do have the hit counter increasing, although nothing appears in show log or the real-time log viewer.

I haven't seen any disruptions to my web browsing.
