05-26-2011 03:19 AM - edited 03-11-2019 01:38 PM
Hi People,
I have on the inside an ACE that looks like this:
permit A.A.A.A any eq http
On the outside
permit ip any any log
If I right-click, choose Show Log and get to the real-time log viewer, I see hits for traffic
Internet IP port 80 to A.A.A.A (random port)
Since there is dynamic NAT for A.A.A.A, the only logical explanation is that this is return traffic.
My question is: why do I have hits on the outside ACE?
05-26-2011 04:25 AM
Hi,
The return traffic should never hit the outside ACL that you have; it would only hit if the connection was established from that interface. To verify the findings I would suggest you take captures and logs simultaneously.
Take captures on the inside and outside interfaces, and along with that take the debug-level logs as well. In the logs you can match the traffic by checking the connection number as well; this would verify whether the log generated is for the same connection, by matching the number.
Moreover, what you are saying is that the ip any any ACL is getting hit; that means if you put a deny ACL on the outside then the return traffic should hit that as well?
You can try this as well to verify your findings.
Hope this helps.
Thanks,
Varun
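One way to do the cross-check Varun describes, correlating each ACL-hit log line with the connection-built log line for the same flow so that a hit on the outside ACL can be tied to an existing inside-initiated connection (or flagged as having none), as an added Python example that is not from this thread. The sample log lines are constructed; their format approximates ASA 302013 and 106100 messages using real (pre-NAT) addresses, and the ACL name outside_in is an assumption.

```python
import re

# Constructed sample lines (not from the thread); formats approximate ASA
# 302013 (connection built) and 106100 (ACL hit) syslog messages.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/80 "
    "(198.51.100.7/80) to inside:10.0.0.25/51234 (203.0.113.10/51234)",
    "%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.7(80) "
    "-> inside/10.0.0.25(51234) hit-cnt 1 first hit [0x0, 0x0]",
    "%ASA-6-106100: access-list outside_in permitted tcp outside/192.0.2.99(40000) "
    "-> inside/10.0.0.25(22) hit-cnt 1 first hit [0x0, 0x0]",
]

CONN_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"\S+:(?P<a_ip>\S+)/(?P<a_port>\d+) \(\S+\) to \S+:(?P<b_ip>\S+)/(?P<b_port>\d+) \(\S+\)"
)
ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\w+) "
    r"\S+/(?P<src_ip>\S+)\((?P<src_port>\d+)\) -> \S+/(?P<dst_ip>\S+)\((?P<dst_port>\d+)\)"
)


def build_conn_table(lines):
    """Map (proto, unordered real-address endpoint pair) -> connection number."""
    table = {}
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            key = frozenset([(m["a_ip"], int(m["a_port"])), (m["b_ip"], int(m["b_port"]))])
            table[(m["proto"].lower(), key)] = int(m["conn"])
    return table


def classify_acl_hits(lines):
    """Return [(acl, src, dst, verdict)]; the verdict names the matching connection, if any."""
    table = build_conn_table(lines)
    results = []
    for line in lines:
        m = ACL_RE.search(line)
        if not m:
            continue
        src = (m["src_ip"], int(m["src_port"]))
        dst = (m["dst_ip"], int(m["dst_port"]))
        conn = table.get((m["proto"].lower(), frozenset([src, dst])))
        verdict = f"return traffic of connection {conn}" if conn is not None else "no matching connection"
        results.append((m["acl"], src, dst, verdict))
    return results


for acl, src, dst, verdict in classify_acl_hits(SAMPLE_LOGS):
    print(f"{acl}: {src[0]}:{src[1]} -> {dst[0]}:{dst[1]}  {verdict}")
```

An ACL hit that matches a built connection is the return half of a flow the firewall already tracks, while one with no matching connection is a genuinely new inbound attempt worth looking at separately.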
05-26-2011 05:31 AM
Hi,
Thanks for your reply.
Personally I think it's a bug, because this doesn't happen on all connections, and in addition I have another firewall (another brand) in front of the ASA,
and from the outside to the inside I don't have any matches on this firewall (as I should).
I changed the ACE to ip ip deny log and I do have the hit counter increasing, although nothing appears in show log or the real-time log viewer.
I haven't seen any disruptions to my web browsing.