11-03-2014 12:25 PM - edited 03-11-2019 10:01 PM
So I have a Cisco 6509 with an outbound ACL on an interface that faces a Cisco ASA 5580 firewall. I have converted this switch ACL into the format that the ASA will recognize and applied it in the inbound direction of the ASA interface facing the 6509. The only change I made on the ASA was to put a permit ip any log at the end because I wanted to make sure I'm not missing anything before completely removing the switch ACL. The switch ACL has a permit tcp any any established at the beginning and a deny ip any any at the end. There are a bunch of specific rules in between. With that said, I also omitted the permit tcp any any established because that is already implied on a firewall and there's no way to configure it anyway.
Flow of traffic seems to work fine in this direction, no ACLs in this direction:
[Source of traffic] ----------> ASA5580 -------> 6509 -------> [Destination traffic]
Unexpected return traffic gets caught by the last-resort permit any any at the end of the firewall ACL:
[Source of traffic] <---------- ASA5580 (ACL)<------- (ACL)6509 <------- [Destination traffic]
So after observing for a bit, I noticed that I'm actually matching on the permit any at the bottom of the ASA. This is leading me to believe that the permit tcp any any established on the switch ACL is letting some traffic through but why is the ASA not automatically realizing that this is a stateful connection?
As a workaround, I've been adding general blanket statements above the permit any that I'm not too fond of.
So my question is how could I be matching on the permit any any statement on the ASA? I would expect to see nothing matched especially with the deny any at the bottom of the 6509 ACL facing the firewall.
Thanks in advance for any help :)
Pete
11-04-2014 07:27 AM
Hi,
Are you seeing the return traffic being allowed by the permit any any statement? If yes, does it have a LOG keyword? If yes, then this is expected and you can ignore the logs: once the connection is created after checking all the configured policies on the ASA devices, the return traffic will never be matched against the ACL on the interface.
Check this:
https://tools.cisco.com/bugsearch/bug/CSCso55505/?reffering_site=dumpcr
Thanks and Regards,
Vibhor Amrodia
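The behaviour described in this answer (connection table consulted first, interface ACL evaluated only for new flows) set against the switch's stateless "established" keyword, as an added example that is not part of the thread or of any Cisco code. It models the permit/deny decision only, not ASA syslog generation; the interface names, ACL entries and packets are constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")  # constructed packet model


def established_match(pkt):
    # Stateless IOS 'established': any segment with ACK or RST set matches,
    # whether or not a connection actually exists.
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFirewall:
    # ASA-style model: connection table first; the inbound ACL on the
    # 6509-facing interface is evaluated only for packets of new flows.
    def __init__(self, inbound_acl):
        self.inbound_acl = inbound_acl  # ordered (name, predicate) pairs
        self.conns = set()              # keys: (src, sport, dst, dport)
        self.hits = {name: 0 for name, _ in inbound_acl}

    def process(self, pkt, ingress):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "existing-connection"     # ACL is never consulted
        if ingress == "source-facing":       # no ACL in this direction
            self.conns.add(fwd)
            return "new-connection"
        for name, pred in self.inbound_acl:  # new flow from the 6509 side
            if pred(pkt):
                self.hits[name] += 1
                if name.startswith("permit"):
                    self.conns.add(fwd)
                return name
        return "implicit-deny"


def simulate():
    # Constructed traffic: one client connection, then a stray ACK-only segment.
    fw = StatefulFirewall([
        ("permit tcp host 10.0.0.5 any eq 25", lambda p: p.src == "10.0.0.5" and p.dport == 25),
        ("permit ip any any log", lambda p: True),
    ])
    syn = Packet("192.0.2.10", 40000, "10.0.0.5", 443, frozenset({"SYN"}))
    synack = Packet("10.0.0.5", 443, "192.0.2.10", 40000, frozenset({"SYN", "ACK"}))
    stray = Packet("203.0.113.7", 1234, "192.0.2.10", 8080, frozenset({"ACK"}))
    return {
        "syn": fw.process(syn, "source-facing"),
        "synack": fw.process(synack, "6509-facing"),
        "stray_on_6509": established_match(stray),  # True: switch ACL would pass it
        "stray_on_asa": fw.process(stray, "6509-facing"),
        "hits": dict(fw.hits),
    }
```

The SYN/ACK of the client's connection never touches the ACL, so the only packets that can reach the final permit ip any any log entry are new flows arriving from the 6509 side, which the switch's established rule would have passed on the ACK bit alone.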
11-04-2014 10:25 AM
Thanks a lot for the answer!
Ok so I have attached the last few lines in my firewall ACL. All those permit statements were put there because I saw they were logged in the permit ip any any log at the bottom. If I'm understanding you correctly, I don't need any of these permit statements? It looks like the firewall is not being stateful. I don't want the ACKs to be blocked...
11-10-2014 11:50 AM
I also opened up a TAC case on this issue and we came to the conclusion that the response given by Vibhor Amrodia is correct! Thanks!