02-16-2010 11:19 AM - edited 03-11-2019 10:10 AM
Hi!
I need your help to understand something about the stateful inspection.
Say we have a source X (initiator) that wants to access a destination Y that is in the "inside" network of the ASA. The source X is accessing Y across a tunnel.
We have a Crypto ACL allowing this traffic (mandatory to establish the tunnel). On the "inside" interface we have an ACL applied but do not have a line allowing Y to reach X.
Since X is the initiator and the ASA is configured to allow X->Y, based on the session table will the return traffic be allowed even though the inside ACL doesn't allow it?
If yes, should this logic apply to normal traffic as well?
02-16-2010 12:03 PM
sridharlatcw wrote:
Hi!
I need your help to understand something about the stateful inspection.
Say we have a source X (initiator) that wants to access a destination Y that is in the "inside" network of the ASA. The source X is accessing Y across a tunnel.
We have a Crypto ACL allowing this traffic (mandatory to establish the tunnel). On the "inside" interface we have an ACL applied but do not have a line allowing Y to reach X.
Since X is the initiator and the ASA is configured to allow X->Y, based on the session table will the return traffic be allowed even though the inside ACL doesn't allow it?
If yes, should this logic apply to normal traffic as well?
As long as the inside ACL is applied inbound to the interface then yes, return traffic from Y -> X will be allowed because of the stateful nature of the firewall. There are a few exceptions, i.e. non-stateful traffic such as GRE etc. would need to be allowed on the inside ACL because the firewall doesn't keep state for that protocol. ICMP used to be the same, but the ASA now supports ICMP inspection.
And yes this logic applies to normal traffic as well.
Jon
02-17-2010 08:36 AM
Oh, OK, that was something I was not aware of. I thought the return traffic would be denied because the ACL (applied inbound on the inside interface) is not allowing it. Anyway, Jon, thank you for the explanation, I appreciate that.
-Sridhar L
02-17-2010 08:39 AM
sridharlatcw wrote:
Oh, OK, that was something I was not aware of. I thought the return traffic would be denied because the ACL (applied inbound on the inside interface) is not allowing it. Anyway, Jon, thank you for the explanation, I appreciate that.
-Sridhar L
Sridhar
No problem, glad to have helped.
If you were talking about normal ACLs on a router then yes, it would be blocked, but because it is a stateful firewall, once the connection has been allowed in either direction the return traffic will be allowed without checking ACLs.
Jon
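A toy model of the behaviour Jon describes in both replies above, added here as an illustration (it is not ASA code or configuration): the connection table is consulted before the inbound interface ACL, so return traffic of a stateful flow passes even when the inside ACL has no permit line for Y -> X, while a non-stateful protocol such as GRE still needs an explicit ACL entry. The addresses, interface names and ACL entries are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp" or "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

class StatefulFirewall:
    """Simplified model of a stateful firewall's permit/deny decision (not ASA code)."""

    def __init__(self, acls, icmp_inspection=True):
        # acls: {interface: [(action, proto, src, dst), ...]}, first match wins,
        # implicit deny at the end; each list applies to traffic entering that interface.
        self.acls = acls
        # Protocols the firewall keeps state for; ICMP only when ICMP inspection is enabled.
        self.stateful = {"tcp", "udp"} | ({"icmp"} if icmp_inspection else set())
        self.conn_table = set()

    def _acl_permits(self, iface, pkt):
        for action, proto, src, dst in self.acls.get(iface, []):
            if proto in ("ip", pkt.proto) and src in ("any", pkt.src) and dst in ("any", pkt.dst):
                return action == "permit"
        return False  # implicit deny

    def process(self, iface, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Existing connection (either direction) bypasses the interface ACL.
        if pkt.proto in self.stateful and (fwd in self.conn_table or rev in self.conn_table):
            return "permit:existing-connection"
        # 2. Otherwise the ACL applied inbound on this interface decides.
        if not self._acl_permits(iface, pkt):
            return "deny:acl"
        # 3. A newly permitted stateful flow is recorded so its return traffic can pass.
        if pkt.proto in self.stateful:
            self.conn_table.add(fwd)
        return "permit:acl"

def thread_scenario():
    X, Y = "10.1.1.5", "192.168.1.10"   # constructed: X = remote initiator, Y = inside host
    fw = StatefulFirewall({
        "outside": [("permit", "ip", X, Y)],               # X -> Y allowed (as the crypto ACL would)
        "inside":  [("permit", "tcp", Y, "203.0.113.7")],  # no line permitting Y -> X
    })
    return {
        "tcp_x_to_y":        fw.process("outside", Packet("tcp", X, Y, 40000, 443)),
        "tcp_y_to_x_return": fw.process("inside", Packet("tcp", Y, X, 443, 40000)),
        "tcp_y_to_x_new":    fw.process("inside", Packet("tcp", Y, X, 40001, 22)),
        "gre_x_to_y":        fw.process("outside", Packet("gre", X, Y)),
        "gre_y_to_x_return": fw.process("inside", Packet("gre", Y, X)),
    }
```

Only the reply to the connection X opened passes the inside interface without an ACL line; a fresh Y -> X connection and the GRE return traffic are both stopped by the inside ACL's implicit deny.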