Stateful Firewall

henockk
Level 1

Dear all, I am new to firewall technologies and I want to ask about the stateful firewall feature. A stateful firewall maintains the TCP state and knows a user's session, so why do we need to allow a user in both directions, incoming and outgoing, for the same traffic if the state is already known when the user requests the session, and the firewall knows the returning traffic as well?

Accepted Solution

@henockk with a stateful firewall, permitting inside to outside traffic is sufficient to allow traffic initiated from the inside network to outside. The firewall would permit the return traffic.

By default traffic from outside to inside is usually denied, unless explicitly permitted. You'd only permit traffic from outside to inside if the traffic is initiated on the outside. On a perimeter firewall this is used when accessing a website in the DMZ or when bi-directional traffic is required in a WAN scenario.


3 Replies

IN-FW-OUT

TCP initiated from OUT to a server in IN: here you mandatorily need an ACL on OUT.

TCP initiated from IN to a server in OUT: an ACL is optional, to make IN able to access only the server in OUT; other traffic will be denied.


What are you asking?  Do you mean if a user is already allowed from inside to outside, then if the user moves to the outside network that user should already be allowed access from the outside to inside?

The issue here is where the user traffic is generated from.  When the traffic is generated from the inside network usually there is an access-list statement, or in some cases a security level, that permits the user access to the outside network.  In this case the connection is entered into the state table and return traffic will be allowed.

If that user were to move to the outside network and initiate a connection towards the inside, the traffic would be denied by default, as the user has now initiated a new connection for which there is no access-list. So, in short, what gets added to the state table depends on where the traffic is being initiated from and whether there are access rules that allow the connection (and possibly NAT statements).

--
Please remember to select a correct answer and rate helpful posts
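The accepted answer and the reply above describe the same mechanism: a connection that matches a permit rule in the direction it was initiated gets an entry in the state (connection) table, and the return packets are matched against that entry rather than against the ACL, while a new connection initiated from the other side finds neither an entry nor a rule and is dropped. The following is an added example, not code from this thread or from Cisco: a small Python model of that connection table. The `Packet`, `Rule` and `StatefulFirewall` names, the `inside`/`outside` zones and the IP addresses are constructed for illustration; it also shows why an ACK-only packet with no prior connection is dropped, which a stateless "established" ACL would let through.

```python
"""Toy model of a stateful firewall's connection table (constructed example).

Two zones, 'inside' and 'outside'. The only policy is a single rule that
permits TCP initiated from inside. Return traffic is permitted because it
matches an existing connection entry, not because of a second rule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_zone: str      # zone (interface) the packet arrived on
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # SYN set: first packet of a new TCP connection
    ack: bool = False


@dataclass
class Rule:
    """Permit TCP initiated from src_zone; dst_port=None means any port."""
    src_zone: str
    dst_port: Optional[int] = None


# Decision strings returned by the firewall model.
PERMIT_NEW = "PERMIT (new connection, state created)"
PERMIT_EXISTING = "PERMIT (matches existing connection)"
DENY_NO_STATE = "DENY (mid-stream packet, no matching connection)"
DENY_NO_RULE = "DENY (no rule permits initiation from this zone)"

ConnKey = Tuple[str, int, str, int]


class StatefulFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        # Connection table: forward 4-tuple -> zone that initiated it.
        self.conn_table: Dict[ConnKey, str] = {}

    def _rule_permits(self, pkt: Packet) -> bool:
        return any(
            r.src_zone == pkt.in_zone and r.dst_port in (None, pkt.dst_port)
            for r in self.rules
        )

    def process(self, pkt: Packet) -> str:
        fwd: ConnKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev: ConnKey = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # 1. Existing connection in either direction: ACL is not consulted.
        if fwd in self.conn_table or rev in self.conn_table:
            return PERMIT_EXISTING
        # 2. No state and not a pure SYN: this cannot start a connection.
        if not pkt.syn or pkt.ack:
            return DENY_NO_STATE
        # 3. A new connection is only allowed by a rule for its initiating zone.
        if self._rule_permits(pkt):
            self.conn_table[fwd] = pkt.in_zone
            return PERMIT_NEW
        return DENY_NO_RULE


def demo() -> List[str]:
    """Walk through the scenarios discussed in the thread; returns decisions."""
    fw = StatefulFirewall([Rule(src_zone="inside")])   # permit inside -> any
    results = []
    # Inside host opens HTTPS to an outside server.
    results.append(fw.process(Packet("inside", "10.0.0.5", 40000, "203.0.113.10", 443, syn=True)))
    # The server's SYN/ACK comes back in on the outside interface.
    results.append(fw.process(Packet("outside", "203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True)))
    # An outside host tries to open SSH to the inside host: no rule, no state.
    results.append(fw.process(Packet("outside", "198.51.100.7", 51000, "10.0.0.5", 22, syn=True)))
    # The same host sends an ACK-only packet with no prior connection.
    results.append(fw.process(Packet("outside", "198.51.100.7", 51000, "10.0.0.5", 22, ack=True)))
    # Outside-initiated traffic needs its own explicit rule (DMZ web server case).
    fw.rules.append(Rule(src_zone="outside", dst_port=443))
    results.append(fw.process(Packet("outside", "198.51.100.7", 52000, "172.16.0.10", 443, syn=True)))
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The model omits state timeouts, TCP sequence tracking and NAT, which a real firewall also applies before or alongside the table lookup; the point it demonstrates is the one in the answers above: one permit rule in the initiating direction is enough, and the return direction is covered by the connection entry, not by a second rule.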