Solved: Hi,The ASA checks the ACL

GRANT3779 · ‎09-30-2015

Hi All,

I have some static NATs configured with relevant ACL "Inbound" on the Outside Interface.

Simple Setup - I have inside and outside interface.

If someone from Outside initiates a connection to one of my servers on a Static NAT. Will the return traffic from the server be allowed back out If I have an ACL Inbound on the Inside Interface that potentially blocks the return traffic? Or is a state table checked first before the ACL to see if this is a known already established connections and then allow the traffic (ignoring my ACL on inside interface).

Thanks

Rishabh Seth · ‎09-30-2015

Hi,

The ASA checks the ACL while creating the session and return traffic matches existing session and gets processed.

Hence the execution will occur in following manner: Evaluate ACL on ingress interface in inward direction >> ACL on the egress interface in outward direction (if this is present).

Return traffic for the same session will match the session and will get processed accordingly.

Hope it helps!!!

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!

!!!

Thanks,

R.Seth

Don't forget to mark the answer as correct if it helps in resolving your query!!!

View solution in original post

Rishabh Seth · ‎09-30-2015

Hi,

The ASA checks the ACL while creating the session and return traffic matches existing session and gets processed.

Hence the execution will occur in following manner: Evaluate ACL on ingress interface in inward direction >> ACL on the egress interface in outward direction (if this is present).

Return traffic for the same session will match the session and will get processed accordingly.

Hope it helps!!!

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!

!!!

Thanks,

R.Seth

Don't forget to mark the answer as correct if it helps in resolving your query!!!

Static NAT / ACL