traffic allowed by default from higher to lower security zone in firewall

rocky2024
Level 1

Dear All,

In ASA, all traffic is allowed by default from a higher to a lower security zone, i.e. inside to outside.

1) Do we need to allow the return traffic on the outside interface? If yes, then my understanding would be: traffic is allowed by default from inside to outside, but the return traffic should be allowed on the outside interface in the inbound direction. Correct?

2) Please clarify whether all types of traffic and all TCP/UDP ports are allowed by default from inside to outside. Absolutely all traffic? Or are certain ports not allowed by default from inside to outside?

Regards,

Sourabh

2 Accepted Solutions

Hi,
The ASA is stateful and keeps track of all outbound TCP/UDP connections, so when you make a connection outbound it will automatically permit the return traffic.

An exception to this is ICMP: it is not stateful like TCP/UDP, so you either need to enable "inspect icmp" in the policy map or modify an ACL on the outside interface permitting the traffic.

HTH


Dennis Mink
VIP Alumni

In a nutshell, access lists are applied in the ingress direction, so if you initiate traffic, for instance on port 80, that hits your inside interface to go to cnn.com, the response from cnn does NOT have to be explicitly permitted.

Please remember to rate useful posts by clicking on the stars below.

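The two replies above describe the behaviour in words; the following ASA configuration fragment is an added editorial example (not taken from either reply) that puts both options side by side: the security-level defaults that make inside-to-outside traffic flow without an ACL, the "inspect icmp" route for making ICMP replies stateful, and the alternative of explicitly permitting ICMP replies inbound on the outside interface. The interface names, security levels, addresses (RFC 5737 documentation ranges) and the ACL name outside_access_in are assumptions chosen for illustration.

```cisco
! Assumed interfaces: "inside" at security level 100, "outside" at 0.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! With NO access-group bound to "inside", the security-level rule permits
! every IP protocol and port from inside (100) to outside (0). Each TCP/UDP
! session is recorded in the connection table, so the reply from the outside
! host is matched to that entry and needs no rule on the "outside" interface.
!
! Option 1: make ICMP stateful by adding it to the default global inspection
! policy. Echo replies (and, with "inspect icmp error", related ICMP errors)
! are then matched to the outbound echo request instead of being dropped.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! Option 2 (use instead of, or in addition to, option 1): permit the ICMP
! reply types explicitly on the outside interface in the inbound direction.
! Tighten the destination to your real inside network where possible
! (on ASA 8.3+ access lists match the real, untranslated addresses).
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
```

To check the stateful behaviour on a live box, start a session from an inside host and run "show conn" to see its entry, or use "packet-tracer input inside tcp 192.168.1.10 12345 198.51.100.20 80" (assumed addresses) to watch the security-level implicit permit and connection creation phases. "show service-policy inspect icmp" confirms the inspection engine is active. One caveat that bears on the second question in the original post: the "all traffic, all ports" default is a property of the security levels, not of any access list, so the moment an access-group is bound to the inside interface in the "in" direction that implicit permit is replaced by the ACL, whose implicit deny then drops anything you have not listed.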

3 Replies


Thank you very much.