What happens if I allow traffic on 1 interface, but deny that traffic on the responding interface?

Eric Snijders
Level 1

It might look like a weird question, but I actually have an experimental case for this one.
Pretty simple:

1. Let's say I permit tcp/443 from anyone on the outside to PC01.

2. Now I want to block specific traffic on the way back, i.e. on the Inside, to a specific host.

Why? I'm investigating some weird return traffic. I just made this test setup in GNS3 and it seems that if I block tcp/443 on the Inside, it indeed blocks everything, so there will be no connection.

Is there any way I can block specific traffic only if there is no valid connection on the ASA? Because the traffic I'm investigating seems to be traffic AFTER the TCP connection was already closed, but somehow it's still hitting a permit rule.


mkazam001
Level 3

Hi Eric,

I would run the ASA packet-capture on both interfaces to confirm your hypothesis. Also try sh conn | i x.x.x.x, with x.x.x.x being the IP address.

The connection from the outside-in will cause the ASA to create an entry in the state table, so the return traffic from the LAN to the outside will bypass any ACL on the interface, as the connection already exists.

Regards, mk
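The behaviour described in this answer, replayed as an added example that is not part of the original thread and not Cisco ASA code: a minimal stateful firewall model that consults the connection table before the ingress ACL, so the return packets of an established flow bypass the Inside deny, while a stray packet arriving after the connection has been torn down is evaluated against the ACL and dropped. Interface names, addresses and ports are constructed for the demonstration.

```python
# Simplified model of conn-table-first ACL evaluation, added here to illustrate
# the answer above. It is not Cisco ASA code and omits NAT, inspection, the TCP
# normalizer and idle timeouts; all addresses are constructed.
from collections import namedtuple

# iface: ingress interface ("outside"/"inside"); flags: "S" SYN, "A" ACK, "F" FIN, "R" RST
Packet = namedtuple("Packet", "iface src dst dport sport flags")

class StatefulFirewall:
    def __init__(self, acls):
        # Per-interface ACL: ordered (action, dst, dport) entries, first match
        # wins, unmatched packets hit the implicit deny, like an ASA ACL.
        self.acls = acls
        self.conns = set()   # live 5-tuples, i.e. what "show conn" would list

    def _acl_verdict(self, pkt):
        for action, dst, dport in self.acls.get(pkt.iface, []):
            if dst in (pkt.dst, "any") and dport in (pkt.dport, "any"):
                return action
        return "deny"

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            # Existing connection: the ingress ACL is never consulted. FIN/RST
            # removes the entry (one FIN suffices here; real firewalls wait
            # for both sides to finish closing).
            if "F" in pkt.flags or "R" in pkt.flags:
                self.conns -= {fwd, rev}
            return "permit (conn table)"
        verdict = self._acl_verdict(pkt)
        if verdict == "permit" and "S" in pkt.flags:
            self.conns.add(fwd)   # first packet of a permitted flow creates state
        return verdict + " (acl)"

def run_scenario():
    # Replays the question: 203.0.113.10 is the outside client, 10.0.0.1 is PC01.
    client, pc01 = "203.0.113.10", "10.0.0.1"
    fw = StatefulFirewall({
        "outside": [("permit", pc01, 443)],                             # step 1
        "inside": [("deny", client, "any"), ("permit", "any", "any")],  # step 2
    })
    return [
        fw.process(Packet("outside", client, pc01, 443, 50000, "S")),   # SYN in
        fw.process(Packet("inside", pc01, client, 50000, 443, "SA")),   # SYN/ACK back
        fw.process(Packet("inside", pc01, client, 50000, 443, "FA")),   # FIN, conn torn down
        fw.process(Packet("inside", pc01, client, 50000, 443, "A")),    # stray packet after close
    ]
```

The last verdict is the case the question asks about: once the entry is gone from the state table, the Inside ACL applies again, so a packet-capture on both interfaces plus the conn table output will show whether the suspicious traffic still belongs to a live connection.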
