source and dest ports

aksher, Level 1

If machine A sends an HTTP request through a firewall, the destination port is HTTP (80). For the return traffic A is the destination; does it also listen on the same port, HTTP (80)?

6 Replies

ethiel, Level 3

Nope. Assuming host A talks to web server B, here is what happens:

Host A sends a packet with its own IP as the source and a source port chosen from the available ports higher than 1024. Let's say it chooses port 6000. B receives the request on port 80 and sends the reply _from_ port 80 to host A on port 6000.

a(6000) ---> b(80)

b(80) ---> a(6000)

The next HTTP request packet may use 6001, so it would be:

a(6001) ---> b(80)

b(80) ---> a(6001)

And so on.

-Eric
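As an added example (not part of the original thread), the exchange Eric describes, run for real on the loopback interface with Python: the client does not bind a port, so its kernel picks an ephemeral source port, and the server's reply goes back over the same connection, i.e. to exactly that port. Two assumptions: the server listens on an OS-chosen port instead of 80 so the script runs without privileges, and the port numbers 6000/6001 in the post are illustrative; the ports you see will come from your OS's ephemeral range (on Linux typically 32768-60999, on Windows 49152-65535, both well above 1024).

```python
import socket
import threading


def _serve(server: socket.socket, n_requests: int, seen: list) -> None:
    """Accept n_requests connections. For each one record the client's (ip, port)
    as the server sees it, then reply on that same connection: the reply is
    therefore addressed to the client's chosen source port, not to port 80."""
    for _ in range(n_requests):
        conn, peer = server.accept()
        with conn:
            request = conn.recv(1024)
            seen.append(peer)  # (client_ip, client_src_port)
            first_line = request.split(b"\r\n", 1)[0]
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nreply to " + first_line)


def demonstrate(n_requests: int = 2) -> list:
    """Open n_requests sequential TCP connections from 'host A' to 'server B'
    on loopback and return, per connection, the source port A's kernel chose
    and the port B replied to."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Port 0 lets the OS pick a free listening port; it stands in for port 80
    # so the example needs no root privileges (assumption, not from the post).
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    server.settimeout(5)
    server_port = server.getsockname()[1]
    seen: list = []
    t = threading.Thread(target=_serve, args=(server, n_requests, seen), daemon=True)
    t.start()

    results = []
    for i in range(n_requests):
        # No bind() on the client side: the kernel assigns an ephemeral source port.
        with socket.create_connection(("127.0.0.1", server_port), timeout=5) as client:
            _src_ip, src_port = client.getsockname()
            client.sendall(b"GET /%d HTTP/1.0\r\n\r\n" % i)
            reply = client.recv(1024)  # returns only after the server has appended to `seen`
        results.append({
            "client_src_port": src_port,
            "server_port": server_port,
            "server_saw_client_port": seen[i][1],
            "reply_received": reply.startswith(b"HTTP/1.0 200"),
        })
    t.join(5)
    server.close()
    return results


if __name__ == "__main__":
    for r in demonstrate():
        print(f"a({r['client_src_port']}) ---> b({r['server_port']})   then   "
              f"b({r['server_port']}) ---> a({r['server_saw_client_port']})")
```

Each connection normally shows a different client port, which is the "6000, then 6001" pattern in the post; the server never sends anything to port 80 on the client.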

So in the reverse path, can we have an access list at host A's end like...

access-list outside permit tcp any eq 80 any

You can do that, but most firewalls do that automatically per traffic flow. If you are using a router, it might be easiest to do that. If you are using a PIX/ASA, that is all automatic. The reason you would want to avoid doing that if possible is that it also allows external hosts to send inbound traffic to any port as long as they source it from port 80 (which is possible to do using special software). Furthermore, if you are doing PAT on the firewall (likely), then your traffic probably goes out with another source port altogether.

The automatic rules are more specific, so in the example I listed in the post above, the firewall sees the request from a(6000) to b(80) and temporarily allows traffic from b(80) to a(6000) so that the return traffic gets through.

- Eric

Hi Eric,

I cannot understand. If the firewall temporarily allows traffic from b(80) to a(6000) to allow the return traffic, what if A actually chose to use 6001? Will the firewall drop the traffic?

I allow ICA and HTTPS to a Citrix server hosting a web page, both to and from, but I cannot get the traffic to go through.

Sorry if I wasn't clear. The firewall monitors the traffic (inspect), and if your traffic is sourced from 6001, it opens up traffic back to 6001. If you then send traffic sourced from 6002, it will also allow the traffic back to 6002.

-Eric
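The two behaviours Eric contrasts in his second and third replies, as an added example that is not part of the original thread: a static `permit tcp any eq 80 any` rule versus stateful inspection with PAT. The model below is a simplification written for this page (it keys flows on the 4-tuple only, with no TCP state or timeouts); the addresses 10.0.0.5 (host A), 203.0.113.10 (server B), 198.51.100.1 (firewall outside address) and 192.0.2.66 (an outside attacker), and the PAT port range starting at 40000, are assumptions, not details from the posts.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticReturnAcl:
    """Models 'access-list outside permit tcp any eq 80 any' applied inbound:
    any TCP segment is permitted as long as its *source* port is 80,
    regardless of who sent it or which inside port it targets."""

    def inbound_allowed(self, pkt: Packet) -> bool:
        return pkt.src_port == 80


class StatefulPatFirewall:
    """Stateful inspection plus PAT (hypothetical model, not vendor code).
    Each outbound flow is rewritten to the firewall's outside address and a
    fresh PAT port; a flow entry is created so that only the matching return
    traffic (reverse 4-tuple) is translated back and permitted."""

    def __init__(self, outside_ip: str, first_pat_port: int = 40000):
        self.outside_ip = outside_ip
        self._pat_ports = count(first_pat_port)
        # (outside_ip, pat_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.flows: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        pat_port = next(self._pat_ports)
        self.flows[(self.outside_ip, pat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, pat_port, pkt.dst_ip, pkt.dst_port)  # as seen on the outside

    def inbound(self, pkt: Packet):
        """Return the untranslated packet delivered to the inside host, or None if dropped."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        inside = self.flows.get(key)
        if inside is None:
            return None  # no matching outbound flow: unsolicited, dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def run_scenario() -> dict:
    A, B, FW, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.1", "192.0.2.66"
    fw = StatefulPatFirewall(FW, first_pat_port=40000)
    acl = StaticReturnAcl()
    r = {}

    # a(6000) -> b(80): leaves the firewall as fw(40000) -> b(80); b replies to fw(40000)
    out1 = fw.outbound(Packet(A, 6000, B, 80))
    r["pat_port_first"] = out1.src_port
    reply1 = fw.inbound(Packet(B, 80, FW, out1.src_port))
    r["reply_6000_delivered_to"] = (reply1.dst_ip, reply1.dst_port)

    # a(6001) -> b(80): a new flow entry, so the return to 6001 is allowed as well
    out2 = fw.outbound(Packet(A, 6001, B, 80))
    reply2 = fw.inbound(Packet(B, 80, FW, out2.src_port))
    r["reply_6001_delivered_to"] = (reply2.dst_ip, reply2.dst_port)

    # A reply for a request that was never made: no flow entry, dropped
    r["unsolicited_dropped"] = fw.inbound(Packet(B, 80, FW, 40002)) is None

    # An attacker forging source port 80 toward an inside port (445 here)
    forged = Packet(ATTACKER, 80, FW, 445)
    r["forged_sport80_static_acl_permits"] = acl.inbound_allowed(forged)
    r["forged_sport80_stateful_drops"] = fw.inbound(forged) is None
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The last two results are the point of Eric's warning: the static ACL waves through anything with source port 80, while the stateful firewall only admits segments whose reverse 4-tuple it recorded on the way out. The PAT port also shows why a rule written around A's own source port is of little use when A's port is rewritten before the packet reaches the outside.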

Please remember to rate all helpful posts.