Hi All,
I have separate bidirectional rules in my firewall (ASA 5545-X) for different applications (including VoIP). What is puzzling here is that if I capture logs for the traffic coming from OUTSIDE (of the firewall) back into the segmented environment, I am seeing entries that should have been logged under the inside interfaces initiating those connections. The reason why I am saying that: I am seeing a lower-end source port session logged under the OUTSIDE interface with a higher-end DP. Examples:
SA: 10.100.11.20, SP: TCP(88) , DA=10.47.10.42, DP(50014 to 65408)
SA: 10.100.11.20, SP: UDP(53) , DA=10.47.10.37, DP(58146)
Is the firewall closing the session so it gets logged as a new session under OUTSIDE? Is there a timer issue here I need to check, where it waits for a response and, if it doesn't see it within a specific amount of time, logs it against the OUTSIDE rather than associating it with a session built from Inside (10.47.x.x)?
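A triage helper, added here and not part of the post, for checking this against exported ASA syslog: it parses connection build and teardown messages (the 302013/302014/302015 wording is assumed, and the sample lines are constructed), flags "Built inbound" entries whose port pattern (service port on the outside side, ephemeral port on the inside side) looks like an inside-initiated flow, and attaches the teardown reason if the same 5-tuple was torn down earlier in the log, so the timer theory can be verified from the teardown reason rather than guessed.

```python
import re

# Constructed sample lines in the shape of ASA 302013/302014/302015 messages
# (format assumed, not taken from the post). Conn 101 is built from inside,
# torn down on a timeout, and the same 5-tuple reappears as 102 logged inbound.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 101 for outside:10.100.11.20/88 (10.100.11.20/88) to inside:10.47.10.42/50014 (10.47.10.42/50014)
%ASA-6-302014: Teardown TCP connection 101 for outside:10.100.11.20/88 to inside:10.47.10.42/50014 duration 0:01:00 bytes 2048 Conn-timeout
%ASA-6-302013: Built inbound TCP connection 102 for outside:10.100.11.20/88 (10.100.11.20/88) to inside:10.47.10.42/50014 (10.47.10.42/50014)
%ASA-6-302015: Built outbound UDP connection 103 for outside:10.100.11.20/53 (10.100.11.20/53) to inside:10.47.10.37/58146 (10.47.10.37/58146)
%ASA-6-302013: Built inbound TCP connection 104 for outside:198.51.100.7/40022 (198.51.100.7/40022) to inside:10.47.10.50/443 (10.47.10.50/443)
"""

# One pattern for Built and Teardown lines; the "(mapped)" parts are optional.
CONN_RE = re.compile(
    r"(?P<event>Built|Teardown) (?:(?P<dir>inbound|outbound) )?(?P<proto>TCP|UDP) "
    r"connection (?P<id>\d+) for (?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+)"
    r"(?: \([^)]*\))? to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+)"
    r"(?: \([^)]*\))?(?P<rest>.*)"
)

def flag_suspect_builds(log_text, outside_iface="outside"):
    """Return one finding per 'Built inbound' line whose ports look inside-initiated
    (service port <1024 on the outside side, ephemeral port on the inside side),
    with the reason of any earlier teardown of the same 5-tuple attached."""
    teardown_reason = {}
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        key = (m["proto"], m["ip_a"], m["port_a"], m["ip_b"], m["port_b"])
        if m["event"] == "Teardown":
            # The reason is whatever follows "bytes N" (e.g. Conn-timeout, TCP FINs).
            teardown_reason[key] = re.sub(r"^.*bytes \d+\s*", "", m["rest"]).strip()
            continue
        if m["if_a"] == outside_iface:
            outside_port, inside_port = int(m["port_a"]), int(m["port_b"])
        else:
            outside_port, inside_port = int(m["port_b"]), int(m["port_a"])
        looks_inside_initiated = outside_port < 1024 and inside_port >= 1024
        if looks_inside_initiated and m["dir"] == "inbound":
            findings.append({"conn_id": m["id"], "tuple": key,
                             "prior_teardown": teardown_reason.get(key)})
    return findings
```

Run it over a `show logging` export or the syslog collector's file; a finding with a non-empty `prior_teardown` is a rebuilt flow, and the reason string says whether a timeout or a normal close preceded it.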