Thanks to everyone for taking the time to answer my question!

Cheers,
Christopher

-----Original Message-----
From: Brad McGinn [mailto:bmcg...@thiess.com.au]
Sent: Friday, 10 October 2014 02:49
To: Christopher Werny; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Cisco ASA return traffic with explicit deny on outside interface

Return traffic will be permitted.

Any traffic originating on a network connected to a higher security interface 
will not need an ACL to ingress.  When the traffic egresses to a lower security 
interface it will automatically be let back in.

Any traffic originating on a network connected to a lower security interface 
will need an ACL to allow ingress.  When the traffic egresses to a higher 
security interface it will also be let back in.

That's how I remember it anyway... :-)

Point 3 in the below link seems to back me up.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

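As an added illustration (not from the thread, and not Cisco's code), a small Python model of the order of operations Brad describes: the connection table is consulted before the interface ACL, so return traffic of an inside-originated flow is permitted even when the outside ACL is a bare `deny ip any any log`, while an unsolicited inbound packet hits the deny and is logged. Interface names, security levels and addresses are assumed, and NAT, inspection and the exact ASA step numbering are left out.

```python
# Toy model of the ASA decision the thread describes: the connection-table lookup
# runs before the interface ACL, so return traffic of an inside-originated flow is
# permitted even though the outside ACL is an explicit 'deny ip any any log'.
# Constructed example; ignores NAT, inspection engines and the exact ASA step order.
from collections import namedtuple
from dataclasses import dataclass, field

SECURITY_LEVEL = {"inside": 100, "outside": 0}   # assumed interface levels
Packet = namedtuple("Packet", "ingress src sport dst dport")  # ingress = arriving interface

@dataclass
class Asa:
    acls: dict   # interface -> list of (action, src, dst); "any" is a wildcard
    conns: set = field(default_factory=set)      # connection table
    syslog: list = field(default_factory=list)   # what 'deny ... log' would emit

    def _acl_decision(self, pkt):
        rules = self.acls.get(pkt.ingress)
        if rules is None:   # no access-group applied: security levels decide
            egress = "outside" if pkt.ingress == "inside" else "inside"
            return "permit" if SECURITY_LEVEL[pkt.ingress] > SECURITY_LEVEL[egress] else "deny"
        for action, src, dst in rules:
            if src in ("any", pkt.src) and dst in ("any", pkt.dst):
                return action
        return "deny"   # implicit deny at the end of every applied ACL

    def process(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conns or reverse in self.conns:
            return "permit:existing-conn"   # ACL is never consulted
        if self._acl_decision(pkt) == "deny":
            self.syslog.append(f"Deny tcp src {pkt.ingress}:{pkt.src}/{pkt.sport} "
                               f"dst {pkt.dst}/{pkt.dport} by access-group")
            return "deny:acl"
        self.conns.add(key)
        return "permit:new-conn"

def run_scenario():
    """Outside ACL holds only the explicit deny; inside ACL permits everything."""
    asa = Asa(acls={"inside": [("permit", "any", "any")],
                    "outside": [("deny", "any", "any")]})
    out = asa.process(Packet("inside", "10.1.1.10", 40000, "203.0.113.5", 443))
    back = asa.process(Packet("outside", "203.0.113.5", 443, "10.1.1.10", 40000))
    new_in = asa.process(Packet("outside", "198.51.100.7", 5555, "10.1.1.10", 22))
    return out, back, new_in, asa.syslog
```

Constructing `Asa(acls={})` instead models the no-ACL case from Brad's first two paragraphs: inside-to-outside is permitted by security level, outside-to-inside is not.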



-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Christopher Werny
Sent: Friday, 10 October 2014 5:43 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco ASA return traffic with explicit deny on outside interface

Good Evening,

I know this might seem a simple and easy question, but I wasn't able to find an 
exact answer (but maybe my google-fu has just failed me or my brain just needs 
some sleep).

I have an ASA running 8.4 in a pretty simple setup with 2 interfaces 
(inside/outside). I have 2 ACLs, where one is applied inbound on the inside 
interface and one is applied inbound on the outside interface. The outside ACL 
has an explicit deny ip any any statement for logging purposes.

I am wondering, does return traffic (for connections originated on the inside 
network) get through the ASA with the explicit deny ip any any statement in 
the outside ACL? I know it works without an ACL applied to the outside 
interface, but the explicit deny got me thinking. I don't have a device with me 
to test it, unfortunately.

Thanks for your time.

Best,
Christopher



_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/