ASA Basic question

Hi;

 

I'm completely new to ASA and working on a very simple topology where I have an ASA with 3 ports named Internal, Outside and DMZ. Each interface is connected to a router. I have configured a static NAT under a network object, so there is a static entry in the xlate table. My test consists of setting up a Telnet connection between a client on the internal network and a router that resides outside. Don't I need to create an ACL for the returning Telnet traffic on the ASA (because the client is inside the security level 100 network and the Telnet destination resides inside the security level 0 network)? I did create this ACL but got no hits against it and finally disabled it. Even after disabling that ACL, I managed to telnet between them. It is worth mentioning that the NAT worked well too. So why don't I need any ACL for the returning Telnet traffic, considering the security levels? Thanks.

 

Comments

  • You don't need an ACL for return traffic because you're going from a higher security level to a lower security level, which is allowed by default, and secondly, the firewall is stateful and will create a conn entry that will automatically allow the return traffic to flow through.




    Olushile 





    -----Original Message-----

    From: timaz <[email protected]>

    To: olushile <[email protected]>

    Sent: Wed, Apr 15, 2015 7:45 am

    Subject: [CCIE Sec] ASA Basic question

    INE - The Industry Leader in CCIE Preparation


    http://www.INE.com





    Subscription information may be found at:


    http://www.ieoc.com/forums/ForumSubscriptions.aspx
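As an added illustration of the reply above (this is a model written for this page, not Cisco code and not the poster's configuration), the Python below walks the thread's Telnet test through the two rules the reply names: the security-level default that decides whether a new connection may open, and the conn table that admits the return packets without any ACL. The interface names, security levels, the 10.1.1.0/24, 172.16.1.0/24, 192.0.2.0/24 and 203.0.113.0/24 addresses, and the ACL entry are all assumptions constructed for the example.

```python
"""Toy model of the ASA default forwarding behaviour described in the reply.

Added illustration, not Cisco code. Rules modelled:
  1. With no ACL on the ingress interface, a new connection is permitted only
     from a higher security-level interface to a lower one (equal levels deny).
  2. The first permitted packet creates a conn entry; later packets matching
     it in either direction pass without consulting security levels or ACLs.
  3. Static object NAT rewrites the inside host's address toward the outside.
All interface names, levels and addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on (constructed nameif)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class ToyStatefulFirewall:
    def __init__(self, levels, routes, static_nat, acls=None):
        self.levels = levels                      # nameif -> security level
        # constructed routing table, sorted for longest-prefix match
        self.routes = sorted(((ipaddress.ip_network(n), ifc) for n, ifc in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.static_nat = static_nat              # real inside IP -> mapped IP
        self.unnat = {m: r for r, m in static_nat.items()}
        # nameif -> set of (real dst IP, dport) permits; ACLs reference real
        # addresses, as on ASA 8.3 and later
        self.acls = acls or {}
        self.conns = set()                        # 5-tuples, real addresses

    def egress(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((ifc for net, ifc in self.routes if addr in net), None)

    def process(self, pkt):
        """Return (action, reason, source address as seen on the egress side)."""
        # Step 1: undo static NAT so the conn table works on real addresses
        dst = self.unnat.get(pkt.dst, pkt.dst)
        key = (pkt.proto, pkt.src, pkt.sport, dst, pkt.dport)
        # Step 2: a packet matching an existing conn passes, no ACL needed
        if key in self.conns:
            return ("permit", "matches existing conn entry", pkt.src)
        egress = self.egress(dst)
        if egress is None:
            return ("deny", "no route to %s" % dst, None)
        # Step 3: an ACL on the ingress interface governs new connections
        if pkt.ingress in self.acls:
            if (dst, pkt.dport) not in self.acls[pkt.ingress]:
                return ("deny", "implicit deny at end of ACL on %s" % pkt.ingress, None)
            reason = "permitted by ACL on %s" % pkt.ingress
        # Step 4: otherwise the security-level default decides
        else:
            lvl_in, lvl_out = self.levels[pkt.ingress], self.levels[egress]
            if lvl_in <= lvl_out:
                return ("deny", "security-level %d (%s) not above %d (%s)"
                        % (lvl_in, pkt.ingress, lvl_out, egress), None)
            reason = "security-level %d (%s) > %d (%s)" % (lvl_in, pkt.ingress, lvl_out, egress)
        # Step 5: open the conn in both directions; apply static NAT on the way out
        self.conns.add(key)
        self.conns.add((pkt.proto, dst, pkt.dport, pkt.src, pkt.sport))
        return ("permit", reason, self.static_nat.get(pkt.src, pkt.src))


def demo():
    """Replay the thread's Telnet test plus two contrasting cases."""
    def build(acls=None):
        return ToyStatefulFirewall(
            levels={"inside": 100, "dmz": 50, "outside": 0},
            routes=[("10.1.1.0/24", "inside"), ("172.16.1.0/24", "dmz"),
                    ("0.0.0.0/0", "outside")],
            static_nat={"10.1.1.10": "203.0.113.10"},
            acls=acls)

    fw = build()
    results = {}
    # inside client opens Telnet to the outside router; source is translated
    results["telnet_out"] = fw.process(Packet("inside", "10.1.1.10", 40000, "192.0.2.1", 23))
    # SYN-ACK returns to the mapped address with no ACL on 'outside'
    results["telnet_return"] = fw.process(Packet("outside", "192.0.2.1", 23, "203.0.113.10", 40000))
    # unsolicited Telnet from the outside router toward the mapped host
    results["unsolicited_in"] = fw.process(Packet("outside", "192.0.2.1", 50000, "203.0.113.10", 23))
    # inside toward the DMZ (100 -> 50) also opens by default
    results["inside_to_dmz"] = fw.process(Packet("inside", "10.1.1.10", 40001, "172.16.1.5", 80))
    # the same unsolicited flow with an inbound ACL on 'outside' permitting it
    fw_acl = build(acls={"outside": {("10.1.1.10", 23)}})
    results["acl_permits_in"] = fw_acl.process(Packet("outside", "192.0.2.1", 50000, "203.0.113.10", 23))
    return results


if __name__ == "__main__":
    for name, (action, reason, seen_src) in demo().items():
        print("%-16s %-6s %s (egress src %s)" % (name, action, reason, seen_src))
```

On a real ASA the model's two pieces of state are visible with `show xlate` (the static translation) and `show conn` (the per-flow entry that admits the returning Telnet packets). A hit count of zero on an inbound ACL is the expected result in the poster's test, because return packets are matched against the conn entry and never reach the ACL.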