tolinrome


ASA Firewall rules inbound\outbound

We have a cisco firewall and I'm looking at some documentation that says I need certain ports open for outbound (UDP protocol). So when I make the rule I noticed the source and destination are "any" and the action is "permit". The rule is created under the "Outside interface" and looking further at the rule I made (as well as all the others under this interface) it says "Traffic Direction in".
Why is the traffic direction "in" if the documentation says that the rule is outbound?

So I made a copy of that rule and just changed the new copy of it to "Traffic direction out" and I lost internet access, why?

Thanks!
djcanter

Implicit deny.
By default, there is an implicit deny all clause at the end of every ACL. Anything that is not explicitly permitted is denied.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
tolinrome (asker)

Thanks, that explains the implicit deny, but I didn't see how it explains my question in the first paragraph, specifically "Why is the traffic direction "in" if the documentation says that the rule is outbound?"
You already have an allow lan > wan rule, you are allowing the udp return traffic inbound on the outside interface.

This is common with voip/sip.

Can you link me the document you are referring to?
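To make the implicit deny and the "in" versus "out" question concrete, here is a small added Python model of ASA-style ACL evaluation; it is not Cisco code and not from either poster. It assumes two interfaces, inside at security level 100 and outside at 0, and binds the thread's UDP permit rule to the outside interface first as "in" and then as "out".

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical ASA-style security levels (assumption): higher may initiate to lower.
SECURITY_LEVEL = {"inside": 100, "outside": 0}

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "udp", "tcp" or "ip" (ip matches any)
    dst_port: Optional[int] = None  # None matches any destination port

@dataclass
class Packet:
    proto: str
    dst_port: int
    ingress: str                    # interface the packet arrives on
    egress: str                     # interface it would leave through

def acl_decision(entries, pkt):
    """First matching entry wins; no match means the implicit deny applies."""
    for ace in entries:
        if ace.proto in ("ip", pkt.proto) and ace.dst_port in (None, pkt.dst_port):
            return ace.action
    return "deny"  # implicit deny all at the end of every ACL

def firewall_decision(bindings, pkt):
    """bindings maps (interface, direction) -> list of Ace. The packet is checked
    'in' on its ingress interface and 'out' on its egress interface; where no
    ACL is bound, the security-level default decides."""
    for iface, direction in ((pkt.ingress, "in"), (pkt.egress, "out")):
        acl = bindings.get((iface, direction))
        if acl is not None:
            if acl_decision(acl, pkt) == "deny":
                return "deny"
        elif direction == "in" and SECURITY_LEVEL[iface] <= SECURITY_LEVEL[pkt.egress]:
            return "deny"  # lower -> higher security needs an explicit permit
    return "permit"

# The thread's UDP permits (500 and 4500) as the only entries in the ACL.
UDP_RETURN_ACL = [Ace("permit", "udp", 500), Ace("permit", "udp", 4500)]

def scenario(direction):
    """Bind UDP_RETURN_ACL to the outside interface in the given direction and
    report the fate of inbound UDP/500 and of ordinary outbound HTTPS."""
    bindings = {("outside", direction): UDP_RETURN_ACL}
    udp_in = Packet("udp", 500, ingress="outside", egress="inside")
    https_out = Packet("tcp", 443, ingress="inside", egress="outside")
    return {"udp500_inbound": firewall_decision(bindings, udp_in),
            "https_outbound": firewall_decision(bindings, https_out)}
```

With the rule bound "in", UDP/500 from outside is permitted and browsing still works; bound "out" on the outside interface, every outbound packet that is not UDP/500 or 4500 hits the implicit deny, which is the lost internet access described in the question.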
ok, so if the rule under the outside interface says Traffic Direction In, that means that udp is allowed in from the outside. But the documentation is making it seem as if it needs to be outbound.
Also, where is the lan>wan rule defined saying traffic is allowed outside from the lan?
[attachment: port.PNG]
The documentation is assuming you deny all outbound and only allow explicitly allowed traffic.

This is for a verizon wireless extender correct?
ASKER CERTIFIED SOLUTION
djcanter

yes, vzw extender (piece of junk).

I created 3 rules on the outside interface: udp 500, udp 4500, udp 52428. I saw some hits on udp 500 but not the others. I think we just can't get a signal from the gps, we're in a bad spot.

So just to be clear the rules on the outside interface are traffic allowed in. Is that traffic also automatically allowed out?
On the inside interface I have 2 incoming rules:
any - any ip deny
any - any less secure network ip deny.
??