tolinrome
ASA Firewall rules inbound\outbound
We have a Cisco firewall and I'm looking at some documentation that says I need certain ports open for outbound (UDP protocol). So when I make the rule I noticed the source and destination are "any" and the action is "permit". The rule is created under the "Outside interface" and, looking further at the rule I made (as well as all the others under this interface), it says "Traffic Direction in".
Why is the traffic direction "in" if the documentation says that the rule is outbound?
So I made a copy of that rule and just changed the new copy of it to "Traffic direction out", and I lost Internet access. Why?
Thanks!
ASKER
Thanks, that explains the implicit deny, but I didn't see how it explains my question in the first paragraph, specifically "Why is the traffic direction "in" if the documentation says that the rule is outbound?"
You already have an allow LAN > WAN rule; you are allowing the UDP return traffic inbound on the outside interface.
This is common with VoIP/SIP.
Can you link me the document you are referring to?
ASKER
OK, so if the rule under the outside interface says Traffic Direction In, that means that UDP is allowed in from the outside. But the documentation is making it seem as if it needs to be outbound.
Also, where is the LAN > WAN rule defined saying traffic is allowed outside from the LAN?
port.PNG
The documentation is assuming you deny all outbound and only allow explicitly allowed traffic.
This is for a Verizon wireless extender, correct?
ASKER CERTIFIED SOLUTION
ASKER
Yes, VZW extender (piece of junk).
I created 3 rules on the outside interface: UDP 500, UDP 4500, UDP 52428. I saw some hits on UDP 500 but not the others. I think we just can't get a signal from the GPS; we're in a bad spot.
So just to be clear, the rules on the outside interface are traffic allowed in. Is that traffic also automatically allowed out?
On the inside interface I have 2 incoming rules:
any - any ip deny
any - any less secure network ip deny.
??
By default, there is an implicit deny all clause at the end of every ACL. Anything that is not explicitly permitted is denied.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
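As an added example (not from the original thread and not the asker's actual configuration), here is what the ASDM rules discussed above look like in ASA CLI, together with the implicit deny the answer above describes and the two checks a practitioner would run. The ACL names `outside_access_in` and `inside_access_in`, the 192.168.1.0/24 LAN and the public addresses are assumptions for illustration; the three UDP ports are the ones the asker listed.

```cisco
! ---- The ASDM rules on the Outside interface, "Traffic Direction: in".
! "in" is relative to the interface: packets arriving ON the outside interface
! (Internet -> ASA). It has nothing to do with "inside" vs "outside".
! ACL names and addresses below are assumed for illustration.
access-list outside_access_in remark Unsolicited UDP allowed in from the Internet
access-list outside_access_in extended permit udp any any eq 500
access-list outside_access_in extended permit udp any any eq 4500
access-list outside_access_in extended permit udp any any eq 52428
! Every ACL ends with an implicit "deny ip any any". It is never shown in the
! config, but it is what drops anything the lines above do not match.
access-group outside_access_in in interface outside

! ---- What the copied rule with "Traffic Direction: out" did.
! The same list is now also evaluated on packets LEAVING via the outside
! interface (LAN -> Internet). Only the three UDP ports are permitted, so DNS,
! HTTP, HTTPS and everything else the LAN sends hits the implicit deny.
! That is the lost Internet access. Shown here only to be removed:
no access-group outside_access_in out interface outside

! ---- If the vendor documentation's "outbound" means restricting what the LAN
! may send, the usual place is an ACL applied "in" on the INSIDE interface
! (LAN -> ASA), which is what "deny all outbound, allow only these" looks like.
access-list inside_access_in remark LAN -> Internet, explicit allow only
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq 500
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq 4500
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq 52428
! ... plus whatever else the LAN legitimately needs (DNS, HTTP/HTTPS, ...),
! otherwise the implicit deny at the end of this list blocks it too.
access-group inside_access_in in interface inside

! ---- Checks
! hitcnt= on each line shows which rules are actually matching (the asker's
! "hits on UDP 500 but not the others").
show access-list outside_access_in
show access-list inside_access_in
! Trace a synthetic LAN -> Internet packet through NAT, ACLs and routing:
packet-tracer input inside udp 192.168.1.50 500 203.0.113.10 500 detailed
! Trace an unsolicited Internet -> LAN packet against outside_access_in:
packet-tracer input outside udp 203.0.113.10 4500 198.51.100.2 4500 detailed
```

Two caveats worth keeping in mind. The ASA is stateful, so UDP replies to a flow the LAN initiated are passed by the connection table and do not need an inbound permit on the outside interface; the `outside_access_in` lines only matter for packets the far end sends first. And an ACL is evaluated in the direction named in its `access-group` line, so the same list applied `in` and `out` on one interface is two different policies with two different implicit denies, which is exactly what the copied rule demonstrated.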