
ASA Firewall rules inbound\outbound

We have a cisco firewall and I'm looking at some documentation that says I need certain ports open for outbound (UDP protocol). So when I make the rule I noticed the source and destination are "any" and the action is "permit". The rule is created under the "Outside interface" and looking further at the rule I made (as well as all the others under this interface) it says "Traffic Direction in".
Why is the traffic direction "in" if the documentation says that the rule is outbound?

So I made a copy of that rule and just changed the new copy of it to "Traffic direction out" and I lost internet access, why?

Thanks!
1 Solution
 
djcanterCommented:
Implicit deny.
By default, there is an implicit deny all clause at the end of every ACL. Anything that is not explicitly permitted is denied.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
0
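A worked ASA configuration, added here as an illustration (not from the thread, Cisco's document, or the asker's ASA) of the direction and implicit-deny points above; the interface names, ACL names and the address 203.0.113.10 are assumed placeholders.

```cisco
! Added example (not from the thread): why the UDP rule sits "in" on the
! outside interface, and why copying it to "out" cut off internet access.
! Interface names, ACL names and 203.0.113.10 are assumed placeholders.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100

! 1. Outbound (inside -> outside) needs no ACL: with no access-group on the
!    inside interface the ASA permits traffic from a higher security level
!    to a lower one by default, and its stateful inspection admits the
!    matching return packets. That is the implicit "lan > wan" rule.

! 2. The documented "outbound UDP ports" rule as ASDM builds it: an ACL
!    bound to the outside interface in the "in" direction, so it filters
!    packets ARRIVING at the ASA from the internet. any/any is broader
!    than needed; restrict the destination to the extender's address
!    (on ASA 8.3 and later ACLs match the real, untranslated address).
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 500
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 52428
! Everything not listed above is dropped by the implicit deny at the end.
access-group OUTSIDE_IN in interface outside

! 3. What the copied rule did: bound "out", it filters packets LEAVING the
!    ASA towards the internet, and the implicit deny then blocks every
!    other flow (DNS, HTTP, ...), hence "I lost internet access".
!    Shown commented out; do not apply it:
! access-list OUTSIDE_OUT extended permit udp any any eq 500
! access-group OUTSIDE_OUT out interface outside
```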
 
tolinromeAuthor Commented:
Thanks, that explains the implicit deny, but I didn't see how it explains my question in the first paragraph, specifically "Why is the traffic direction "in" if the documentation says that the rule is outbound?"
0
 
djcanterCommented:
You already have an allow lan > wan rule, you are allowing the udp return traffic inbound on the outside interface.

This is common with voip/sip.

Can you link me the document you are referring to ?
0
 
tolinromeAuthor Commented:
ok, so if the rule under the outside interface says Traffic Direction In, that means that udp is allowed in from the outside. But the documentation is making it seem as if it needs to be outbound.
Also, where is the lan>wan rule defined saying traffic is allowed outside from the lan?
[attachment: port.PNG]
0
 
djcanterCommented:
The documentation is assuming you deny all outbound and only allow explicitly allowed traffic.

This is for a verizon wireless extender correct ?
0
 
djcanterCommented:
Your ASA will also try to terminate the port 500, 4500 traffic on its own interface if you other vpns enabled.
0
 
tolinromeAuthor Commented:
yes, vzw extender (piece of junk).

I created 3 rules on the outside interface: udp 500, udp 4500, udp 52428. I saw some hits on udp 500 but not the others. I think we just can't get a signal from the GPS, we're in a bad spot.

So just to be clear the rules on the outside interface are traffic allowed in. Is that traffic also automatically allowed out?
On the inside interface I have 2 incoming rules:
any - any ip deny
any - any less secure network ip deny.
??
0