ASA Any rule to lesser networks

UnNinja Registered Users Posts: 1
A UDP rule was created on Inbound. Any to Any was disabled. Outbound internet did not work after (previously fine).

UDP rule was deleted and magically (I think) Any to any lesser network rule appeared. Any to Any disabled remains underneath.

What happens if Any to Any lesser network rule is deleted? Will outbound internet stop?

Comments

  • viper75 Member Posts: 726
    UnNinja wrote: »
    A UDP rule was created on Inbound. Any to Any was disabled. Outbound internet did not work after (previously fine).

    UDP rule was deleted and magically (I think) Any to any lesser network rule appeared. Any to Any disabled remains underneath.

    What happens if Any to Any lesser network rule is deleted? Will outbound internet stop?

    By default the ASA will let traffic outbound from the inside network unless you have specific ACLs in place that suggest otherwise.

    Traffic from the outside inbound is all denied by default, unless you have specific ACLs that allow traffic to enter the ASA from the outside.
    CCNP Security - DONE!
    CCNP R&S - In Progress...
    CCIE Security - Future...
  • dtlokee Member Posts: 2,378
    When a packet is passed through the ASA an entry in the connection table is created that contains information about the connection like source and destination IP address, protocol, ports, and possibly session information if the ASA has a way of inspecting the protocol such as HTTP and FTP. This entry in the connection table allows the return traffic back from the "outside" interface to the "inside" interface that matches the existing connection entry. The entries in the connection table will be removed for a few different reasons, things like TCP packets with a reset or fin flag set, syn timeouts, or in the case of UDP an elapsed amount of time since the last packet with the same source/destination IP address and ports.

    As far as how the traffic is allowed to pass through the ASA, packets from a higher security level to a lower security level are permitted to pass by default. You can add an inbound access list to allow traffic to pass from a lower security level to a higher security level interface. If you add an inbound access list to an interface with a higher security level then it basically takes the place of the default rule that allows traffic from higher to lower and will require that ACL to permit any traffic you want to pass through the ASA.
    The only easy day was yesterday!
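As an added illustration of the two mechanisms described in the reply above (the security-level default versus an explicit inbound ACL that replaces it, plus the connection table that admits return traffic), here is a small Python model written for this thread; it is not ASA code, and the interface levels, addresses, ports and rules are constructed. It replays the poster's situation: outbound works with no ACL, a lone UDP permit on the inside interface blocks outbound TCP, and a permit-any rule (what ASDM shows as "any to any less secure networks") restores it.

```python
from dataclasses import dataclass, field

SECURITY_LEVELS = {"inside": 100, "outside": 0}  # constructed, typical two-interface ASA

@dataclass
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches any protocol
    src: str         # "any" or a single host address
    dst: str
    dport: int = 0   # 0 matches any destination port

@dataclass
class Firewall:
    # Simplified model: per-interface inbound ACLs plus a connection table.
    # A flow is a tuple (proto, src, dst, sport, dport).
    acls: dict = field(default_factory=dict)   # interface name -> list[Rule]
    conns: set = field(default_factory=set)

    def _acl_permits(self, ifname, flow):
        proto, src, dst, _, dport = flow
        for r in self.acls[ifname]:            # first matching entry wins
            if (r.proto in ("ip", proto) and r.src in ("any", src)
                    and r.dst in ("any", dst) and r.dport in (0, dport)):
                return r.action == "permit"
        return False                           # implicit deny at the end of every ACL

    def forward(self, ingress, egress, flow):
        """True if a packet arriving on `ingress` bound for `egress` is passed."""
        proto, src, dst, sport, dport = flow
        if (proto, dst, src, dport, sport) in self.conns:
            return True                        # reply matching an existing connection
        if ingress in self.acls:               # an inbound ACL replaces the level default
            allowed = self._acl_permits(ingress, flow)
        else:
            allowed = SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]
        if allowed:
            self.conns.add(flow)               # new connection table entry
        return allowed

def demo():
    # Constructed flows: an inside host browsing out, its reply, and an unsolicited inbound SSH.
    web = ("tcp", "10.0.0.5", "203.0.113.10", 40000, 443)
    reply = ("tcp", "203.0.113.10", "10.0.0.5", 443, 40000)
    unsolicited = ("tcp", "198.51.100.7", "10.0.0.5", 5555, 22)
    fw = Firewall()
    out = {"default_out": fw.forward("inside", "outside", web),
           "default_return": fw.forward("outside", "inside", reply),
           "unsolicited_in": fw.forward("outside", "inside", unsolicited)}
    fw = Firewall(acls={"inside": [Rule("permit", "udp", "any", "any", 53)]})
    out["udp_only_out"] = fw.forward("inside", "outside", web)
    fw.acls["inside"].append(Rule("permit", "ip", "any", "any"))
    out["permit_any_out"] = fw.forward("inside", "outside", web)
    return out
```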