IOS Zone Based firewall and statefulness
DANMOH009
Member Posts: 241
Hey all,
I'm just trying to nail down my concept on this stuff and I'm getting a bit confused on unidirectional traffic, zone pairs and the stateful aspect of firewalls. Now I know what they all are so that's fine.
But my question is
Let's say I create an inside zone and an outside zone. I create unidirectional policies so that traffic can be initiated from both ends (I know it's not safe but it's just an example). So policies in place:
Inside>Outside
Outside>Inside
When traffic leaves the inside zone destined for the outside zone, how does it know if it should keep a record in the stateful database and use that for return traffic, or use the return policy instead?
I think I just answered my question while I'm typing this, but would be grateful if someone can back it up.
Is it because the ZBF knows there is only one policy in place so it knows to keep a record?
Any help would be great.
Thanks
Dan
Comments
-
DANMOH009 Member Posts: 241
I think I just answered my question while I'm typing this, but would be grateful if someone can back it up.
Is it because the ZBF knows there is only one policy in place so it knows to keep a record?
I have since found out that you need an inspect element in the policy map to achieve this.
-
YFZblu Member Posts: 1,462
^ Which I believe the ASA does by default for communication going from trusted > untrusted
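As an added example (not posted in the thread), this is the IOS Zone-Based Firewall configuration the "inspect element" comment describes, with assumed interface, zone, class-map and policy-map names: a single INSIDE-to-OUTSIDE zone pair whose policy map uses `inspect`, so the firewall records each session and lets the matching return traffic back in without any OUTSIDE-to-INSIDE policy, with the stateless `pass` variant shown in comments as the contrast.

```ios
! Added example, not from the thread. Interface, zone and map names are assumed.
! Only one zone pair (INSIDE -> OUTSIDE) is defined; the "inspect" action makes
! the firewall record each session and permit the matching return traffic,
! so no OUTSIDE -> INSIDE policy is needed for replies.
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Contrast: "pass" forwards the packet without creating a session entry, so
! return traffic would only get back in through a separate OUTSIDE -> INSIDE
! zone pair that permits it. That is the situation the question above asks about.
! policy-map type inspect PM-INSIDE-TO-OUTSIDE-STATELESS
!  class type inspect CM-INSIDE-TO-OUTSIDE
!   pass
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
interface GigabitEthernet0/0
 description LAN side (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN side (assumed)
 zone-member security OUTSIDE
!
! Verification: list the sessions the inspect action has recorded
! show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions
```

If an OUTSIDE-to-INSIDE zone pair is also configured, it only governs new connections initiated from outside; replies to inspected sessions are matched against the session table first.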