IOS Zone Based firewall and statefulness

DANMOH009 Member Posts: 241
Hey all,

I'm just trying to nail down my concept on this stuff and I'm getting a bit confused on unidirectional traffic, zone pairs and the stateful aspect of firewalls. Now I know what they all are, so that's fine.

But my question is:
Let's say I create an inside zone and an outside zone. I create unidirectional policies so that traffic can be initiated from both ends (I know it's not safe, but it's just an example). So the policies in place are:
Inside > Outside
Outside > Inside
When traffic leaves the inside zone destined for the outside zone, how does it know whether it should keep a record in the stateful database and use that for return traffic, or use the return policy instead?

I think I just answered my question while typing this, but I would be grateful if someone can back it up.

Is it because the ZBF knows there is only one policy in place so it knows to keep a record?

Any help would be great.

Thanks

Dan

Comments

  • DANMOH009 Member Posts: 241
    DANMOH009 wrote: »

    I think I just answered my question while typing this, but I would be grateful if someone can back it up.

    Is it because the ZBF knows there is only one policy in place so it knows to keep a record?


    I have since found out that you need an inspect element in the policy map to achieve this.
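    To make the point about the inspect action concrete, here is an added IOS ZBFW configuration (not taken from the thread; zone names, interface names and class-map names are assumed). Only the class that uses `inspect` creates session-table entries, so its return traffic is matched against the session table rather than against an Outside > Inside zone-pair policy; a class using `pass` forwards packets without a session and would need the reverse direction to be permitted separately.

```cisco
! Added example configuration; zone, interface and class names are assumed.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN
 zone-member security OUTSIDE
!
! Traffic types that are allowed to be initiated from INSIDE toward OUTSIDE.
class-map type inspect match-any IN-TO-OUT-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! "inspect" is the stateful action: the router records the session and
! automatically admits the matching return packets. Everything else is
! dropped and logged by class-default, so there is no need for an
! OUTSIDE->INSIDE zone-pair just to let replies back in.
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-TRAFFIC
  inspect
 class class-default
  drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
!
! Check: active sessions created by the inspect action for this zone-pair.
! (Run from privileged EXEC, not in configuration mode.)
! show policy-map type inspect zone-pair IN-TO-OUT sessions
```

    If a second zone-pair OUTSIDE > INSIDE exists, it only governs connections initiated from outside; replies to inspected inside-initiated sessions never consult it.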
  • YFZblu Member Posts: 1,462
    ^ Which I believe the ASA does by default for communication going from trusted > untrusted