ASA firewalls: how does stateful filtering affect my access lists?
Posted by Nate on Server Fault
Published on 2011-03-09T02:14:29Z
Ok, so assume that I have an ingress access list that looks like this:
access-list outside_in extended permit tcp any host X.Y.Z.1 eq 25
access-group outside_in in interface outside
And I want to do egress filtering. I want to allow inside machines to respond on port 80, and I want to allow ports over 1024. Given that the firewall is stateful, do I need to have the rule
access-list inside_in extended permit tcp host X.Y.Z.1 any eq 25
in my inside_in ACL, or can I get away with just
access-list inside_in extended permit tcp any any gt 1024
access-group inside_in in interface inside
In other words, if I apply an egress access list, do I have to explicitly allow machines to respond to requests allowed by the ingress access list, or does the statefulness of the firewall handle that for me?
Thanks!