ASA firewalls: how does stateful filtering affect my access lists?

Posted by Nate on Server Fault
Published on 2011-03-09T02:14:29Z Indexed on 2011/03/09 8:11 UTC

Ok, so assume that I have an ingress access list that looks like this:

access-list outside_in extended permit tcp any host X.Y.Z.1 eq 25
access-group outside_in in interface outside

And I want to do egress filtering. I want to allow inside machines to respond on port 80, and I want to allow ports over 1024. Given that the firewall is stateful, do I need to have the rule

access-list inside_in extended permit tcp host X.Y.Z.1 any eq 25

in my inside_in ACL, or can I get away with just

access-list inside_in extended permit tcp any any gt 1024
access-group inside_in in interface inside

In other words, if I apply an egress access list, do I have to explicitly allow machines to respond to requests allowed by the ingress access list, or does the statefulness of the firewall handle that for me?

Thanks!
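
The behaviour the question asks about, as an added example that is not part of the original post and not ASA code: a simplified Python model in which only the first packet of a connection is checked against the ACL of the interface it arrives on, while replies match the connection table instead. The addresses (192.0.2.1 standing in for X.Y.Z.1, 198.51.100.7 as the client), the class and the function names are constructed for illustration; TCP flag and timeout tracking is left out.

```python
# Simplified model of stateful filtering (constructed example, not ASA code).
# 192.0.2.1 stands in for the post's X.Y.Z.1; 198.51.100.7 is a made-up client.
SERVER, CLIENT = "192.0.2.1", "198.51.100.7"

# One ACE = (source, destination, test on the destination port).
OUTSIDE_IN = [("any", SERVER, lambda port: port == 25)]
INSIDE_IN = [("any", "any", lambda port: port > 1024)]   # the "gt 1024" rule only


class Firewall:
    def __init__(self, outside_in, inside_in):
        self.acls = {"outside": outside_in, "inside": inside_in}
        self.conns = set()   # connection table: flows already permitted

    def _acl_permits(self, iface, src, dst, dport):
        for ace_src, ace_dst, port_ok in self.acls[iface]:
            if ace_src in ("any", src) and ace_dst in ("any", dst) and port_ok(dport):
                return True
        return False         # implicit deny at the end of every ACL

    def packet(self, iface, src, sport, dst, dport):
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        # A packet belonging to a tracked connection (either direction)
        # is forwarded without consulting any ACL.
        if flow in self.conns or reverse in self.conns:
            return "permit: existing connection"
        # Otherwise it is the first packet of a new connection and must pass
        # the ACL bound inbound to the interface it arrives on.
        if self._acl_permits(iface, src, dst, dport):
            self.conns.add(flow)
            return "permit: ACL"
        return "deny: ACL"


def run(inside_in):
    fw = Firewall(OUTSIDE_IN, inside_in)
    return [
        fw.packet("outside", CLIENT, 40000, SERVER, 25),  # client opens SMTP
        fw.packet("inside", SERVER, 25, CLIENT, 40000),   # server's reply
        fw.packet("inside", SERVER, 50000, CLIENT, 25),   # new outbound SMTP
    ]


if __name__ == "__main__":
    for label, acl in (("gt 1024 only", INSIDE_IN), ("empty inside ACL", [])):
        print(label, run(acl))
```

Running it with an empty inside ACL gives the same three results, which shows that the server's reply is forwarded because of the connection entry and not because its destination port happens to be above 1024.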
