
How to have a one-way connection on the ASA 5520 firewall, is it possible to do that?

I mean, if you have two servers and one ASA 5520 sits between them, and you want to push some kind of data from one server to another without opening any ports in the return direction. I know this function belongs to the data diode, but what about the firewall, can it do it?

Question added by Ahmed Khalifa, PI System Cyber Security Engineer, NAZCO
Date published: 2014/05/14

by Ahmad Yassein, Infrastructure Network Manager, Ministry of International Cooperation (MIC)

I guess you're talking about how the ASA handles return traffic without creating an access list (ACL) for that traffic. This is the normal behavior of the ASA firewall, using your example:

When traffic comes in from Server1 (source) to Server2 (dest.), the ASA builds a connection (in its connection table) for this traffic with Server1 as the source address and Server2 as the dest. address. Server2 receives the packets and responds to this traffic. Now, here is your question part. The ASA receives the response from Server2 and checks if this response is part of an existing connection or if it is an initial connection. In our example, it is part of an existing connection. So, the ASA allows the packets to pass from Server2 to Server1 EVEN IF there is no ACL to explicitly allow this return traffic.

Note that this behavior applies to all ASA models, not only the 5520.

I guess this is what you meant by your question; let me know if I got it correctly.

by Syed Hassam Hashmi, Network Engineer, Future Technology

Cisco ASA can do it with its feature known as stateful filtering.

by Abhi Mukherjee, Network Engineer, Accenture Services Pvt Ltd.

First of all, for your requirement, your source server is sending UDP packets, right? So, this can be done in two ways. The first one is configuring an extended deny ACL on the interface where the destination server is connected and blocking any UDP traffic from the destination server destined to the source server.

The second one is configuring granular protocol inspection on the firewall for the interested traffic.
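An added configuration example (not from any of the posters above) that puts Ahmad's explanation of the connection table and Abhi's first approach side by side on one ASA. The topology, interface names, addresses and UDP port 5140 are all assumed for illustration. The inside ACL permits only Server1's UDP push toward Server2; the dmz ACL denies anything Server2 tries to initiate toward Server1. The point to notice is that the dmz ACL is only consulted for packets that are not already matched in the connection table, so replies belonging to the connection Server1 opened still pass, which is the behaviour Ahmad describes and the reason a stateful firewall is not a data diode.

```cisco
! Constructed topology (assumed, not from the original thread):
!   Server1 10.1.1.10 behind interface "inside" (security-level 100)
!   Server2 10.2.2.20 behind interface "dmz"    (security-level 50)
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! Forward direction: only Server1 -> Server2 on the assumed UDP port 5140.
! Everything else entering from inside is dropped and logged.
access-list INSIDE_IN extended permit udp host 10.1.1.10 host 10.2.2.20 eq 5140
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Return direction (Abhi's first approach): deny any new connection that
! Server2 tries to open toward Server1. Packets that belong to the UDP
! connection Server1 already created are matched in the connection table
! first and never reach this ACL, so they are still forwarded.
access-list DMZ_IN extended deny udp host 10.2.2.20 host 10.1.1.10 log
access-list DMZ_IN extended deny ip host 10.2.2.20 host 10.1.1.10 log
access-group DMZ_IN in interface dmz
!
! After Server1 has sent a packet, verify the entry the ASA built for it:
show conn protocol udp address 10.1.1.10
! A fresh UDP packet sourced by Server2 (no matching entry) is what the
! DMZ_IN deny lines catch; check with:
show logging | include 10.2.2.20
```

Usage note: the UDP entry in `show conn` ages out after the connection idle timeout, so a reply from Server2 that arrives after the entry has expired is treated as a new connection and hits `DMZ_IN`. If the requirement is that no byte can ever flow back, that is exactly the case where only a data diode, not this configuration, gives a guarantee.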
