I have an ASA running 8.4 in a pretty simple setup with 2 interfaces (inside/outside). I have to 2 ACLs where one is applied inbound on the inside, and one ACL applied inbound on the outside interface. The outside ACL has an explicit deny ip any any statement for logging purposes.
I am wondering, does return traffic (for connections originated on the inside network) get through the ASA with the explicit deny ip any any statement in the outside ACL? I know it works without an ACL applied to the outside interface, but the explicit deny got me thinking. I haven’t a device with me to test it unfortunately
Return traffic will be permitted.
Any traffic originating on a network connected to a higher security interface will not need an ACL to ingress. When the traffic egresses to a lower security interface it will automatically be let back in.
Any traffic originating on a network connected to a lower security interface will need an ACL to allow ingress. When the traffic egresses to a higher security interface it will also be let back in.
That’s how I remember it anyway.. 🙂
Point 3. In the below link seems to back me up.