Connections
You must realize that translations and connections aren’t the same thing. A translation is literally the substitution of an alias for a local address, but it doesn’t represent an existing connection. For example, a static translation creates an xlate entry that allows outside access to a web server in the DMZ, yet that entry can exist with no active connection through it at all.
Connections, on the other hand, use translations to allow communication from one host to another. In fact, a single translation allowing access to a web server might have several active connections underway at once.
The ASA default rules pertaining to connections include the following:
- No packets can pass through a PIX Firewall without a connection and a state table entry.
- All outbound connections or states are allowed, except those specifically denied by ACLs. Remember, in firewall parlance, “outbound” refers to traffic originating on any higher security-level interface destined to a lower security-level interface. This means the connection might originate on a DMZ interface destined for the outside interface, as in the case of an e-mail server searching for Internet mail updates.
- All inbound connections or states are denied, except those specifically configured using ACLs or conduits. Inbound connections or states originate on a lower security-level interface than the destination device.
- All ICMP packets are denied, unless specifically permitted with ACLs or conduits.
- Any packet that can’t meet one of the rules, or for which no exception has been configured, is dropped and a syslog message is sent.
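The following is an added illustration, not Cisco code or configuration: a small Python model of the xlate table, the connection table and the default rules listed above. Interface names, security levels and all addresses are constructed sample values; same-level traffic is treated as inbound, which the text does not cover.

```python
from collections import defaultdict

# Constructed sample topology: security level per interface.
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}

# Static translation for the DMZ web server: global alias -> local address.
# The xlate entry exists whether or not any connection is active through it.
STATIC_XLATES = {"203.0.113.5": "10.1.1.5"}

# Stand-ins for ACL/conduit exceptions: (src_if, dst_if, proto, local_dst, dport).
ACL_PERMITS = {("outside", "dmz", "tcp", "10.1.1.5", 80)}


class Firewall:
    def __init__(self):
        self.conns = defaultdict(list)  # destination address -> active connections
        self.syslog = []                # one message per dropped packet

    def is_outbound(self, src_if, dst_if):
        # "Outbound" means the packet originates on a higher security-level
        # interface; equal levels are treated as inbound here (assumption).
        return SECURITY[src_if] > SECURITY[dst_if]

    def evaluate(self, src_if, dst_if, proto, src, dst, dport=0):
        """Apply the default rules to one packet; returns (decision, reason)."""
        # Resolve the global alias to its local address via the xlate table.
        local_dst = STATIC_XLATES.get(dst, dst)
        permitted = (src_if, dst_if, proto, local_dst, dport) in ACL_PERMITS
        if proto == "icmp" and not permitted:
            reason = "icmp denied by default"
        elif not self.is_outbound(src_if, dst_if) and not permitted:
            reason = "inbound denied by default"
        else:
            # Allowed traffic passes only once a connection/state entry exists;
            # several connections may ride on the same translation.
            self.conns[dst].append((src, dst, proto, dport))
            return ("allow", "connection created")
        self.syslog.append(f"deny {proto} {src} -> {dst}/{dport} on {src_if}: {reason}")
        return ("drop", reason)

    def conn_count(self, dst):
        """Number of active connections to a (global) destination address."""
        return len(self.conns[dst])
```

A freshly created firewall already holds the static xlate but reports zero connections to it; each permitted inbound request then adds a connection entry on that one translation.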