Routing – ASA Block Incoming TCP Traffic from Established Connection

Tags: cisco-asa, firewall, routing

I have set up the following network:
[image: network diagram]

My goal is to allow connections to be initiated from the computer on the right (Host 2) to the computer on the left (Host 1). I also want Host 1 to be unable to initiate connections. Finally, I want Host 1 to be unable to send inbound traffic.

Very simple ACLs:

access-list 101 line 1 extended permit tcp any any
access-list 101 line 2 extended deny ip any any
access-list 102 line 1 extended deny ip any any
  • ACL 101 – applied to inbound traffic of the right side of the ASA
  • ACL 102 – applied to inbound traffic of the left side of the ASA

Using NetCat, I was able to forge a connection from Host 2 to Host 1 with no problem and am denied, as intended, from initiating the connection from Host 1 to Host 2:
[image: NetCat screenshots]

As you can see, sending it from Host 2 (white screen) to Host 1 (black screen) creates the FW flag UO (TCP handshake completed and outbound traffic). Now, when I send traffic from the black terminal to the white terminal, it changes the FW flag to "UIO" (outbound and inbound traffic).

[image: screenshot]

What I want is to block incoming traffic from Host 1 while keeping the connection established and allowing outbound traffic. How can I accomplish this?

Thanks
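The UO to UIO flag change described above can be checked in bulk, rather than screen by screen, by parsing the ASA's `show conn` output. The script below is an added example and is not part of the question or the answer; the sample `show conn` lines are constructed, the interface names and addresses in them are assumptions, and the flag table covers only a subset of the ASA flag letters (the meanings follow the ASA command reference, where "inbound" means from the lower-security interface).

```python
import re
from dataclasses import dataclass
from typing import List

# Subset of the ASA "show conn" flag letters. "Inbound"/"outbound" are
# relative to interface security levels (inbound = from the lower-security
# interface), not to which end sent the first SYN.
FLAG_MEANINGS = {
    "U": "connection up (TCP handshake completed)",
    "I": "inbound data seen",
    "O": "outbound data seen",
    "B": "initial SYN came from the outside (lower-security) interface",
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "f": "inside FIN seen",
    "F": "outside FIN seen",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
    "i": "incomplete TCP or UDP connection",
    "D": "DNS",
    "E": "outside back connection",
    "P": "inside back connection",
}

# One "show conn" line, e.g.
# TCP inside 192.168.2.20:52144 outside 192.168.1.10:4444, idle 0:00:03, bytes 42, flags UO
# IPv4 only: the address pattern stops at the first colon.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<if_a>\S+)\s+(?P<addr_a>[^\s:]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<addr_b>[^\s:]+):(?P<port_b>\d+),\s+"
    r"idle\s+(?P<idle>\S+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>[^\s,]+)"
)

# Constructed sample output (assumed interface names and addresses).
# The first data line is a counter line that the parser must skip.
SAMPLE_SHOW_CONN = """\
5 in use, 9 most used
TCP inside 192.168.2.20:52144 outside 192.168.1.10:4444, idle 0:00:03, bytes 42, flags UO
TCP inside 192.168.2.20:52145 outside 192.168.1.10:4445, idle 0:00:01, bytes 310, flags UIO
TCP inside 192.168.2.20:52146 outside 192.168.1.10:22, idle 0:00:00, bytes 0, flags saA
TCP outside 192.168.1.10:40000 inside 192.168.2.20:80, idle 0:00:02, bytes 1200, flags UIOB
UDP inside 192.168.2.20:5353 outside 192.168.1.10:53, idle 0:00:10, bytes 96, flags -
"""


@dataclass
class Conn:
    proto: str
    if_a: str
    addr_a: str
    port_a: int
    if_b: str
    addr_b: str
    port_b: int
    idle: str
    bytes: int
    flags: str

    def has(self, flag: str) -> bool:
        return flag in self.flags


def parse_show_conn(text: str) -> List[Conn]:
    """Parse "show conn" output; lines that do not match (headers, counters) are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        conns.append(Conn(g["proto"], g["if_a"], g["addr_a"], int(g["port_a"]),
                          g["if_b"], g["addr_b"], int(g["port_b"]),
                          g["idle"], int(g["bytes"]), g["flags"]))
    return conns


def describe_flags(flags: str) -> List[str]:
    """Expand a flag string such as "UIO" into human-readable meanings."""
    if flags == "-":
        return ["no flags"]
    return [FLAG_MEANINGS.get(ch, f"unknown flag {ch!r}") for ch in flags]


def connections_with_inbound_data(conns: List[Conn]) -> List[Conn]:
    """Connections on which the lower-security side has already sent payload (flag I)."""
    return [c for c in conns if c.has("I")]


def connections_initiated_from_outside(conns: List[Conn]) -> List[Conn]:
    """Connections whose first SYN arrived on the lower-security interface (flag B)."""
    return [c for c in conns if c.has("B")]


if __name__ == "__main__":
    for c in connections_with_inbound_data(parse_show_conn(SAMPLE_SHOW_CONN)):
        print(f"{c.proto} {c.addr_a}:{c.port_a} -> {c.addr_b}:{c.port_b}",
              "|", "; ".join(describe_flags(c.flags)))
```

Feed it the real output of `show conn` and the `I` flag tells you which established connections the lower-security host has already pushed data into; the `B` flag separates those from connections it opened itself.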

Best Answer

You must construct your access list(s) in a fashion which explicitly targets the traffic and / or hosts you wish to permit or deny, in this case, Host 1 and Host 2.

Example:

(config)# access-list 101 extended permit ip host [host2] host [host1]
(config)# access-list 101 extended deny ip host [host1] any log
(config)# access-list 101 extended permit ip any any

NOTE: The final line is required if you wish any other traffic from the same network as Host 2 to be allowed outside your firewall: a silent, implicit deny exists at the end of every Cisco ACL.

Then, on the interface which first receives this traffic initiated by Host 2 (inside):

(config)# access-group 101 in interface inside

With regards to your request that Host 1 may not communicate with Host 2 unless Host 2 has already begun a session with Host 1, this is the default nature of the Cisco ASA: it is a stateful packet filter: connections which were not initiated from the inside zone will not be accepted when coming from the outside, unless rules configured by the Administrator explicitly permit them.

See the following guide for more details:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_overview.html