Firewall – Cisco ASA: Allow established traffic back in

Tags: cisco, cisco-asa, firewall

I have a Cisco ASA 5505 (ver 8.2(2)) with two interfaces; inside (security level 100) and outside (security level 50). There is one subnet on inside, 10.1.1.0/24.

There is no NAT for traffic moving from inside to outside; that is handled by an upstream router.

I want to configure the firewall so that any system on the inside interface can initiate a connection to the outside world and receive the return traffic but the outside world cannot initiate connections to the inside systems. Letting the traffic out is easy:

access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 any

but what do I need to configure on the ASA to let the responses back in without opening the firewall to all traffic? Normally this is handled by NAT, but in this case I do not want to use NAT.

Best Answer

Last time I checked, you don't need to define a rule when crossing from a high security zone (100) to a lower security zone; it's permitted by default.

That being said, you'll want to look at the established documentation. It also doesn't hurt to take a quick look at the security-level docs.
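For illustration, here is an added configuration example (not from the original question or answer) showing how the pieces fit together on an ASA 8.2 with the asker's inside subnet; the VLAN numbers, the inside gateway address 10.1.1.1 and the outside address are assumed:

```cisco
! Added example, not from the original post. A 5505 uses VLAN interfaces;
! VLAN numbers, the 10.1.1.1 gateway and the outside address are assumed.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 50
 ip address 203.0.113.2 255.255.255.0
!
! No NAT statements: the upstream router translates. With nat-control off
! (the default), untranslated traffic is allowed through.
no nat-control
!
! Outbound policy. Once an access-group is bound to an interface, that ACL
! replaces the security-level default for traffic entering it, so it must
! permit whatever the inside hosts are allowed to start.
access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group inside_in in interface inside
!
! Nothing is bound inbound on the outside interface, so the low-to-high
! default denies connections originating from outside. Replies to
! inside-initiated connections are matched against the connection table
! before any ACL is evaluated, so they need no rule of their own.
!
! Verify: a session opened from 10.1.1.10 is listed here while it is active.
show conn address 10.1.1.10
```

The `show conn` output is the check that return traffic is being admitted as part of an existing connection rather than as a new inbound flow.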