
ASA Access rules outside interface inbound

Status
Not open for further replies.

kylesbigdog

IS-IT--Management
Oct 29, 2010
We have a 3rd party application running on a server on our network. This server needs to be able to connect to the vendors web site for updates, etc., which it can. The vendor is reporting that the web site needs to be able to respond to or send information back to the originating server via port 80.

When I use the packet tracer, from the outside address to the inside address, it fails at the "outside" access rule, which would make sense if the outside address is initiating the connection.

As the server on the inside of the firewall is establishing the connection to the outside address, do I need an access rule to allow connectivity from the outside address back to the inside address even though the connection is initiated from the inside?
 
so on the outside ACL you need to redirect port 80 to this box for connections initiated from the 3rd party. on connections initiated from the server on the inside, you should already have port 80 open outbound. if I was you I would put this server in an isolated segment because it will be attacked, I guarantee you that.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks for the reply. Correct in that the server (running the 3rd party app) on the inside can establish connectivity to the outside address via port 80 without issue. The 3rd party vendor is indicating that through this very same "session", their server should be able to respond back, also via port 80, which it currently cannot.
Should I need to, and if so, can I put an access rule in explicitly only allowing a connection from the outside server's IP address to the Inside servers IP address?

Thanks again.
 
Should I need to, and if so, can I put an access rule in explicitly only allowing a connection from the outside server's IP address to the Inside servers IP address?
yes

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico, thanks for the assistance. Last question. If I implement an explicit access rule from the outside address to the inside address, is it still recommended that the inside server be on an isolated segment out of concern of attack?

Thanks again.
 
even if you lock the ACL down so that the connections are permitted only from this 3rd party, I would still isolate it. the reason is if the 3rd party is ever compromised then your machine could then be attacked. it's just a thought. the chances of this scenario happening are very slim.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Why don't you use a Static NAT rule to route your traffic to the server on a specific port, then use your Access Rule to specify specific IPs that can access the device behind your network?

Also with a NAT rule you can use a different public IP if you have any spare, then it's also more secure from the rest of your network.

ACSS - SME
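The static NAT plus locked-down access rule that the last two replies describe, written out as an added example that is not from the thread (ASA 8.3+ object NAT syntax; the addresses 10.1.1.10, 203.0.113.10 and 198.51.100.25 and the object and ACL names are assumed placeholders):

```cisco
! Added example, not from the thread. Addresses and object names are placeholders.
! Inside application server, published on a spare public IP on TCP/80 only.
object network APP_SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 service tcp 80 80
!
! The vendor's source address: the only host allowed to open a connection inbound.
object network VENDOR_HOST
 host 198.51.100.25
!
! Inbound ACL on the outside interface. On 8.3+ the ACL matches the real
! (untranslated) inside address, so APP_SERVER is referenced directly.
! Everything else is dropped by the implicit deny at the end of the list.
access-list OUTSIDE_IN extended permit tcp object VENDOR_HOST object APP_SERVER eq 80
access-group OUTSIDE_IN in interface outside
!
! Return traffic for connections the server itself opens to the vendor is
! matched by the stateful connection table and needs no entry in OUTSIDE_IN.
!
! Exec-mode checks: the first trace should end in ALLOW, the second should
! fail at the ACL phase. packet-tracer takes the mapped (public) address.
packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 80
packet-tracer input outside tcp 192.0.2.99 40000 203.0.113.10 80
```

If the server is moved to a separate segment as unclerico suggests, only the interface pair in the nat statement changes (for example `(dmz,outside)`); the ACL and the packet-tracer checks stay the same.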
 