Register now or log in to join your professional community.
i mean if you have two server and one asa5520 sets between them and you want to push some kind of data from one server to another without open any ports in the returning back way i know this function belong to the Data DIODE but what about firewall can do it?
I guess you're talking about how the ASA handles return traffic without creating access list (ACL) for that traffic. This is the normal behavior of the ASA firewall using your example:
When traffic comes in from Server1 (source) to Server2 (dest.), the ASA builds a connection (in its connection table) for this traffic with Server1 as the source address and Server2 as the dest. address. Server2 receives the packets and responds to this traffic. Now, here is your question part. The ASA receives the response from Server2 and check if this response is part of an existing connection or if it is an initial connection. In our example, it is a part of an existing connection. So, the ASA allows the packets to pass from Server2 to Server1 EVEN IF there is no ACL to explicitly allow this return traffic.
Note that this behavior applies for all ASA models not only5520.
I guess this is what you meant by your question and let me know if i got it correctly.
Cisco ASA Can Do It With Its feature known as statefull filtering
First of all for you your requirment, your source server is sending UDP packets, right? So, This can be done in two ways. First one is configureing a extended deny ACL on the interface where the destination server is connected into and blocking any udp traffice from the destination server destined to the source server.
Second one is, configureing a Granuler Protocol Inspection on the firewall for the intersted traffic.
Do you need help in adding the right keywords to your CV? Let our CV writing experts help you.