Annoying Cisco ASA/ASDM Bugs–Part 2

You might get an argument from Cisco that this one is a bug, but it sure is annoying:

On an ASA you can apply firewall rules in two places (in ASA 8.3 and above). Rules can be applied on an interface or globally. When applied on an interface they can operate on traffic entering the interface (incoming rules) or on traffic egressing the interface (outgoing rules).

When using ASDM to create a new rule, you can right-click on a rule and select Insert After to add a new rule after the existing right-clicked rule. When you do that you are presented with a dialog box allowing you enter the required details:

AddRule1

The dialog box presented allows the common details to be entered with an option to expand the dialog to include further options if needed. Selecting More Option reveals the following additional fields:

AddRule2

The second additional option allows the traffic direction to be set. In this example, the direction is set to In – that is the rule is an Incoming rule.

Unfortunately, the Traffic Direction is set to ‘In’ even if you are inserting a rule after an outgoing rule. If you don’t notice this, and with the unexpanded dialog box why should you, the rule is added in the wrong place and will not work as expected.

Leave a Reply

Your email address will not be published. Required fields are marked *