Stateful ACLs

Gregor Blaj

I'm doing a bit of testing with ACLs. With the following ACL in place I would expect the NetScaler not to be able to ping outbound hosts, as return traffic to the NS IP should be blocked.

add ns acl Deny_Mgmt DENY -destIP = -priority 100 -logstate ENABLED -stateful NO

But this isn't the case: return ICMP traffic is not blocked. I then figured the default (not visible) outbound ACL must be stateful (hence allowing return traffic), so I created another non-stateful ACL specifically allowing outbound ICMP from the NS IP.

add ns acl Allow_ICMP -srcIP = -protocol ICMP -priority 110 -logstate ENABLED -stateful NO

I can see hits on the Allow_ICMP ACL but return ICMP traffic is still allowed. Why would this be? What is allowing the return traffic?

Thanks for any input.