Maintaining UDP Sessions on PIX/ASA

Answered Question
Mar 24th, 2008

Hi,

I have a question related to how PIX/ASA firewalls maintain UDP session information. My understanding is that when there is a UDP connection from a lower to a higher security zone, the UDP server (e.g. DNS) in the higher security zone responds to the UDP query even if the outbound UDP is blocked (i.e. even if there is an explicit ACL blocking DNS traffic from inside to outside).

So, how would the FW track the different UDP sessions while UDP is a connectionless protocol? I can understand it with TCP as TCP sessions have unique session numbers, but how is that dealt with for UDP protocols?

Thanks,

Haitham

Jay Johnston Mon, 03/24/2008 - 11:13

Your first statement is not true, since if the pix allowed the inbound packet from the outside to the inside, then it would also build a connection in its connection table. If the reply packet matched this connection it would be allowed through the firewall, regardless if there was an inbound acl applied on the inside interface, or an outbound acl applied to the outside interface.

The firewall tracks UDP sessions by the 4-tuple of the UDP connection: SRC IP and port, DST IP and port. It does the exact same thing with TCP. Any firewall works this way.
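The behaviour described in this answer, modelled as an added example (not code from the thread or from Cisco): a toy stateful firewall that keys its connection table on protocol plus the 4-tuple, lets a packet matching an existing entry through without consulting the ingress ACL, and ages UDP entries out on an idle timer. The ACL policy, the addresses and the timeout values (2 minutes for UDP and 1 hour for TCP, chosen to mirror the ASA defaults) are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Idle timeouts per protocol, in seconds. Assumption: these mirror the ASA
# defaults (UDP 0:02:00, TCP 1:00:00); the values are not taken from the thread.
IDLE_TIMEOUT = {"udp": 120.0, "tcp": 3600.0}

# A flow is identified by protocol plus the 4-tuple the answer describes:
# (src_ip, src_port, dst_ip, dst_port).
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ingress: str  # interface the packet arrives on: "outside" or "inside"

    def key(self) -> FlowKey:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self) -> FlowKey:
        # The reply to this flow has source and destination swapped.
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    proto: str
    dst_port: Optional[int]   # None matches any destination port


class StatefulFirewall:
    """Toy model of per-interface inbound ACLs plus a connection table."""

    def __init__(self, acls: Dict[str, List[AclEntry]]):
        self.acls = acls                       # ingress interface -> ordered ACL
        self.conns: Dict[FlowKey, float] = {}  # flow key -> last-seen time

    def _expire(self, now: float) -> None:
        # Drop idle flows; a late reply then has to pass the ACL like a new connection.
        stale = [k for k, seen in self.conns.items() if now - seen > IDLE_TIMEOUT[k[0]]]
        for key in stale:
            del self.conns[key]

    def _acl_permits(self, pkt: Packet) -> bool:
        # First matching entry wins; an ACL ends with an implicit deny.
        for entry in self.acls.get(pkt.ingress, []):
            if entry.proto == pkt.proto and entry.dst_port in (None, pkt.dst_port):
                return entry.action == "permit"
        return False

    def process(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        for key in (pkt.reverse_key(), pkt.key()):
            if key in self.conns:
                # Matches an existing connection in either direction: forwarded
                # without consulting the ACL on the ingress interface.
                self.conns[key] = now
                return "allow (existing connection)"
        if self._acl_permits(pkt):
            self.conns[pkt.key()] = now
            return "allow (new connection)"
        return "deny (acl)"


def build_firewall() -> StatefulFirewall:
    # Constructed policy matching the thread: outside may reach the inside DNS
    # server on UDP/53; inside explicitly denies DNS going out and permits only TCP.
    return StatefulFirewall({
        "outside": [AclEntry("permit", "udp", 53)],
        "inside": [AclEntry("deny", "udp", 53), AclEntry("permit", "tcp", None)],
    })


def run_dns_scenario() -> List[str]:
    # Constructed addresses from documentation ranges, not from the thread.
    fw = build_firewall()
    query = Packet("udp", "198.51.100.10", 40000, "10.0.0.53", 53, ingress="outside")
    reply = Packet("udp", "10.0.0.53", 53, "198.51.100.10", 40000, ingress="inside")
    outbound_dns = Packet("udp", "10.0.0.20", 50000, "203.0.113.1", 53, ingress="inside")
    return [
        fw.process(query, now=0.0),         # outside ACL permits: entry created
        fw.process(reply, now=0.5),         # reverse 4-tuple matches: allowed despite inside deny
        fw.process(outbound_dns, now=1.0),  # no state, inside ACL denies DNS
        fw.process(reply, now=200.0),       # UDP entry idled out: treated as new, denied
    ]


if __name__ == "__main__":
    for decision in run_dns_scenario():
        print(decision)
```

The fourth decision is the practical caveat behind the answer: the reply is only exempt from the ACL while its 4-tuple is still in the connection table, so once the UDP idle timer has run out the same packet is evaluated as a brand-new connection against the inside ACL.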

haithamnofal Tue, 03/25/2008 - 03:24

Hi,

Thanks for your reply.

What you said doesn't conflict with my original statement that the FW doesn't require an explicit ACL to permit UDP or TCP responses as you can read in my first paragraph.

Ok, so it makes sense that the FW keeps track of UDP sessions using the SRC/DST ip and port numbers. On the other hand, with TCP connections won't the FW also keep records of session number besides the SRC/DST ip and port?

Regards,

Haitham

Correct Answer
Jay Johnston Tue, 03/25/2008 - 06:14

TCP doesn't have a notion of a session number. Hosts track TCP sessions the same way as UDP: via the 4-tuple of the connection IPs and ports.
