Cisco ASA firewalls and proxying?

Aug 27th, 2008

Hi all, after reading my firewall course notes, it says that the ASA acts as a proxy server; it says stateful inspection combines packet filtering and proxy services. Can anyone tell me what exactly it proxies? Does this mean the firewall initialises these connections, and is it only for certain applications?

Marwan ALshawi Wed, 08/27/2008 - 04:23

With packet filtering, a firewall and a router look at the layer three IP source and destination and the layer four port number (TCP/UDP),

but with the firewall it goes higher than layers 3 and 4 and starts inspecting the application layer.

Stateful inspection means:

If you put deny any on the outside interface

and you have a client from the inside that opened a connection, let's say HTTP,

in normal cases, like a router with deny all on the outside interface, the packet will go out; once it comes back from the HTTP server it will be denied because there is deny all,

while with stateful inspection on the ASA there is a table that the ASA builds, called the state table. This table keeps track of connections started from outside, then it will allow the return traffic for that connection in the state table.

Because TCP is stateful, the ASA can keep track of the SYN, SYN-ACK and TCP sequence, and at the same time the ASA does not proxy but randomizes that sequence number for security, to prevent any hacker from inserting a packet between the sequence numbers.

With UDP it uses a timer for the connection, which times out the connection if it takes a longer time.

If helpful, rate.
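
The state-table behaviour discussed in the reply above, as a simplified Python model added here: it is not part of the original thread and not Cisco's implementation. The class and method names, the timeout values and the addresses are assumptions for illustration; the outside interface is modelled as "deny any" with return traffic admitted only when it matches a live entry.

```python
# Simplified model of stateful inspection (added example, not ASA code).
# Timeout values and addresses used with it are constructed for illustration.
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 120   # seconds, assumed value for this model
TCP_IDLE_TIMEOUT = 3600  # seconds, assumed value for this model


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags, e.g. "S", "SA", "A", "R"


class StatefulFirewall:
    """Outside interface is 'deny any'; only state-table matches get in."""

    def __init__(self):
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> last seen
        self.state = {}

    def outbound(self, pkt, now):
        """Inside -> outside: permitted, creates or refreshes a state entry."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "tcp" and key not in self.state and pkt.flags != "S":
            return False  # in this model a new TCP flow must start with a SYN
        self.state[key] = now
        return True

    def inbound(self, pkt, now):
        """Outside -> inside: permitted only as return traffic of a live flow."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last = self.state.get(key)
        limit = UDP_IDLE_TIMEOUT if pkt.proto == "udp" else TCP_IDLE_TIMEOUT
        if last is None or now - last > limit:
            self.state.pop(key, None)  # unknown or idle too long: deny
            return False
        if pkt.proto == "tcp" and "R" in pkt.flags:
            del self.state[key]        # a reset tears the entry down
        else:
            self.state[key] = now      # refresh the idle timer
        return True
```

UDP has no handshake to follow, so the only thing that removes its entry in this model is the idle timer, which is the behaviour the reply describes for UDP.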

carl_townshend Wed, 08/27/2008 - 07:21

Hi there, in my Cisco training notes, it says the ASA acts as a proxy server. Why does it say that?

Marwan ALshawi Wed, 08/27/2008 - 15:09

It acts like one, but not exactly,

because with NATing

the connection will appear to the outside as coming from the ASA, not from the client behind it.

Also, with the newer version of ASA there are caching capabilities, so it is to some extent a proxy too.

If helpful, rate.

