General ASA question - stateful inspection, application inspection

May 3rd, 2009

Hello everyone. Have, hopefully, a straightforward question here.

Brushing up on my ASA skills (been awhile) and have been going through my notes and just need a little clarification on some things. More or less, just want to make sure I understand a few things.

Stateful inspection, basically, is when the ASA keeps track of each connection going through it and maintains it. Assuming the connection is allowed, the information is contained in the conn table.

Application inspection is when we are doing deep packet inspection within certain applications (TCP, UDP, ICMP, DNS, SQLNET, etc.)? The ASA appliance is basically making sure that the data payload within these connections is not malicious, but legit traffic.

Also, where does "inspection engine/fixup" fit into this? From what I can tell, I think it would be in the application inspection?

That pretty accurate? Or am I way off?

Thanks for your help.

Cheers,

TCG

Jon Marshall Mon, 05/04/2009 - 02:01

TCG

Pretty much accurate.

Stateful inspection is primarily for TCP connections using the TCP flags (SYN/ACK/FIN/RST) + sequence numbers + obviously src/dst IP & ports.

UDP is also included, although this is more a pseudo-stateful inspection in that with UDP a timer is set and, as long as return traffic with the relevant port(s) and src/dst IPs arrives back at the firewall before the timer expires, the traffic is allowed.

Application inspection is as you say the ability to look into the contents of the data portion of the packet. Note that it is not just to ensure no malicious activity. For some protocols it is for the ASA to be able to read ports contained within the data portion of the packet and then dynamically open that port in the firewall - SQLNET is a good example.

Fixup was what the PIX firewall called the additional bits of code for certain applications that allowed application inspection. ASA just calls them inspect.

Jon

thecoffeeguy Mon, 05/04/2009 - 10:34

Thanks Jon. I appreciate the help.

Building upon my initial question, in regards to the XLATE and CONN tables, can it be said that the XLATE table is for each protected host that can participate in connections? The XLATE is a little fuzzy to me.

The CONN table is used for stateful inspection? Meaning, this table keeps track of all the connections and updates the connections?

Putting it all together here.

Many thanks!

TCG

Jon Marshall Mon, 05/04/2009 - 14:27

TCG

The CONN table is indeed used to record all connections through the firewall, so yes, it is used by the firewall to keep track of state.

The xlate table is used to keep a record of all the NAT translations that the firewall makes, whether these are dynamic NAT/PAT or static NAT/PAT.

A common setup is to have your internal hosts using private RFC 1918 addressing which is not routable on the Internet. When a connection is made from one of these clients to the Internet the firewall translates the private address to a public address.

The other common use is to allow connections from the Internet to a server on the DMZ. Often these servers use private addressing again and you use NAT to present the server as a public IP address to the Internet.

The xlate table is what keeps track of all these translations.

Jon
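To tie Jon's two answers together, here is an added toy model (not Cisco code, not from this thread) of how a conn table and an xlate table cooperate: an outbound flow from an RFC 1918 host gets a dynamic PAT xlate and a conn entry, return traffic is admitted only if it matches a live conn, and a UDP conn is torn down once its idle timer expires. The outside address, PAT port range, 120-second UDP timeout and sample packets are all constructed values for illustration.

```python
"""Toy ASA-style conn/xlate tables (added example, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    outside_ip: str
    udp_timeout: float = 120.0          # assumed UDP idle timer, in seconds
    next_pat_port: int = 1024           # assumed start of the dynamic PAT pool
    xlate: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> mapped outside port
    conn: dict = field(default_factory=dict)   # (proto, src, sport, dst, dport) -> last seen time

    def outbound(self, proto, src, sport, dst, dport, now):
        """Inside -> outside: allocate a PAT xlate if needed, record the conn,
        and return the 5-tuple as it leaves the outside interface."""
        if (src, sport) not in self.xlate:
            self.xlate[(src, sport)] = self.next_pat_port
            self.next_pat_port += 1
        self.conn[(proto, src, sport, dst, dport)] = now
        return (proto, self.outside_ip, self.xlate[(src, sport)], dst, dport)

    def inbound(self, proto, src, sport, dst, dport, now):
        """Outside -> inside: permitted only as return traffic for a live conn.
        Returns the untranslated 5-tuple, or None if the packet is dropped."""
        if dst != self.outside_ip:
            return None
        owners = [k for k, port in self.xlate.items() if port == dport]
        if not owners:                      # no xlate owns this outside port
            return None
        in_ip, in_port = owners[0]
        ckey = (proto, in_ip, in_port, src, sport)
        last = self.conn.get(ckey)
        if last is None:                    # unsolicited: no matching conn
            return None
        if proto == "udp" and now - last > self.udp_timeout:
            del self.conn[ckey]             # pseudo-stateful: timer expired
            return None
        self.conn[ckey] = now               # refresh the conn entry
        return (proto, src, sport, in_ip, in_port)


def demo():
    """Constructed traffic: a DNS query, its timely reply, a late reply, and an unsolicited SYN."""
    fw = Firewall(outside_ip="203.0.113.10")
    fw.outbound("udp", "10.1.1.5", 40000, "198.51.100.53", 53, now=0.0)
    reply_ok = fw.inbound("udp", "198.51.100.53", 53, "203.0.113.10", 1024, now=5.0)
    reply_late = fw.inbound("udp", "198.51.100.53", 53, "203.0.113.10", 1024, now=400.0)
    unsolicited = fw.inbound("tcp", "198.51.100.7", 4444, "203.0.113.10", 1025, now=6.0)
    return reply_ok, reply_late, unsolicited
```

Real ASA state also tracks TCP flags and sequence numbers per conn, which this model leaves out; `show conn` and `show xlate` on the appliance display the two tables this code imitates.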

thecoffeeguy Mon, 05/04/2009 - 14:43

Thanks Jon.

That is an excellent explanation. I was having a hard time getting my mind wrapped around it and what was included in both tables, but that makes perfect sense.

Many thanks

Cheers,

TCG
