ASA Traffic Inspection...

Answered Question
Aug 11th, 2009

This is more or less a question regarding how the ASA allows traffic to traverse itself.

If I understand the ASA properly; all unicast traffic is permitted from a higher security interface to a lower security interface and only inspected traffic is allowed to return back.

If the above is a correct assumption, how come HTTP traffic is allowed to return through the ASA if I remove the "inspect http" command from the global inspection policy map?

I see that it works as I expect with ICMP traffic as described above.

Correct Answer by Jon Marshall about 4 years 8 months ago

Robert

There is a feature called TCP state bypass which was introduced in version 8.2 code for the ASA which allows you to change the way TCP stateful inspection works -

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

Never used it though so can't say how well it works.

Jon
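As an added example, not part of Jon's post or of the Cisco guide he links, this is the class-map/policy-map configuration that turns on TCP state bypass for a single subnet on an ASA running 8.2(1) or later. The 10.1.1.0/24 subnet, the object names and the interface name "inside" are placeholders chosen for the example.

```cisco
! Match only the flows that really need bypass (e.g. hosts with asymmetric
! routing through two ASAs); keep this access-list as narrow as possible
access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 any

class-map tcp_bypass
 match access-list tcp_bypass

! Bypass applies only to this class; every other flow keeps the normal
! stateful SYN/ACK/FIN tracking described in the thread
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

service-policy tcp_bypass_policy interface inside

! Verify: connections in bypass mode show the 'b' flag in the flag legend
show conn detail
```

Two caveats a practitioner would want: a bypassed flow skips the SYN check, the TCP normalizer and application inspection, so a packet arriving with no existing connection is judged purely by the access-list on the interface it arrives on, and that ACL must permit it; and because those protections are gone for the matched traffic, scope the access-list to the specific hosts that need it rather than "any any".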

Jon Marshall Tue, 08/11/2009 - 09:23

Robert

"If the above is a correct assumption, how come HTTP traffic is allowed to return through the ASA if I remove the "inspect http" command from the global inspection policy map?"

Because the ASA is a stateful firewall. Forget about the inspect stuff for a minute. A stateful firewall will keep track of TCP flags to allow return traffic back in if the connection was initiated from inside. This statement applies to ALL TCP traffic.

The "inspect(s)" are additional bits of code above and beyond the firewall being stateful or not. The inspect code allows the ASA to do other things in addition to keeping track of the TCP flags. So the inspect code for HTTP allows the ASA to look deeper into the packets and have a "limited" understanding of how the HTTP protocol works.

If you turn off HTTP inspection then the firewall will simply revert to being stateful for HTTP and will still allow return traffic.

Compare this with ICMP. Turn off ICMP inspection and see if return traffic is allowed. It isn't, unless you explicitly permit it with an ACL. That's because ICMP is not by its nature stateful, unlike TCP.

Jon
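The two ways of letting ICMP replies back through that Jon contrasts, written out as an added example (not configuration from the thread). Option 1 adds ICMP inspection to the default global policy; option 2 leaves inspection off and statically permits the reply types on the outside interface. The access-list name "outside_in" and the interface name "outside" are placeholders, and option 2 assumes no inbound ACL is already applied to that interface, since access-group replaces it.

```cisco
! Option 1: stateful ICMP. The ASA pairs each echo-reply (and ICMP error
! for a tracked flow) with the outbound request that caused it; unsolicited
! replies from the outside are dropped.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Option 2: no inspection. Return types are permitted unconditionally, so
! any outside host can send echo-replies inbound at any time, request or not.
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-group outside_in in interface outside

! With option 1, ICMP entries appear in the connection table alongside TCP/UDP
show conn
```

Option 1 is the one to prefer: it gives ICMP the same "initiated from inside, reply allowed back" behaviour the thread describes for TCP, while option 2 opens the listed ICMP types inbound permanently.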

lrm001c474 Tue, 08/11/2009 - 09:44

Thanks for the response Jon.

Do all other protocols besides TCP & UDP require inspection if it isn't specified by an ACL?

Jon Marshall Tue, 08/11/2009 - 10:07

Robert

Just to give you a fuller picture. A stateful firewall without any additional inspect code keeps state for TCP and UDP connections.

For both TCP and UDP the src/dst IP address and src/dst port are used. In addition with TCP the tcp flags - SYN/ACK/FIN/RST etc. are recorded because these allow the firewall to keep track of the connection.

UDP is stateless, however, so the firewall merely uses a timer, i.e. it sees the original packet going out and it starts a timer. If it sees a response coming back in (based on the src/dst IP and port number) before the timer expires then it considers that packet part of the same connection and allows it back through. So UDP is also tracked, although it is a "pseudo" type of state.

All other protocols such as ICMP/GRE/IPSEC etc. are not stateful and a stateful firewall does not keep track of them unless there is additional code, i.e. the inspect code, to allow it to do so.

Jon
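The timers behind the TCP and UDP tracking Jon describes are ordinary ASA timeouts, shown here as an added example rather than anything posted in the thread. The first line is the ASA's default values; the rest are commands to tune the UDP window and to look at what the connection table is actually holding.

```cisco
! ASA defaults: an idle TCP connection is dropped after 1 hour, a half-closed
! one (FIN seen from one side) after 10 minutes, the UDP "pseudo-state" entry
! after 2 minutes, and an inspected ICMP entry after 2 seconds
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

! Shrink the UDP window so stale replies are dropped sooner (1 minute is the minimum)
timeout udp 0:01:00

! Inspect the connection table: UDP entries only, then everything with the
! per-connection flags (SYN/ACK/FIN state for TCP) and the flag legend
show conn protocol udp
show conn detail
```

A UDP reply arriving after the entry has aged out is treated as a brand-new inbound connection and is checked against the outside access-list, which is the behaviour the timer is there to bound.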

lrm001c474 Tue, 08/11/2009 - 10:12

Thanks again Jon.

One final question; is there a way to disable the TCP/UDP stateful inspection engine for either a particular traffic flow or all traffic?

This Discussion

Posted August 11, 2009 at 8:55 AM