743 Views | 0 Helpful | 2 Replies

Stateful Firewall and how it functions?

Vivek Singh
Level 1

Hello Everyone,

I am a little bit confused about stateful firewalls and how they work. I know that a stateful firewall keeps track of the connections initiated by the internal network or from the outside network, i.e. the internet.

So does that mean if the connection is initiated by an outside host from the internet to the inside host, then we don't need to allow it in an access-list when our internal host responds to the request from the outside host?

This confusion is because in our network we have a site-to-site (LAN to LAN) VPN between our main site and one of the branch offices. Users from the branch office are accessing VMs that reside on the servers located in our main site. Now our firewall is allowing the outside connection from the branch office for the VM to the inside server, and the crypto map is allowing interesting traffic from the server to the remote users. Also we used nat 0 to not NAT the traffic from our server to the branch office. Everything is working fine and the tunnel is UP. However, I am not sure why we didn't allow this connection in our access-list on the inside interface of the firewall?

In my understanding, when our server responds to the request made by outside users, this connection should be allowed in the access-list on the inside interface; otherwise the packet will be dropped? Why is this setup working without this inside access-list?

2 Replies

Jon Marshall
Hall of Fame

The reason it is working is because when the client connects to the server an entry in the state table is made for that connection and then the packet is sent to the server.

The return packet is not checked against the acl applied inbound on the inside interface because there is an existing entry in the state table so it is allowed.

The acl on your inside interface is applied when a connection is initiated from a device on the inside of the ASA because there isn't an entry already in the state table.

That is how stateful firewalls work: if the initial packet is allowed, then the return traffic is allowed without having to allow it explicitly in an acl.

If they didn't, then you are correct in what you say: an entry would be needed in your inside acl because there would be no state for the firewall to use.

Jon
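A toy model of the behaviour Jon describes, added here as an illustration and not code from this thread or from Cisco. The `Packet`, `StatefulFirewall` and `demo` names and the 10.20.0.0/24 (branch) and 10.10.0.50 (main-site server) addresses are constructed for the example; the inside interface ACL is left empty, as in the original poster's setup.

```python
# Added example: interface ACLs are consulted only for packets that do not
# already match a connection in the state table. The reply to a permitted
# inbound connection rides on that entry; a brand-new connection from the
# inside still has to pass the inside ACL and is dropped here.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "outside" or "inside"
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    def __init__(self, acls):
        # acls: {iface: [(src_network, dst_host, dst_port), ...]} permit
        # rules applied inbound on each interface; anything else is denied.
        self.acls = acls
        self.conns = set()   # state table of accepted flows, both directions

    def process(self, pkt):
        """Return 'state', 'acl' or 'drop' to show why the packet was handled."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow in self.conns:
            return "state"   # existing connection: the ACL is not checked
        for net, dst, dport in self.acls.get(pkt.iface, []):
            if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net)
                    and pkt.dst == dst and pkt.dport == dport):
                # first packet permitted: record the flow and its reverse
                self.conns.add(flow)
                self.conns.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return "acl"
        return "drop"

def demo():
    # Constructed: branch users may reach the server on RDP (3389) via the
    # outside interface; no permit exists on the inside interface at all.
    fw = StatefulFirewall({"outside": [("10.20.0.0/24", "10.10.0.50", 3389)],
                           "inside": []})
    req = Packet("outside", "10.20.0.5", 51000, "10.10.0.50", 3389)
    reply = Packet("inside", "10.10.0.50", 3389, "10.20.0.5", 51000)
    fresh = Packet("inside", "10.10.0.50", 40000, "10.20.0.5", 445)
    return fw.process(req), fw.process(reply), fw.process(fresh)

if __name__ == "__main__":
    print(demo())   # ('acl', 'state', 'drop')
```

The third result is the case Jon's last sentence covers: with no state entry, a server-initiated connection needs an explicit permit in the inside ACL.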

Yeah, I got your point and that cleared my doubt as well. Thanks
