ASA Traffic Inspection...

lrm001c474
Level 1

This is more or less a question regarding how the ASA allows traffic to traverse itself.

If I understand the ASA properly, all unicast traffic is permitted from a higher security interface to a lower security interface and only inspected traffic is allowed to return back.

If the above is a correct assumption, how come HTTP traffic is allowed to return through the ASA if I remove the "inspect http" command from the global inspection policy map?

I see that it works as I expect with ICMP traffic as described above.


5 Replies

Jon Marshall
Hall of Fame

Robert

"If the above is a correct assumption, how come HTTP traffic is allowed to return through the ASA if I remove the "inspect http" command from the global inspection policy map?"

Because the ASA is a stateful firewall. Forget about the inspect stuff for a minute. A stateful firewall will keep track of TCP flags to allow return traffic back in if the connection was initiated from inside. This statement applies to ALL TCP traffic.

The "inspect(s)" are additional bits of code above and beyond the firewall being stateful or not. The inspect code allows the ASA to do other things in addition to keeping track of the TCP flags. So the inspect code for HTTP allows the ASA to look deeper into the packets and have a "limited" understanding of how the HTTP protocol works.

If you turn off HTTP inspection then the firewall will simply revert to being stateful for HTTP and will still allow return traffic.

Compare this with ICMP. Turn off ICMP inspection and see if return traffic is allowed. It isn't unless you explicitly permit it with an ACL. That's because ICMP is not by its nature stateful, unlike TCP.

Jon

Thanks for the response Jon.

Do all other protocols besides TCP & UDP require inspection if it isn't specified by an ACL?

Robert

Just to give you a fuller picture. A stateful firewall without any additional inspect code keeps state for TCP and UDP connections.

For both TCP and UDP the src/dst IP address and src/dst port are used. In addition, with TCP the TCP flags (SYN/ACK/FIN/RST etc.) are recorded because these allow the firewall to keep track of the connection.

UDP is stateless however, so the firewall merely uses a timer, i.e. it sees the original packet going out and it starts a timer. If it sees a response coming back in (based on the src/dst IP and port number) before the timer expires then it considers that packet part of the same connection and allows it back through. So UDP is also tracked, although it is a "pseudo" type of state.

All other protocols such as ICMP/GRE/IPSEC etc. are not stateful and a stateful firewall does not keep track of them unless there is additional code, i.e. the inspect code, to allow it to do so.

Jon

Thanks again Jon.

One final question: is there a way to disable the TCP/UDP stateful inspection engine for either a particular traffic flow or all traffic?

Robert

There is a feature called TCP state bypass which was introduced in version 8.2 code for the ASA which allows you to change the way TCP stateful inspection works -

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

Never used it though so can't say how well it works.

Jon
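To make the behaviour Jon describes in this thread concrete (stateful tracking of TCP by flags, the UDP idle timer "pseudo state", ICMP/GRE needing either an inspect engine or an explicit ACL, and TCP state bypass letting a flow through without a recorded SYN), here is a small Python model of a connection table. This is an added illustration, not Cisco code and not how the ASA is actually implemented: the TCP state machine is cut down, the `tcp_bypass` and `outside_acl` sets are constructed stand-ins for ASA access lists, and the addresses are made up.

```python
from dataclasses import dataclass

INSIDE, OUTSIDE = "inside", "outside"   # higher / lower security interfaces


@dataclass(frozen=True)
class Packet:
    iface: str                        # interface the packet arrives on
    proto: str                        # "tcp", "udp", "icmp", "gre", ...
    src: str
    dst: str
    sport: int = 0                    # for ICMP put the echo identifier in both ports
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags present, e.g. {"SYN"}
    time: float = 0.0                 # seconds, drives the UDP idle timer


class StatefulFirewall:
    """Simplified connection table keyed by (proto, src, sport, dst, dport)
    as seen from the initiating (inside) side.  Hypothetical model."""

    def __init__(self, inspect_icmp=False, udp_timeout=120.0,
                 tcp_bypass=frozenset(), outside_acl=frozenset()):
        self.inspect_icmp = inspect_icmp
        self.udp_timeout = udp_timeout
        self.tcp_bypass = tcp_bypass      # constructed ACL: inside hosts whose TCP skips state checks
        self.outside_acl = outside_acl    # constructed ACL: (proto, inside host) permitted inbound
        self.conns = {}

    @staticmethod
    def _fwd(p):   # key of the flow as the inside host initiated it
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):   # key a return packet from outside must match
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def allow(self, p):
        return self._from_inside(p) if p.iface == INSIDE else self._from_outside(p)

    def _from_inside(self, p):
        # Higher -> lower security is always permitted; the protocol decides
        # whether anything is recorded to let a reply back in.
        key = self._fwd(p)
        if p.proto == "tcp":
            if p.src in self.tcp_bypass:
                self.conns[key] = {"state": "BYPASS"}
            elif p.flags == {"SYN"}:
                self.conns[key] = {"state": "SYN_SENT"}
            elif key in self.conns and "RST" in p.flags:
                del self.conns[key]
            elif key in self.conns and self.conns[key]["state"] == "SYN_ACK_SEEN" and "ACK" in p.flags:
                self.conns[key]["state"] = "ESTABLISHED"
        elif p.proto == "udp":
            self.conns[key] = {"state": "UDP", "last": p.time}   # no handshake: just start a timer
        elif p.proto == "icmp" and self.inspect_icmp:
            self.conns[key] = {"state": "ICMP"}   # only the ICMP inspect engine pairs reply with request
        # gre/ipsec/etc. without an inspect engine: nothing is recorded
        return True

    def _from_outside(self, p):
        key = self._rev(p)
        entry = self.conns.get(key)
        if p.proto == "tcp":
            if entry is None:
                if p.dst in self.tcp_bypass:          # state bypass: no SYN needed
                    self.conns[key] = {"state": "BYPASS"}
                    return True
                return ("tcp", p.dst) in self.outside_acl
            if entry["state"] == "BYPASS":
                return True
            if entry["state"] == "SYN_SENT":          # only a SYN/ACK is in state here
                if p.flags == {"SYN", "ACK"}:
                    entry["state"] = "SYN_ACK_SEEN"
                    return True
                return False
            if "RST" in p.flags:
                del self.conns[key]
            return True
        if p.proto == "udp":
            if entry is not None and p.time - entry["last"] < self.udp_timeout:
                entry["last"] = p.time                # a reply refreshes the idle timer
                return True
            self.conns.pop(key, None)                 # timer expired: forget the flow
            return ("udp", p.dst) in self.outside_acl
        if p.proto == "icmp" and entry is not None:
            del self.conns[key]                       # one reply per request
            return True
        return (p.proto, p.dst) in self.outside_acl   # anything else needs an explicit ACL


def scenarios():
    """Replays the cases discussed in the thread; returns {case: allowed?}."""
    out = {}
    fwd = dict(src="10.1.1.10", dst="203.0.113.5")   # constructed addresses
    rev = dict(src="203.0.113.5", dst="10.1.1.10")
    fw = StatefulFirewall()                          # TCP with no inspect at all
    fw.allow(Packet(INSIDE, "tcp", sport=40000, dport=80, flags=frozenset({"SYN"}), **fwd))
    out["tcp_out_of_state"] = fw.allow(Packet(OUTSIDE, "tcp", sport=80, dport=40000, flags=frozenset({"ACK"}), **rev))
    out["tcp_synack_returns"] = fw.allow(Packet(OUTSIDE, "tcp", sport=80, dport=40000, flags=frozenset({"SYN", "ACK"}), **rev))
    out["tcp_unsolicited"] = fw.allow(Packet(OUTSIDE, "tcp", sport=80, dport=40001, flags=frozenset({"SYN", "ACK"}), **rev))
    fw = StatefulFirewall(udp_timeout=120.0)         # UDP pseudo state
    fw.allow(Packet(INSIDE, "udp", sport=50000, dport=53, time=0.0, **fwd))
    out["udp_reply_in_time"] = fw.allow(Packet(OUTSIDE, "udp", sport=53, dport=50000, time=5.0, **rev))
    fw.allow(Packet(INSIDE, "udp", sport=50001, dport=53, time=0.0, **fwd))
    out["udp_reply_too_late"] = fw.allow(Packet(OUTSIDE, "udp", sport=53, dport=50001, time=300.0, **rev))
    fw = StatefulFirewall(inspect_icmp=False)        # ICMP without inspect: reply dropped
    fw.allow(Packet(INSIDE, "icmp", sport=7, dport=7, **fwd))
    out["icmp_no_inspect"] = fw.allow(Packet(OUTSIDE, "icmp", sport=7, dport=7, **rev))
    fw = StatefulFirewall(inspect_icmp=True)         # inspect icmp pairs the reply
    fw.allow(Packet(INSIDE, "icmp", sport=7, dport=7, **fwd))
    out["icmp_with_inspect"] = fw.allow(Packet(OUTSIDE, "icmp", sport=7, dport=7, **rev))
    fw = StatefulFirewall(outside_acl=frozenset({("icmp", "10.1.1.10")}))   # or an explicit ACL
    out["icmp_via_acl"] = fw.allow(Packet(OUTSIDE, "icmp", sport=7, dport=7, **rev))
    fw = StatefulFirewall(tcp_bypass=frozenset({"10.1.1.10"}))   # TCP state bypass, mid-stream packet
    out["tcp_bypass_no_syn"] = fw.allow(Packet(OUTSIDE, "tcp", sport=80, dport=40002, flags=frozenset({"ACK"}), **rev))
    return out


if __name__ == "__main__":
    for case, allowed in scenarios().items():
        print(f"{case:22s} {'allowed' if allowed else 'dropped'}")
```

Running it shows the thread's points side by side: HTTP replies come back with no inspect at all because the SYN was recorded, an outside ACK with no matching SYN is dropped, a UDP reply is accepted only inside the idle timer, an echo-reply is dropped unless ICMP inspection or an inbound ACL exists, and a host in the bypass class gets mid-stream TCP through without any recorded handshake (which is exactly why bypass removes the protection the state table gives).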
