How ASA holds and inspect the UDP packets?

Pradeep S.R.
Level 5

Hi..

Could anyone please explain how ASA stateful packet inspection works on UDP packets/sessions?

2 Accepted Solutions
Julio Carvajal
VIP Alumni

Hello Pradeepa,

I would say there is a deep packet inspection for some UDP protocols such as SIP or TFTP, etc. What the ASA is going to do is to check each packet, and as soon as he determines, based on the payload of the packet, that it needs to be inspected, he will perform a "stateful inspection" for that particular protocol so the incoming packets are accepted and secondary channels get opened if needed.

As you know UDP is a stateless protocol, but for security purposes the ASA needs to follow up that UDP connection, and he will do that based on its Xlate, Conn table and local-host table.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


nkarthikeyan
Level 7

Hi Pradeep,

The ASA does it through three databases which it has:

1) ACL

2) Xlate Tables / Conn Table

3) Inspect (Policies) for Application level

When the ASA receives any packet, it doesn't matter whether it is a TCP or UDP packet, it checks the ACL and then creates the connection in the Xlate/Conn table. Then it checks the inspection policies for application-level inspects.

Then it forwards the packet to the destination system and gets the response back to the host.

Please do rate for the helpful posts.

By

Karthik


5 Replies

For UDP there is no state like for TCP. If the session is allowed by the ASA, then the return traffic is allowed for this address/port pair. If the session is not in use any more, it times out and gets deleted from the state table.

For DNS there is an exemption: with DNS guard enabled, the ASA knows that after one DNS query only one answer is expected, and the session gets removed from the state table immediately.

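As an added illustration (not code from the thread or from Cisco), the following Python model shows the UDP handling the replies describe: an ACL decision on the first packet, a conn-table entry keyed on the address/port pair, return traffic permitted only while that entry exists, an idle timeout that deletes unused entries, and the DNS-guard case where the entry is torn down after the first answer. The ACL, addresses and the 120-second idle value are constructed sample inputs, not ASA defaults.

```python
# Constructed model of stateful UDP tracking (assumption: not ASA code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    t: float  # arrival time in seconds

class UdpConnTable:
    def __init__(self, acl, idle_timeout=120.0, dns_guard=True):
        self.acl = acl            # set of (dst_ip, dport) permitted for new flows
        self.idle = idle_timeout  # seconds of silence before an entry is deleted
        self.dns_guard = dns_guard
        self.conns = {}           # (src, sport, dst, dport) -> last_seen time

    def _expire(self, now):
        # Idle entries time out and leave the state table.
        for key, last in list(self.conns.items()):
            if now - last > self.idle:
                del self.conns[key]

    def process(self, p: Pkt) -> str:
        self._expire(p.t)
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns:                 # more traffic on a tracked flow
            self.conns[fwd] = p.t
            return "permit (existing conn)"
        if rev in self.conns:                 # reply for a tracked flow
            if self.dns_guard and rev[3] == 53:
                del self.conns[rev]           # DNS guard: one query, one answer
                return "permit (dns-guard teardown)"
            self.conns[rev] = p.t
            return "permit (return traffic)"
        if (p.dst, p.dport) in self.acl:      # new flow: consult the ACL
            self.conns[fwd] = p.t
            return "permit (new conn)"
        return "deny (no conn, ACL denies)"

def demo(dns_guard=True):
    # Constructed sample traffic using documentation address ranges.
    fw = UdpConnTable(acl={("198.51.100.53", 53), ("10.0.0.5", 123)}, dns_guard=dns_guard)
    pkts = [
        Pkt("192.168.1.10", 40000, "198.51.100.53", 53, 0.0),   # DNS query out
        Pkt("198.51.100.53", 53, "192.168.1.10", 40000, 0.1),   # first answer back
        Pkt("198.51.100.53", 53, "192.168.1.10", 40000, 0.2),   # second, unsolicited answer
        Pkt("203.0.113.9", 5000, "192.168.1.10", 5000, 1.0),    # unsolicited inbound
        Pkt("192.168.1.10", 40001, "10.0.0.5", 123, 2.0),       # NTP request out
        Pkt("10.0.0.5", 123, "192.168.1.10", 40001, 200.0),     # reply after idle timeout
    ]
    return [fw.process(p) for p in pkts]
```

With DNS guard off, the second answer is still accepted as return traffic, which is exactly the window DNS guard closes.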


Thank you.. Jcarvaja..


Thank you Karthik...
