08-31-2012 04:25 AM - edited 03-11-2019 04:48 PM
Hi,
Could anyone please explain how ASA stateful packet inspection works on UDP packets/sessions?
08-31-2012 04:57 AM
For UDP there is no state like for TCP. If the session is allowed by the ASA, then the return traffic is allowed for this address/port pair. If the session is not in use any more, it times out and gets deleted from the state table.
For DNS there is an exception: with DNS guard enabled, the ASA knows that after one DNS query only one answer is expected, and the session gets removed from the state table immediately.
Sent from Cisco Technical Support iPad App
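As an added illustration (not code from the thread or from Cisco), here is a small Python model of the UDP pseudo-state the post above describes: a connection entry per address/port pair is created when outbound traffic is permitted, return traffic is allowed only if it matches that entry, idle entries expire, and with DNS guard the entry is torn down as soon as the single expected answer arrives. The addresses, ports and the 120-second idle timeout are constructed values.

```python
from dataclasses import dataclass, field

# Constructed model of firewall UDP state: an entry keyed on the
# (src, sport, dst, dport) tuple, timestamped with the last packet seen.
UDP_IDLE_TIMEOUT = 120  # idle timeout in seconds (constructed value)

@dataclass
class ConnTable:
    dns_guard: bool = True
    entries: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> last_seen

    def outbound(self, src, sport, dst, dport, now, acl_permit=True):
        """Inside->outside: the ACL decides; a permitted flow gets a conn entry."""
        if not acl_permit:
            return False
        self.entries[(src, sport, dst, dport)] = now
        return True

    def inbound(self, src, sport, dst, dport, now):
        """Outside->inside: allowed only as return traffic for an existing flow."""
        self.expire(now)
        key = (dst, dport, src, sport)  # reversed tuple of the original flow
        if key not in self.entries:
            return False
        if self.dns_guard and sport == 53:
            del self.entries[key]  # one query -> one answer, tear down at once
        else:
            self.entries[key] = now  # refresh the idle timer
        return True

    def expire(self, now):
        stale = [k for k, t in self.entries.items() if now - t > UDP_IDLE_TIMEOUT]
        for k in stale:
            del self.entries[k]
        return len(stale)

def demo():
    t = ConnTable()
    t.outbound("10.1.1.5", 40000, "192.0.2.53", 53, now=0)  # DNS query goes out
    first = t.inbound("192.0.2.53", 53, "10.1.1.5", 40000, now=1)   # answer accepted, entry removed
    second = t.inbound("192.0.2.53", 53, "10.1.1.5", 40000, now=2)  # second answer: no entry, dropped
    t.outbound("10.1.1.5", 50000, "203.0.113.7", 123, now=10)  # generic UDP (NTP)
    ntp_ok = t.inbound("203.0.113.7", 123, "10.1.1.5", 50000, now=20)
    ntp_late = t.inbound("203.0.113.7", 123, "10.1.1.5", 50000, now=20 + UDP_IDLE_TIMEOUT + 1)
    unsolicited = t.inbound("198.51.100.9", 5060, "10.1.1.5", 5060, now=30)  # no matching flow
    return first, second, ntp_ok, ntp_late, unsolicited

if __name__ == "__main__":
    print(demo())
```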
08-31-2012 09:40 AM
Hello Pradeepa,
I would say there is deep packet inspection for some UDP protocols such as SIP or TFTP, etc. What the ASA is going to do is check each packet, and as soon as it determines, based on the payload of the packet, that it needs to be inspected, it will perform a "stateful inspection" for that particular protocol so the incoming packets are accepted and secondary channels get opened if needed.
As you know, UDP is a stateless protocol, but for security purposes the ASA needs to follow up on that UDP connection, and it will do that based on its Xlate, Conn table and local-host table.
Regards,
Julio
09-03-2012 05:09 AM
Thank you, Jcarvaja.
09-01-2012 07:39 AM
Hi Pradeep,
The ASA does it through three databases which it has:
1) ACL
2) Xlate Tables / Conn Table
3) Inspect (Policies) for Application level
When the ASA receives any packet, it doesn't matter whether it is a TCP or UDP packet, it checks the ACL and then creates the connection in the Xlate/Conn table. Then it checks the application-level inspections.
Then it forwards the packet to the destination system and gets the response back to the host.
Please do rate for the helpful posts.
By
Karthik
09-03-2012 05:09 AM
Thank you, Karthik.