Cisco Support Community

New Member

Cisco ASA firewalls and proxying?

Hi all, after reading my firewall course notes, it says that the ASA acts as a proxy server; it says stateful inspection combines packet filtering and proxy services. Can anyone tell me what exactly it proxies? Does this mean the firewall initialises these connections, and is it only for certain applications?


Re: Cisco ASA firewalls and proxying?

With packet filtering, a firewall and a router look at the layer three IP source and destination and the layer four port number (TCP/UDP),

but the firewall goes higher than layers 3 and 4 and starts to inspect the application layer.

Stateful inspection means:

if you put deny any on the outside interface

and you have a client from the inside that opened a connection, let's say HTTP,

in normal cases, like a router with deny all on the outside interface, the packet will go out, and once it comes back from the HTTP server it will be denied because there is a deny all,

while with stateful inspection on the ASA there is a table that the ASA builds, called the state table. This table keeps track of connections started from outside, then it will allow the return traffic for that connection in the state table.

Because TCP is stateful, the ASA can keep track of the SYN, SYN-ACK and TCP sequence, and at the same time the ASA does not proxy but randomizes that sequence number for security, to prevent any hacker from inserting a packet between the sequence numbers.

With UDP it uses a timer for the connection, which times out the connection if it takes a longer time.

if helpful Rate
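The scenario in the reply above (deny any on the outside interface, an inside client opening an HTTP connection, a UDP idle timer) as an added Python sketch; it is not from any post in this thread and is not Cisco code. The class and function names, the 120-second timeout and the per-connection sequence offset are assumptions made for illustration, and the packets in `demo()` are constructed.

```python
import secrets
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 120  # seconds; assumed value for this sketch, not an ASA default

@dataclass
class Conn:
    last_seen: float
    seq_offset: int  # added to the inside host's TCP sequence numbers

class StatefulFilter:
    """Toy model: inside->outside permitted, outside->inside 'deny any' unless in the state table."""
    def __init__(self):
        self.table = {}  # (proto, in_ip, in_port, out_ip, out_port) -> Conn

    def outbound(self, proto, src, sport, dst, dport, now, seq=0):
        key = (proto, src, sport, dst, dport)
        conn = self.table.get(key)
        if conn is None:  # first packet of a flow creates the state entry
            conn = self.table[key] = Conn(now, secrets.randbelow(2**32))
        conn.last_seen = now
        return (seq + conn.seq_offset) % 2**32  # sequence number as seen outside

    def inbound(self, proto, src, sport, dst, dport, now):
        key = (proto, dst, dport, src, sport)  # reverse of the outbound 5-tuple
        conn = self.table.get(key)
        if conn is None:
            return False  # no state entry: falls through to deny any
        if proto == "udp" and now - conn.last_seen > UDP_IDLE_TIMEOUT:
            del self.table[key]  # idle timer expired, state removed
            return False
        conn.last_seen = now
        return True

def stateless_inbound(*_packet):
    """Router-style ACL holding only 'deny any' on the outside interface."""
    return False

def demo():
    """Constructed packets: inside client 10.0.0.5 browsing 203.0.113.10."""
    fw = StatefulFilter()
    fw.outbound("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, now=0)
    reply = ("tcp", "203.0.113.10", 80, "10.0.0.5", 40000)
    unsolicited = ("tcp", "203.0.113.99", 80, "10.0.0.5", 40000)
    return (stateless_inbound(*reply), fw.inbound(*reply, now=1),
            fw.inbound(*unsolicited, now=1))

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the verdicts for the same reply under the stateless ACL, the reply under the stateful filter, and an unsolicited packet from a different outside host.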

New Member

Re: Cisco ASA firewalls and proxying?

Hi there, in my Cisco training notes, it says the ASA acts as a proxy server. Why does it say that?

Re: Cisco ASA firewalls and proxying?

It acts like one, but not exactly,

because with NATing

the connection will appear to the outside as from the ASA, not from the client behind it.

Also, with the newer version of ASA there are caching capabilities, so it is to some extent a proxy too.

if helpful rate