topic The reason it is working is in Network Security

Stateful Firewall and how it functions ?

Vivek Singh — Tue, 12 Mar 2019 05:30:22 GMT

Hello Everyone,

I am little bit confused between stateful firewall and how it works. I know that stateful firewall keeps track of the connections initiated by internal network or from the outside network i.e internet.

So does that mean if the connection is initiated by outside host from internet to the inside host then we dont need to allow access-list when our internal host will respond to the request to the outside host?

This confusion is because in our network we have a site to site (LAN to LAN) VPN between our main site to one of the branch office. Users from branch offices are accessing VM that are residing on the servers located in our main site. Now our firewall is allowing outside connection from the branch office for the VM to inside server and the crypto map is allowing interesting traffic from the server to the remote users. Also we used nat 0 to not to nat the traffic from our server to the branch office. Everything is working fine and the tunnel is UP. However i am not sure why we didnt allow this connection in our access-list on the inside interface of the firewall?

In my understanding when our server will respond to the request made by outside users this connection should be allowed on the access-list on the inside interface otherwise the packet will be dropped? Why this setup is working without this inside access-list ?

The reason it is working is

Jon Marshall — Fri, 27 Mar 2015 22:37:34 GMT

The reason it is working is because when the client connects to the server an entry in the state table is made for that connection and then the packet is sent to the server.

The return packet is not checked against the acl applied inbound on the inside interface because there is an existing entry in the state table so it is allowed.

The acl on your inside interface is applied when a connection is initiated from a device on the inside of the ASA because there isn't an entry already in the state table.

That is how stateful firewalls work, if the initial packet is allowed then the return traffic is allowed without having to allow it explicitly in an acl.

If they didn't then you are correct in what you say, an entry would be needed in your inside acl because there would be no state for the firewall to use.

Jon

Yeah i got your point and

Vivek Singh — Wed, 08 Apr 2015 12:03:29 GMT

Yeah i got your point and that cleared my doubt as well. Thanks