topic Re: How the firewall handles return traffic in Network Security

How the firewall handles return traffic

w1ll1ambarr — Tue, 26 Mar 2019 14:57:49 GMT

Hello All,

Please ignore my ignorance as I tried to wrap my head around this question lingering in my mind.

This is more of a query on how the Cisco firewall handles return traffic when an 'any any' policy is in place. The traffic is originating from a higher security known port 5060, 443, 22, 80 to a lower security destination. Based on my understanding, the return traffic should be allowed due to the permit ip any any rule in place.

Thanks

Will

Re: How the firewall handles return traffic

Deepak Kumar — Tue, 26 Mar 2019 15:33:25 GMT

Hi,

Where and how to apply this ANY ANY policy? What is your configuration?

Here is the Cisco ASA packet flow:

I hope it will help you to understand.

Regards,

Deepak Kumar

Re: How the firewall handles return traffic

Rob Ingram — Tue, 26 Mar 2019 16:41:37 GMT

Hi, The ASA is a stateful firewall, it keeps track of the connections going through the firewall. So if traffic was permitted from inside to outside and the conection is in the state table (an existing connection) the return traffic would be permitted.

HTH

Re: How the firewall handles return traffic

w1ll1ambarr — Tue, 26 Mar 2019 18:59:20 GMT

Hello, Thanks for your detailed reply. Another question I have regarding sip inspection. By default, I can see that

sip is being inspected by the firewall. See global policy-map below.

policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect esmtp

inspect sip
inspect sqlnet
inspect tftp
inspect xdmcp
inspect http

Should sip port 5060 be already opened by the firewall based on it's statefullness? Or I still have to open port 5060 to allow sip traffic from the CUCM to the endpoint?

Appreciate, any light that you can shed on this.

Re: How the firewall handles return traffic

Dennis Mink — Tue, 26 Mar 2019 21:59:23 GMT

on your sip question: NO

that is not what sip inspection does. so you would need to explicitly allow SIp based on port 5060. once SIP is permitted, sip inspection will look inside the packet and more specifically in the SDP packet contained within sip. based on this, it will dynamically allow ports for RTP. this way you dont need to open thousands of ports for the purpose of allowing video and voice across your FW

Re: How the firewall handles return traffic

Deepak Kumar — Wed, 27 Mar 2019 02:40:52 GMT

Hi,
You have to explicitly allow SIp based on port 5060

Regards.
Deepak Kumar

Re: How the firewall handles return traffic

w1ll1ambarr — Fri, 29 Mar 2019 12:23:33 GMT

Hello Deepak,

Thanks for your comment. But wanted to clarify as I thought that due to the
statefullness of the sip traffic, if the UCCM initiated the session port
5060 will be automatically open or allowed. Please see below output and
keep me honest.

ASA4# sh run all | in sip
object service tcp-sip pre-defined
service tcp destination eq sip
object service tcp-udp-sip pre-defined
service tcp-udp destination eq sip
object service udp-sip pre-defined
service udp destination eq sip
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
policy-map type inspect sip _default_sip_map
traffic-non-sip

ASA4# sh run all | in sip
object service tcp-sip pre-defined
service tcp destination eq sip
object service tcp-udp-sip pre-defined
service tcp-udp destination eq sip
object service udp-sip pre-defined
service udp destination eq sip
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
policy-map type inspect sip _default_sip_map
traffic-non-sip

Do I still have to allo sip port despite that it's already pre-defined by
the default
ASA configuration?

Appreciate greatly all your input and help.

Regards,
William

Re: How the firewall handles return traffic

John-Finnegan — Fri, 29 Mar 2019 19:15:38 GMT

Those are the configurations in relation to SIP and what to do with the SIP traffic once permitted. The ASA inherently blocks traffic, unless no ACL is applied and you are going from a higher security zone to a lower security zone.

If SIP is not explicitly permitted in the ACL then this traffic would not be permitted through the Firewall.

You would need, for example:

access-list INSIDE permit udp any any eq sip

If the INSIDE acl was applied to your Internal segment on the ASA, this would allow SIP traffic from your Internal Segment through the ASA. The other options you see in your output are now how to handle this traffic, such as Idle Timeout or confirming that it is in fact SIP traffic before permitting the traffic etc.

Re: How the firewall handles return traffic

Deepak Kumar — Fri, 29 Mar 2019 19:51:45 GMT

Hi,

Check this document: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-voicevideo.html

Regards,

Deepak Kumar