topic Re: ASA State Table in Network Security

ASA State Table

bunjiega — Tue, 12 Mar 2019 03:04:13 GMT

I had a question about the ASA's state table. I may be overthinking this!

When going from a higher security level to a lower security level, the ASA keeps track of the state of the connections, which you can see by 'show conn'.

However, whenever you poke holes from, say, the outside to the DMZ, I have read that is supposed to bypass the state table and just allow packets through, but when I do a 'show conn' I can see the connection in the results that have been initiated from a lower security level to a higher one. It seems like the ASA is still recording the sessions. So do those packets go into the state table of the ASA? Why would I see them linger around if they do not?

I do not have any policy maps inspecting these packets from the outside to the dmz.

Thanks!!!

ASA State Table

Jouni Forss — Tue, 12 Nov 2013 23:52:15 GMT

Hi,

It shouldnt matter from where the connection is formed.

With regards to TCP Connections the ASA builds a connection as soon as it sees a TCP SYN which is also allowed through the firewall. Naturally how long the connection stays on the ASA depends on multiple factors.

For UDP the ASA builds the connection also if the traffic is allowed through the firewall. Though as the UDP connection doesnt really have a state like a TCP connection it means that the UDP connection stays in the ASAs connection table as long as its not idle for too long.

- Jouni

ASA State Table

jumora — Thu, 14 Nov 2013 04:45:39 GMT

Basic information that you need to know to understand how connections work through the ASA:

ASA TCP Connection Flags (Connection build-up and teardown)

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bcad00.shtml

You need to know this to understand in the state the connection is at on the firewall:

timeout settings:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870

Understanding xlate and conn idle and timeout values through example

https://supportforums.cisco.com/docs/DOC-21948

Re: ASA State Table

aditya_pujari — Sun, 03 Jun 2018 08:43:57 GMT

Hi,

So to confirm we do not see UDP states in the state table right?

I am not too sure, what you mean by UDP connection stays. Can you please explain me that?

Re: ASA State Table

Florin Barhala — Tue, 05 Jun 2018 09:57:22 GMT

ASA acts like a firewall so each and every packet needs to be inspected.

UDP also gets present on the conn table

UDP outside 5.5.22.14:40012 inside 10.22.20.5:44509, idle 0:02:01, bytes 156, flags X

You can also read more, here.

Furthermore, here's some extra UDP connection state related info.

Re: ASA State Table

aditya_pujari — Tue, 05 Jun 2018 13:06:02 GMT

Hi Florin,

Thanks for the explanation.

Re: ASA State Table

Mohammed Tarek — Thu, 21 Mar 2019 12:30:51 GMT

I know what you are saying. I am having a difficult time as well understanding where exactly is the setting that applies TCP and UDO statefull tracking. By default, ASA tracks UDP and TCP. I have read this statement in a milltion places, and yet not one has mentioned where this setting is defined. I know from reading many sources that ICMP tracking and inspection can be turned on using the "inspect ICMP" command under the default class in the default global group policy, but I really don't get it. If ICMP can be turned on, then why cant I use the same logic and turn on TCP and UDP inspection?

Re: ASA State Table

Florin Barhala — Mon, 25 Mar 2019 10:31:54 GMT

My opinion is that you need to be more specific on either TCP or UDP as each have a myriad of ports available.
So you can select from each protocol, what port to inspect: HTTP, DNS, SMTP..........