https://community.cisco.com/t5/network-security/asa-and-statefull-filtering/m-p/2243291#M357852 <HTML><HEAD></HEAD><BODY><P>Hi Alain &amp; Jouni,</P><P></P><P>Thanks again for clearing my concepts.</P><P></P><P>Best regards</P><P>MAhesh</P></BODY></HTML> Sun, 28 Apr 2013 18:19:12 GMT mahesh18 2013-04-28T18:19:12Z https://community.cisco.com/t5/network-security/asa-and-statefull-filtering/m-p/2243288#M357844 <P>Hi everyone,</P><P></P><P>I read that ASA&nbsp; by default do statefull filtering for TCP and UDP packets.</P><P>If user access internet website then return traffic is allowed from the internet.</P><P></P><P>Curious to know what config in ASA&nbsp; allows statefull filtering ?</P><P>Or does ASA support statefull filtering in hardware?</P><P></P><P>Thanks</P><P></P><P>MAhesh</P> Tue, 12 Mar 2019 01:36:06 GMT https://community.cisco.com/t5/network-security/asa-and-statefull-filtering/m-p/2243288#M357844 mahesh18 2019-03-12T01:36:06Z https://community.cisco.com/t5/network-security/asa-and-statefull-filtering/m-p/2243289#M357846 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>You've got nothing special to configure: traffic from ahigh security level inteface can pass through the ASA and return traffic is permitted based on the state table that the ASA built. By default this is only for TCP and UDP but if you inspect ICMP then it will also work for ICMP.</P><P></P><P>Regards</P><P></P><P>Alain</P><P></P><P></P><P>Don't forget to rate helpful posts.</P></BODY></HTML> Sun, 28 Apr 2013 18:02:32 GMT https://community.cisco.com/t5/network-security/asa-and-statefull-filtering/m-p/2243289#M357846 cadet alain 2013-04-28T18:02:32Z https://community.cisco.com/t5/network-security/asa-and-statefull-filtering/m-p/2243290#M357849 <HTML><HEAD></HEAD><BODY><P>Hi Mahesh,</P><P></P><P>ASA does this by default without any certain configuration on it.</P><P></P><P>It for example allows return traffic for already formed flows/connections through it. On the other hand ofcourse if the ASA sees traffic that seems to be part of some connection but the ASA doesnt have an existing flow for it, it denies the traffic. A stateless device/firewall would have simply allowed the same connection through.</P><P></P><P>When you add ASAs Inspections to this you will get more control of certain applications.</P><P></P><P>For example "inspect ftp" enables the ASA to handle the secondary Data connection that is formed after the original Control connection is formed. Then theres for example "inspect dns" which control the DNS messages through the ASA firewall. Then theres for example ICMP inspection which allows the replies to ICMP Echo messages sent by the host behind ASA automatically.</P><P></P><P>- Jouni</P></BODY></HTML> Sun, 28 Apr 2013 18:04:58 GMT https://community.cisco.com/t5/network-security/asa-and-statefull-filtering/m-p/2243290#M357849 Jouni Forss 2013-04-28T18:04:58Z https://community.cisco.com/t5/network-security/asa-and-statefull-filtering/m-p/2243291#M357852 <HTML><HEAD></HEAD><BODY><P>Hi Alain &amp; Jouni,</P><P></P><P>Thanks again for clearing my concepts.</P><P></P><P>Best regards</P><P>MAhesh</P></BODY></HTML> Sun, 28 Apr 2013 18:19:12 GMT https://community.cisco.com/t5/network-security/asa-and-statefull-filtering/m-p/2243291#M357852 mahesh18 2013-04-28T18:19:12Z