topic Re: stateless filter in ASA5500 in Network Security

stateless filter in ASA5500

caojunjie — Mon, 11 Mar 2019 20:36:48 GMT

Hi,

Does ASA 5500 has stateless filter to drop packet even when 3-way handshake is finished

For example,

1: 3-way handshake is done

2:client send data to server

3:I apply a statless filter to the incoming interface to drop the packet from the client

Thanks

Re: stateless filter in ASA5500

mirober2 — Mon, 23 May 2011 16:52:09 GMT

Hi Junjie,

Can you share some more details on what you're trying to achieve? On what criteria are you trying to drop the packet from the client if you're security policy allows it to complete the 3-way handshake? Something specific in the payload?

In general, the only way to achieve this on the ASA would be to apply an application-layer inspection engine to the traffic. Of course, this is only possible for known protocols that the ASA has inspection engines for. The full list of these engines can be found here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html#wp1536127

-Mike

Re: stateless filter in ASA5500

caojunjie — Tue, 24 May 2011 02:45:05 GMT

Hi,Mirober2

The case I want to achieve is like this

In general,firewall works in stateful status,it means it will check the session and ACL to permit or drop a packet,for example

client1 ------|untrust-------trust|-------client2

If client want to visit client2,we only need to permit traffic in one direction,permit source-ip client1 des-ip client2 .When response from client2 to client,firewall will permit this packet due to it is a stateful firewall and record the sesion from client1 to client2

Now ,due to some test,I wanna do something different

syn is permitted

client1 ------>|untrust-------trust|------->client2

sync/ack should be droped

client1 <------or drop here|untrust-------trust|drop here<-------client2

this is what I mean "stateless"

Re: stateless filter in ASA5500

mirober2 — Tue, 24 May 2011 13:22:36 GMT

Hi Junjie,

In that case, no this is not possible with the ASA alone. If the security policy allows the first SYN packet, a conn will built and added to the ASA's conn table. When the SYN-ACK comes back, the ASA will first check if there is an existing conn that matches the traffic (which there will be). Once it finds a match, it skips over the ACL check and allows the packet through.

From the ASA's perspective, if the security policy allows the SYN, we would expect the SYN-ACK to be allowed as well (assuming it is legitimate response to the SYN).

To do this, you'd need a device which is not stateless, such as a router.

Hope that helps.

-Mike