https://community.cisco.com/t5/network-security/stateful-feature/m-p/904947#M974663 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>A standard access-list on a router is not stateful whereas a firewall like the pix does keep state ie. </P><P></P><P>when a conversation between a two machines is setup with a firewall in between the traffic path the firewall keeps track of not just the IP address/port number but also the TCP flags that are used in the packet. </P><P></P><P>So if i initiate a connection to a server using telnet my intial packet has </P><P></P><P>Source IP address: 192.168.5.1 (my client) </P><P>source port: 23467 ( random generated port) </P><P>destination IP address: 172.16.10.1 (telnet server) </P><P>destination port: 23 ( telnet port ) </P><P>TCP Flag: SYN </P><P></P><P>The firewall will enter this into it's state table. </P><P></P><P>Now when the server responds </P><P></P><P>source IP address: 172.16.10.1 </P><P>source port: 23 </P><P>destination IP address: 192.168.5.1 </P><P>destination port: 23467 </P><P>TCP Flags SYN/ACK </P><P></P><P>The firewall receives this packet, checks it's state table and realises this is a return packet to the initial packet sent out by the client. </P><P></P><P>So if the above packet from the server was sent to the client, but the client had not actually sent a packet first the firewall would drop the packet because it has no entry in it's state table. </P><P></P><P>An router access-list does not keep state of the connection in the same way. It merely checks the packet against it's access-list and permits or denies it but it has no concept of "return" traffic or a packet being part of an ongoing communication.</P><P></P><P></P><P>HTH</P><P></P><P>Jon</P><P></P><P></P><P></P><P></P></BODY></HTML> Fri, 21 Sep 2007 12:20:29 GMT Jon Marshall 2007-09-21T12:20:29Z https://community.cisco.com/t5/network-security/stateful-feature/m-p/904946#M974661 <P>Hi,</P><P></P><P> What is a stateful feature in PIX firewall ? What is the difference between router access-list and pix access-list ?</P> Mon, 11 Mar 2019 11:14:48 GMT https://community.cisco.com/t5/network-security/stateful-feature/m-p/904946#M974661 mohanraj1 2019-03-11T11:14:48Z https://community.cisco.com/t5/network-security/stateful-feature/m-p/904947#M974663 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>A standard access-list on a router is not stateful whereas a firewall like the pix does keep state ie. </P><P></P><P>when a conversation between a two machines is setup with a firewall in between the traffic path the firewall keeps track of not just the IP address/port number but also the TCP flags that are used in the packet. </P><P></P><P>So if i initiate a connection to a server using telnet my intial packet has </P><P></P><P>Source IP address: 192.168.5.1 (my client) </P><P>source port: 23467 ( random generated port) </P><P>destination IP address: 172.16.10.1 (telnet server) </P><P>destination port: 23 ( telnet port ) </P><P>TCP Flag: SYN </P><P></P><P>The firewall will enter this into it's state table. </P><P></P><P>Now when the server responds </P><P></P><P>source IP address: 172.16.10.1 </P><P>source port: 23 </P><P>destination IP address: 192.168.5.1 </P><P>destination port: 23467 </P><P>TCP Flags SYN/ACK </P><P></P><P>The firewall receives this packet, checks it's state table and realises this is a return packet to the initial packet sent out by the client. </P><P></P><P>So if the above packet from the server was sent to the client, but the client had not actually sent a packet first the firewall would drop the packet because it has no entry in it's state table. </P><P></P><P>An router access-list does not keep state of the connection in the same way. It merely checks the packet against it's access-list and permits or denies it but it has no concept of "return" traffic or a packet being part of an ongoing communication.</P><P></P><P></P><P>HTH</P><P></P><P>Jon</P><P></P><P></P><P></P><P></P></BODY></HTML> Fri, 21 Sep 2007 12:20:29 GMT https://community.cisco.com/t5/network-security/stateful-feature/m-p/904947#M974663 Jon Marshall 2007-09-21T12:20:29Z