ASA 5585 Routing confusion

kyle.ashcraft
Level 1

Good Morning,

I have a general question related to how ASAs work. I'm pretty sure I know the answer to my own question, but another engineer said something the other day with such confidence that I just want to make sure. My background is in networking, not necessarily security, so I want to make sure there isn't something I'm missing. Long story short, I have recently gained responsibility for the ASAs on site. I have been going through and trying to clean up extra rules, routes, etc. I made a comment to a senior engineer that one of our security contexts needs a major overhaul because bi-directional routes are not in place, therefore this traffic will never flow.

In an effort to explain the theory, let's say you have PC A connected to ASA1 and PC B connected to ASA2. The ASAs are interconnected and PC A is attempting to communicate with PC B. ASA1 has routes to reach PC B; however, ASA2 does not have routes to reach PC-A. According to the engineer the session will still establish because ASA-B will track what interface the session comes in on and send that traffic back down that interface towards PC-A even though it doesn't have a route for that subnet in its table. Is this right? I don't see how it would be; yes, stateless firewalls will track sessions, but that's a separate process from route lookups. If you don't have routes in place then the traffic should get dropped.

 

1.1.1.2           1.1.1.1   2.2.2.2      2.2.2.1   3.3.3.1       3.3.3.2
PC-A-------------ASA1-------------ASA2------------PC-B


balaji.bandi
Hall of Fame

Your theory and explanation are correct (unless you are doing NAT somewhere).

In routing terms, if the device is not directly connected and does not have a destination route, how will routing know where to send the packet?

 

BB


Hello,

After running a test, I don't agree with it.

>>> "ASA1 has routes to reach PC B however ASA2 does not have routes to reach PC-A."

RPF does not seem to be enabled by default on the ASA; you can check with 'show run | inc ip verify'.

Therefore, the traffic will still be allowed even though there is no route back to the source (given that the traffic has been allowed by the access-list).

Of course, without a return route, the TCP session will never be established. But UDP traffic (as well as the TCP SYN packet) will pass.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_protect.html

Best,
Ngkin
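As an added illustration (not Cisco code and not from any poster in this thread), here is a toy Python model of the two-ASA topology in the question: ASA2 has no route to 1.1.1.0/24, the SYN and a one-way UDP datagram get through, and the conn table entry the SYN creates does not rescue the SYN-ACK, because the route lookup still runs. Interface names and the uRPF behaviour are simplified assumptions.

```python
import ipaddress

class ToyAsa:
    def __init__(self, name, routes, rpf=False):
        self.name = name
        self.routes = {ipaddress.ip_network(n): ifc for n, ifc in routes.items()}
        self.rpf = rpf
        self.conns = set()  # (src, dst) pairs of flows already forwarded

    def route(self, ip):
        """Longest-prefix match; None when the table has no route for ip."""
        addr = ipaddress.ip_address(ip)
        hits = [n for n in self.routes if addr in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def forward(self, src, dst, ingress):
        """Return (forwarded?, egress interface or drop reason)."""
        # uRPF (off by default on ASA): route back to src must be via ingress
        if self.rpf and self.route(src) != ingress:
            return False, "rpf drop"
        egress = self.route(dst)  # the conn table never replaces this lookup
        if egress is None:
            known = (dst, src) in self.conns
            return False, "no route" + (" (conn entry exists)" if known else "")
        self.conns.add((src, dst))
        return True, egress

def trace(hops, src, dst):
    """Push one packet through [(asa, ingress_interface), ...] hop by hop."""
    results = []
    for asa, ingress in hops:
        ok, detail = asa.forward(src, dst, ingress)
        results.append(f"{asa.name}: {detail}")
        if not ok:
            return results
    return results + ["delivered"]

def scenario(asa2_rpf=False):
    """Addresses from the diagram; ASA2 deliberately lacks a route to 1.1.1.0/24."""
    asa1 = ToyAsa("ASA1", {"1.1.1.0/24": "inside", "2.2.2.0/24": "outside",
                           "3.3.3.0/24": "outside"})
    asa2 = ToyAsa("ASA2", {"2.2.2.0/24": "outside", "3.3.3.0/24": "inside"},
                  rpf=asa2_rpf)
    a_to_b = [(asa1, "inside"), (asa2, "outside")]
    b_to_a = [(asa2, "inside"), (asa1, "outside")]
    return {  # a one-way UDP datagram follows the same path as the SYN
        "syn A->B": trace(a_to_b, "1.1.1.2", "3.3.3.2"),
        "syn-ack B->A": trace(b_to_a, "3.3.3.2", "1.1.1.2"),
    }
```

Running scenario() shows the SYN delivered and the SYN-ACK dropped at ASA2 despite the conn entry; scenario(asa2_rpf=True) shows the SYN itself dropped on arrival at ASA2 once ip verify reverse-path is on.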

That's what I thought. Even though, session-wise, the firewall could know what interface it received the initial traffic on, it wouldn't automatically forward out that same interface unless it had a route for that subnet telling it to do so. Appreciate the feedback.
