Beginner

ASA State Table

I had a question about the ASA's state table. I may be overthinking this!

When going from a higher security level to a lower security level, the ASA keeps track of the state of the connections, which you can see by 'show conn'.

However, whenever you poke holes from, say, the outside to the DMZ, I have read that is supposed to bypass the state table and just allow packets through, but when I do a 'show conn' I can see the connection in the results that have been initiated from a lower security level to a higher one. It seems like the ASA is still recording the sessions. So do those packets go into the state table of the ASA? Why would I see them linger around if they do not?

I do not have any policy maps inspecting these packets from the outside to the dmz.

Thanks!!!

Accepted Solution
Mentor

ASA State Table

Hi,

It shouldn't matter from where the connection is formed.

With regard to TCP connections, the ASA builds a connection as soon as it sees a TCP SYN that is also allowed through the firewall. Naturally, how long the connection stays on the ASA depends on multiple factors.

For UDP, the ASA also builds the connection if the traffic is allowed through the firewall. Though, as a UDP connection doesn't really have a state like a TCP connection does, it means that the UDP connection stays in the ASA's connection table as long as it isn't idle for too long.

- Jouni

Rising star

ASA State Table

Basic information that you need to know to understand how connections work through the ASA:

ASA TCP Connection Flags (Connection build-up and teardown)

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bcad00.shtml

You need to know this to understand the state the connection is in on the firewall:

Timeout settings:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870

Understanding xlate and conn idle and timeout values through example

https://supportforums.cisco.com/docs/DOC-21948

Value our effort and rate the assistance!
Beginner

Re: ASA State Table

Hi,

So to confirm, we do not see UDP states in the state table, right?

I am not too sure what you mean by "UDP connection stays". Can you please explain that to me?

Frequent Contributor

Re: ASA State Table

The ASA acts like a firewall, so each and every packet needs to be inspected.

UDP is also present in the conn table:

UDP outside  5.5.22.14:40012 inside  10.22.20.5:44509, idle 0:02:01, bytes 156, flags X

You can also read more here.

Furthermore, here's some extra UDP-connection-state-related info.
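To make the conn-table entries discussed in this thread concrete, here is an added example (not from the original posts and not Cisco's code) that parses `show conn` lines in the format quoted above, converts the idle timer to seconds, and picks out TCP entries still waiting on the handshake and UDP entries idle past a chosen limit. The UDP line is the one quoted in the thread; the two TCP lines and the reading of the `U` flag as "connection up" (taken from the ASA flag legend referenced earlier in the thread) are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show conn" output. The UDP line is quoted from the thread;
# the TCP lines are made up: one embryonic inbound flow and one established one.
SAMPLE_SHOW_CONN = """\
UDP outside  5.5.22.14:40012 inside  10.22.20.5:44509, idle 0:02:01, bytes 156, flags X
TCP outside  198.51.100.7:51234 dmz  10.22.30.8:443, idle 0:00:03, bytes 0, flags SaAB
TCP inside  10.22.20.9:40100 outside  203.0.113.5:80, idle 0:00:10, bytes 9120, flags UIO
"""

# One conn-table row: proto, interface/address pairs, idle timer, byte count, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src_if>\S+)\s+(?P<src>\S+:\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst>\S+:\d+),\s+idle\s+(?P<idle>\d+:\d{2}:\d{2}),"
    r"\s+bytes\s+(?P<nbytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?"
)

@dataclass
class Conn:
    proto: str
    src_if: str
    src: str
    dst_if: str
    dst: str
    idle_s: int
    nbytes: int
    flags: str

def parse_idle(text: str) -> int:
    """Convert the H:MM:SS idle timer to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_show_conn(output: str) -> list[Conn]:
    """Parse conn rows; summary lines such as '3 in use, 10 most used' are skipped."""
    conns = []
    for line in output.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(m["proto"], m["src_if"], m["src"], m["dst_if"], m["dst"],
                              parse_idle(m["idle"]), int(m["nbytes"]), m["flags"] or ""))
    return conns

def half_open_tcp(conns: list[Conn]) -> list[Conn]:
    """TCP entries without the 'U' (connection up) flag: the handshake has not completed.
    Assumption: 'U' means 'up' as in the ASA connection-flag legend."""
    return [c for c in conns if c.proto == "TCP" and "U" not in c.flags]

def idle_beyond(conns: list[Conn], proto: str, limit_s: int) -> list[Conn]:
    """Entries of one protocol whose idle timer has reached limit_s seconds."""
    return [c for c in conns if c.proto == proto and c.idle_s >= limit_s]
```

Run `half_open_tcp` over a real capture to count embryonic inbound connections per interface, and compare `idle_beyond` results against the `timeout udp`/`timeout conn` values configured on the box.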

Beginner

Re: ASA State Table

Hi Florin,

Thanks for the explanation.

Beginner

Re: ASA State Table

I know what you are saying. I am having a difficult time as well understanding where exactly the setting is that applies TCP and UDP stateful tracking. By default, the ASA tracks UDP and TCP. I have read this statement in a million places, and yet not one has mentioned where this setting is defined. I know from reading many sources that ICMP tracking and inspection can be turned on using the "inspect icmp" command under the default class in the default global policy, but I really don't get it. If ICMP can be turned on, then why can't I use the same logic and turn on TCP and UDP inspection?

Frequent Contributor

Re: ASA State Table

My opinion is that you need to be more specific about either TCP or UDP, as each has a myriad of ports available.
So you can select, from each protocol, what port to inspect: HTTP, DNS, SMTP, ...