05-17-2019 05:41 AM - edited 02-21-2020 09:08 AM
Good Morning,
I have a general question related to how ASA's work. I'm pretty sure I know the answer to my own question but another engineer said something the other day with such confidence I just want to make sure. My background is in networking not necessarily security so I want to make sure there isn't something I'm missing. Long story short I have recently gained responsibility for the ASA's on site. I have been going through and trying to clean up extra rules, routes, etc. I made a comment to a senior engineer that one of our security contexts need major overhaul because bi-directional routes are not in place therefore this traffic will never flow.
In an effort to explain the theory lets say you have PC A connected to ASA1 and PC B is connected to ASA2. The ASA's are interconnected and PC A is attempting to communicate to PC B. ASA1 has routes to reach PC B however ASA2 does not have routes to reach PC-A. According to the engineer the session will still establish because ASA-B will track the what interface the session comes in on and send that traffic back down that interface towards PC-A even though it doesn't have a route for that subnet in it's table. Is this right? I don't see how it would be, yes stateless firewalls will track sessions but that's a separate process from route lookups. If you don't have routes in place then the traffic should get dropped.
1.1.1.2 1.1.1.1 2.2.2.2 2.2.2.1 3.3.3.1 3.3.3.2
PC-A-------------ASA1-------------ASA2------------PC-B
05-17-2019 07:15 AM
Your theory and explanation is correct. (until you doing some where NAT)
In routing concept. if the device not connected directly and do not have destination route how will the routing knows where to send the packet ?
05-17-2019 07:21 AM - edited 05-17-2019 08:06 AM
Hello,
After have a test, I don't agree with it..
>>> "ASA1 has routes to reach PC B however ASA2 does not have routes to reach PC-A."
The RPF seems not enabled by default on ASA, you can check by 'show run | inc ip verify'.
Therefore, the traffic still be allowed even through there is no route back to the source. (Given that the traffic has allowed by access-list).
Of course, without return route, the TCP traffic will never established. But for the UDP traffic (as well as the TCP SYN packet), it will pass.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_protect.html
Best,
Ngkin
05-17-2019 10:41 AM
That's what I thought. Even though session wise the firewall could know what interface it received the initial traffic on it wouldn't automatically forward out that same interface unless it had a route for that subnet stating to do so. Appreciate the feedback
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide