ASA and statefull filtering

mahesh18
Level 6

Hi everyone,

I read that ASA by default does stateful filtering for TCP and UDP packets.

If user access internet website then return traffic is allowed from the internet.

Curious to know what config in ASA allows stateful filtering?

Or does ASA support stateful filtering in hardware?

Thanks

Mahesh

2 Accepted Solutions

cadet alain
VIP Alumni

Hi,

You've got nothing special to configure: traffic from a high security level interface can pass through the ASA and return traffic is permitted based on the state table that the ASA built. By default this is only for TCP and UDP, but if you inspect ICMP then it will also work for ICMP.

Regards

Alain

Don't forget to rate helpful posts.


Jouni Forss
VIP Alumni

Hi Mahesh,

ASA does this by default without any certain configuration on it.

It for example allows return traffic for already formed flows/connections through it. On the other hand, of course, if the ASA sees traffic that seems to be part of some connection but the ASA doesn't have an existing flow for it, it denies the traffic. A stateless device/firewall would have simply allowed the same connection through.

When you add ASAs Inspections to this you will get more control of certain applications.

For example "inspect ftp" enables the ASA to handle the secondary Data connection that is formed after the original Control connection is formed. Then there's for example "inspect dns" which controls the DNS messages through the ASA firewall. Then there's for example ICMP inspection which allows the replies to ICMP Echo messages sent by the host behind the ASA automatically.

- Jouni

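To make the state-table behaviour from the two answers above concrete, here is a small added model (example code, not Cisco's implementation) of a firewall that tracks TCP/UDP flows by default and ICMP only when an "inspect icmp"-style switch is on. The interface names, the flow 5-tuple, and the addresses are constructed assumptions for the demo.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # for icmp: the echo identifier (used in both port slots)
    dst: str
    dport: int
    iface: str   # "inside" (high security level) or "outside" (low)


@dataclass
class StatefulFirewall:
    """Minimal model of the ASA's connection (state) table; not Cisco code."""
    inspect_icmp: bool = False
    flows: set = field(default_factory=set)

    def process(self, pkt):
        """Return 'permit' or 'deny' for pkt and update the state table."""
        # TCP/UDP are tracked by default; ICMP only when "inspect icmp" is on.
        tracked = pkt.proto in ("tcp", "udp") or (pkt.proto == "icmp" and self.inspect_icmp)
        if pkt.iface == "inside":
            # High -> low security: allowed, and a flow is recorded for the return path.
            if tracked:
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        # Low -> high security: only traffic matching the reverse of an existing flow.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in self.flows else "deny"


def demo(inspect_icmp=False):
    """Walk a web request and a ping through the model; return the decisions."""
    fw = StatefulFirewall(inspect_icmp=inspect_icmp)
    # Constructed sample traffic using documentation address ranges.
    syn = Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, "inside")
    syn_ack = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000, "outside")
    unsolicited = Packet("tcp", "198.51.100.9", 40000, "10.0.0.5", 22, "outside")
    echo = Packet("icmp", "10.0.0.5", 7, "203.0.113.10", 7, "inside")
    echo_reply = Packet("icmp", "203.0.113.10", 7, "10.0.0.5", 7, "outside")
    return [fw.process(p) for p in (syn, syn_ack, unsolicited, echo, echo_reply)]


if __name__ == "__main__":
    print(demo())                   # ['permit', 'permit', 'deny', 'permit', 'deny']
    print(demo(inspect_icmp=True))  # ['permit', 'permit', 'deny', 'permit', 'permit']
```

Without ICMP inspection the outbound echo is permitted but no flow is recorded, so the reply is dropped; turning inspection on is what makes the echo reply match the state table, as Alain and Jouni describe.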

3 Replies

Hi Alain & Jouni,

Thanks again for clearing my concepts.

Best regards

Mahesh
