04-28-2013 10:32 AM - edited 03-11-2019 06:36 PM
Hi everyone,
I read that ASA by default does stateful filtering for TCP and UDP packets.
If a user accesses an internet website then the return traffic is allowed from the internet.
Curious to know what config in ASA allows stateful filtering?
Or does ASA support stateful filtering in hardware?
Thanks
Mahesh
04-28-2013 11:02 AM
Hi,
You've got nothing special to configure: traffic from a high security level interface can pass through the ASA and return traffic is permitted based on the state table that the ASA built. By default this is only for TCP and UDP but if you inspect ICMP then it will also work for ICMP.
Regards
Alain
Don't forget to rate helpful posts.
04-28-2013 11:04 AM
Hi Mahesh,
ASA does this by default without any certain configuration on it.
It for example allows return traffic for already formed flows/connections through it. On the other hand, of course, if the ASA sees traffic that seems to be part of some connection but the ASA doesn't have an existing flow for it, it denies the traffic. A stateless device/firewall would have simply allowed the same connection through.
When you add ASA's inspections to this you will get more control of certain applications.
For example "inspect ftp" enables the ASA to handle the secondary Data connection that is formed after the original Control connection is formed. Then there's for example "inspect dns" which controls the DNS messages through the ASA firewall. Then there's for example ICMP inspection which allows the replies to ICMP Echo messages sent by the host behind the ASA automatically.
- Jouni
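As an added illustration of the state table Alain and Jouni describe (this is not code from the thread or from Cisco), here is a toy Python model: flows started from the higher-security interface create entries, return traffic is allowed only when it matches an existing entry, unsolicited inbound packets are dropped, and ICMP echo replies are matched only when ICMP inspection is enabled. The interface names and addresses are assumed.

```python
# Constructed model of stateful filtering; not the ASA's real implementation.
HIGH, LOW = "inside", "outside"   # assumed interface names; inside = higher security level


class StatefulFirewall:
    def __init__(self, inspect_icmp=False):
        self.inspect_icmp = inspect_icmp   # the equivalent of "inspect icmp"
        self.conns = set()                 # the state table: one key per known flow

    @staticmethod
    def _keys(proto, src, dst, sport, dport):
        """Return (forward key, key a reply would carry) for a packet."""
        if proto == "icmp":
            # Echo request/reply share the identifier; there are no ports.
            return (proto, src, dst, sport), (proto, dst, src, sport)
        return (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)

    def filter(self, iface, proto, src, dst, sport=None, dport=None):
        """Decide 'allow' or 'deny' for one packet arriving on iface."""
        if proto == "icmp" and not self.inspect_icmp:
            # No ICMP inspection: nothing is tracked, so outbound echo leaves
            # but the reply from the low-security side has no flow to match.
            return "allow" if iface == HIGH else "deny"
        key, reverse = self._keys(proto, src, dst, sport, dport)
        if reverse in self.conns:
            return "allow"              # return traffic for an existing flow
        if iface == HIGH:
            self.conns.add(key)         # new outbound flow builds state
            return "allow"
        return "deny"                   # inbound with no matching flow: dropped


def demo():
    """Walk through the scenarios from the thread; returns the decisions."""
    fw = StatefulFirewall()
    out = [fw.filter("inside", "tcp", "10.0.0.5", "203.0.113.10", 51000, 80),   # web request
           fw.filter("outside", "tcp", "203.0.113.10", "10.0.0.5", 80, 51000),  # its reply
           fw.filter("outside", "tcp", "198.51.100.7", "10.0.0.5", 443, 51000), # unsolicited
           fw.filter("inside", "icmp", "10.0.0.5", "203.0.113.10", sport=7),    # ping out
           fw.filter("outside", "icmp", "203.0.113.10", "10.0.0.5", sport=7)]   # echo reply
    return out


if __name__ == "__main__":
    print(demo())  # ['allow', 'allow', 'deny', 'allow', 'deny']
```

With `StatefulFirewall(inspect_icmp=True)` the last decision becomes "allow", which is the effect of adding ICMP to the inspection policy.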
04-28-2013 11:19 AM
Hi Alain & Jouni,
Thanks again for clearing my concepts.
Best regards
Mahesh