ASA Routing Conundrum

Mike Keenan
Level 1

How does a routed mode ASA Firewall running 8.4 route a packet on the return trip? Say Host A sends a packet to Host B on the other side of the ASA and Host B responds to Host A. On the return trip (assuming NAT is not involved) does the firewall check its routing table again to determine what interface to send the packet out of or does it skip that step and forward it out the same interface it came in on in the first place?

Thanks!


5 Replies

Pranay Prasoon
Level 3

I think below link will be useful to understand packet processing.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

That is great. Can you point out where it talks about the return trip?

Hi Mike,

The complete packet flow only happens once when the packet is initially seen on the ASA device.

Once a packet passes (the SYN for a TCP connection), the return connection is handled statefully, and that means it will be checked on the basis of existing connections, so the packet flow would not take place again.

Thanks and Regards,

Vibhor Amrodia

Ok, so any kind of explanation of fast path and session management path might be helpful. Does the firewall route the return trip based on its routing table?

Hi,

This is something that should explain this:

"By default, all traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and is either allowed through or dropped based on the security policy. The ASA maximizes the firewall performance by checking the state of each packet (is this a new connection or an established connection?) and assigning it to either the session management path (a new connection SYN packet), the fast path (an established connection), or the control plane path (advanced inspection). See the "Stateful Inspection Overview" section for more detailed information about the stateful firewall.

TCP packets that match existing connections in the fast path can pass through the ASA without rechecking every aspect of the security policy. This feature maximizes performance. However, the method of establishing the session in the fast path using the SYN packet, and the checks that occur in the fast path (such as TCP sequence number), can stand in the way of asymmetrical routing solutions: both the outbound and inbound flow of a connection must pass through the same ASA.

For example, a new connection goes to ASA 1. The SYN packet goes through the session management path, and an entry for the connection is added to the fast path table. If subsequent packets of this connection go through ASA 1, then the packets will match the entry in the fast path, and are passed through. But if subsequent packets go to ASA 2, where there was not a SYN packet that went through the session management path, then there is no entry in the fast path for the connection, and the packets are dropped. Figure 51-1 shows an asymmetric routing example where the outbound traffic goes through a different ASA than the inbound traffic:"

Also, the routing table is not used for the return traffic; instead the connection entry, which has all the interface information, is used, and we don't need the routing table.

Thanks and Regards,

Vibhor Amrodia
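As an added illustration (not from this thread, and not Cisco's code), here is a toy Python model of the flow the quoted text describes: the SYN takes the session management path (policy check plus one route lookup) and creates a connection entry, the SYN-ACK and later packets hit the fast path and are forwarded from that entry without touching the routing table, and a second ASA that never saw the SYN drops the return packet. The interface names, addresses, route table and the port-based stand-in for the ACL are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

# src/dst addresses, ports, whether the TCP SYN flag is set, ingress interface
Packet = namedtuple("Packet", "src dst sport dport syn in_if")

class ToyASA:
    def __init__(self, routes, permitted):
        # routes: [(prefix, egress interface)], longest prefix wins (constructed table)
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.permitted = permitted  # {(ingress if, dport)} allowed: stand-in for the ACL
        self.conns = {}             # initiator 4-tuple -> (ingress if, egress if)
        self.route_lookups = 0      # how often the routing table was consulted
    def route(self, dst):
        self.route_lookups += 1
        addr = ipaddress.ip_address(dst)
        return next((ifname for net, ifname in self.routes if addr in net), None)
    def forward(self, pkt):  # returns the egress interface, or None when dropped
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if fwd in self.conns:                  # fast path, initiator -> responder
            in_if, out_if = self.conns[fwd]
            return out_if if pkt.in_if == in_if else None
        if rev in self.conns:                  # fast path, return traffic
            in_if, out_if = self.conns[rev]
            # egress is read from the connection entry; the routing table is not consulted
            return in_if if pkt.in_if == out_if else None
        if not pkt.syn:                        # no entry and not a SYN: dropped
            return None
        # session management path: policy check, then a single route lookup
        if (pkt.in_if, pkt.dport) not in self.permitted:
            return None
        out_if = self.route(pkt.dst)
        if out_if is None:
            return None
        self.conns[fwd] = (pkt.in_if, out_if)
        return out_if

# Constructed scenario: Host A (inside) opens a TCP session to Host B (outside).
ROUTES = [("0.0.0.0/0", "outside"), ("10.1.1.0/24", "inside")]
SYN = Packet("10.1.1.10", "192.0.2.20", 40000, 443, True, "inside")
SYN_ACK = Packet("192.0.2.20", "10.1.1.10", 443, 40000, False, "outside")

def demo():  # one ASA that saw the SYN, and a second ASA that did not
    asa1, asa2 = ToyASA(ROUTES, {("inside", 443)}), ToyASA(ROUTES, {("inside", 443)})
    first = asa1.forward(SYN)       # session management path -> "outside"
    reply = asa1.forward(SYN_ACK)   # fast path, egress from the connection entry -> "inside"
    stray = asa2.forward(SYN_ACK)   # asymmetric routing: no entry on asa2 -> None (dropped)
    return first, reply, stray, asa1.route_lookups   # (..., 1): one route lookup in total
```

Running `demo()` returns `("outside", "inside", None, 1)`: the route table was consulted once, for the SYN, and the reply was switched purely from the connection entry.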
