ASA Stateful inspection

mahesh18
Level 6

Hi Everyone,

I read that the ASA does stateful inspection and inspects all the contents of the packet.

I need to know which command we can use on the ASA to know it is doing stateful inspection.

Also, is there any command that can disable the stateful feature?

Thanks

Mahesh

7 Replies

Julio Carvajal
VIP Alumni

Hello,

No way you can disable the stateful inspection, that is the whole purpose of this firewall.

Now you can check that by just sending a packet from inside to outside; if the reply packet is returned and allowed, that means the stateful inspection is working.

There are additional inspections, like the deep packet inspection for specific protocols, and that is done via the MPF (Modular Policy Framework).

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

When you say send the packet, does it mean that I can send an ICMP packet from inside to outside, and if a reply comes

then stateful is working, right?

Thanks

Mahesh

Hello Mahesh18,

Exactly, by default stateful inspection for the ICMP protocol does not happen.

To make it happen you need the fixup protocol ICMP.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Or we can confirm by opening a website, and if the reply comes back, or in other words the website opens up, that also

confirms that stateful is working, right?

Thanks

Mahesh

Hello Mahesh,

Exactly, this happens because TCP and UDP stateful inspection on the ASA is on by default.

On a router, if you have an ACL applied to an interface you will need to allow the reply packet; have you seen that? That is not stateful at all.

An ASA is stateful by default for some protocols, and of course you can inspect traffic all the way to layer 7 if you want.

Remember to rate all of the helpful answers,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
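The behaviour Julio describes in the replies above (TCP/UDP replies permitted because they match a tracked connection, ICMP echo replies only matched once ICMP inspection is enabled, and unsolicited outside-to-inside traffic denied, unlike a stateless router ACL) can be modelled in a few dozen lines. The following is an added example written for this page, not ASA code or anything from Cisco: the packet format, the `StatefulFilter` class, the interface names and the addresses are all constructed for the illustration. On a real ASA the equivalents are `inspect icmp` in the global policy (the successor of the `fixup protocol icmp` command mentioned above) and `show conn` to view the connection table.

```python
"""Toy model of stateful filtering as the thread describes it on the ASA.

Added example for this page, not ASA code or Cisco's.  The packet format,
interface names and addresses are constructed for the illustration; the
behaviour modelled is the one the replies state: outbound TCP/UDP creates a
connection entry and the return packet is permitted because it matches that
entry, whereas ICMP echo replies only match when ICMP inspection is enabled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0         # TCP/UDP source port; for ICMP the echo identifier
    dport: int = 0         # TCP/UDP destination port; for ICMP the type (8 = request, 0 = reply)
    iface: str = "inside"  # interface the packet arrives on ("inside" or "outside")


class StatefulFilter:
    """Two-interface firewall: inside (high security) and outside (low security)."""

    def __init__(self, inspect_icmp: bool = False):
        # Stands in for 'inspect icmp' / 'fixup protocol icmp' being configured.
        self.inspect_icmp = inspect_icmp
        self.conns: set = set()  # the connection table

    @staticmethod
    def _forward_key(pkt: Packet):
        if pkt.proto in ("tcp", "udp"):
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return ("icmp", pkt.src, pkt.dst, pkt.sport)  # echo tracked by identifier

    @staticmethod
    def _reverse_key(pkt: Packet):
        if pkt.proto in ("tcp", "udp"):
            return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return ("icmp", pkt.dst, pkt.src, pkt.sport)

    def process(self, pkt: Packet) -> str:
        if pkt.iface == "inside":
            # Inside to outside is permitted by default.  TCP/UDP always create a
            # connection entry; ICMP only does so when inspection is enabled.
            if pkt.proto in ("tcp", "udp") or self.inspect_icmp:
                self.conns.add(self._forward_key(pkt))
            return "permit"
        # Outside to inside: permitted only as the return half of a tracked
        # connection.  Anything else hits the default deny on the lower-security
        # interface, which is exactly what a stateless router ACL would force
        # you to open by hand for the reply traffic.
        key = self._reverse_key(pkt)
        if key in self.conns:
            if pkt.proto == "icmp":
                self.conns.discard(key)  # one reply closes an echo entry
            return "permit"
        return "deny"

    def show_conn(self):
        """Rough analogue of 'show conn': the currently tracked entries."""
        return sorted(self.conns)


def probe(inspect_icmp: bool) -> dict:
    """Send an outbound TCP request and an ICMP echo, then try an unsolicited
    inbound SYN, and report the verdict on each packet arriving from outside."""
    fw = StatefulFilter(inspect_icmp=inspect_icmp)
    # Constructed addresses from the documentation ranges.
    host, web, ext = "192.0.2.10", "198.51.100.80", "198.51.100.200"

    fw.process(Packet("tcp", host, web, 51000, 443))                  # outbound HTTPS
    tcp_reply = fw.process(Packet("tcp", web, host, 443, 51000, "outside"))

    fw.process(Packet("icmp", host, ext, 1234, 8))                    # echo request, id 1234
    icmp_reply = fw.process(Packet("icmp", ext, host, 1234, 0, "outside"))

    unsolicited = fw.process(Packet("tcp", ext, host, 40000, 22, "outside"))
    return {"tcp_reply": tcp_reply, "icmp_reply": icmp_reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"inspect icmp = {mode}: {probe(mode)}")
```

Running it shows the two checks suggested in the thread side by side: the web reply is permitted in both modes because TCP is tracked by default, while the ping reply is denied until ICMP inspection is turned on, so a ping alone does not prove stateful inspection unless that inspection is configured.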

Hi Julio,

Many thanks again.

Regards

Mahesh

Hello Mahesh,

My pleasure to help,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC