10-23-2012 08:53 AM - edited 03-11-2019 05:12 PM
Hi Everyone,
I read that the ASA does stateful inspection and it inspects all the contents of the packet.
Need to know which command we can use on the ASA to know it is doing stateful inspection.
Also, is there any command that can disable the stateful feature?
Thanks
Mahesh
10-23-2012 10:42 AM
Hello,
There is no way you can disable the stateful inspection; that is the whole purpose of this firewall.
Now you can check that by just sending a packet from inside to outside; if the reply packet is returned and allowed, that means the stateful inspection is working.
There are additional inspections like the deep packet inspection for specific protocols, and that is done via the MPF (Modular Policy Framework).
Regards,
10-23-2012 10:46 AM
Hi,
When you say send the packet, does it mean that I can send an ICMP packet from inside to outside, and if a reply comes
then stateful is working, right?
Thanks
Mahesh
10-23-2012 10:48 AM
Hello Mahesh18,
Exactly, by default stateful inspection for the ICMP protocol does not happen.
To make it happen you need the fixup protocol ICMP command.
Regards,
Julio
10-23-2012 10:52 AM
Hi Julio,
Or we can confirm by opening a website, and if a reply comes back, or in other words the website opens up, that also
confirms that stateful is working, right?
Thanks
Mahesh
10-23-2012 11:03 AM
Hello Mahesh,
Exactly, this happens because TCP and UDP stateful inspection on the ASA is on by default.
On a router, if you have an ACL applied to an interface you will need to allow the reply packet; have you seen that? That is not stateful at all.
An ASA is stateful by default for some protocols, and of course you can inspect traffic all the way to layer 7 if you want.
Remember to rate all of the helpful answers,
Regards
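For reference, here is an added configuration example (not taken from any of the posts above) showing the MPF form of enabling ICMP stateful inspection that the legacy fixup command maps to, plus the show commands used to confirm that a connection entry is being tracked. The interface name "inside" and the host addresses 192.168.1.10 and 203.0.113.5 are assumed for illustration.

```cisco
! Legacy form mentioned in the thread; current ASA software converts it to the MPF policy below
fixup protocol icmp

! MPF equivalent: add ICMP (and ICMP error) inspection to the default inspection class
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Apply the policy to all interfaces (present by default on most ASA images)
service-policy global_policy global

! --- Verification (assumed: inside host 192.168.1.10 pings outside host 203.0.113.5) ---

! Simulate an ICMP echo request (type 8, code 0) entering the inside interface and
! watch for the "INSPECT" phase and a final action of ALLOW
packet-tracer input inside icmp 192.168.1.10 8 0 203.0.113.5

! While the ping is running, an ICMP entry for the host in the connection table shows the
! ASA is tracking state and will admit the echo-reply without an explicit ACL entry
show conn address 192.168.1.10

! Per-protocol inspection counters; TCP and UDP state tracking is always on regardless
show service-policy inspect icmp
show conn count
```

Without "inspect icmp", the same ping only succeeds if the outside ACL explicitly permits the echo-reply, which is the non-stateful behaviour Julio contrasts with a router ACL.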
10-23-2012 11:29 AM
Hi Julio,
Many thanks again.
Regards
Mahesh
10-23-2012 11:34 AM
Hello Mahesh,
My pleasure to help,
Regards,
Julio