ASA Transparent Mode - Stateful Inspection

scollinson
Level 1

Hi Community,

I would appreciate any input others may be able to provide on the behaviour of the ASA when in Transparent mode.

I have a few scenarios for which I am looking to confirm the stateful inspection behaviour.

By default I shall block all traffic.

1 - Flow initiated Inside to outside (Higher to Lower security interface)

     - Rule on inside

2 - Flow Initiated Outside to Inside (Lower to Higher security interface)

     - Rule on Outside

     - Appears to require rule on inside to allow response - No Stateful inspection

3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)

     - Rule on inside + App inspection

4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)

     - Rule on outside + App Inspection

     - Appears to require rule on inside to allow response - No Stateful Inspection

The reference guide could do with some clarification around transparent behaviour.

Many thanks

9 Replies
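The four scenarios in the post, written out as an ASA 8.4 transparent-mode configuration. This is an added example, not configuration from the thread or from Cisco: the interface names, the bridge group, the BVI management address 192.0.2.10/24 and the host addresses (192.0.2.0/24 on inside, 198.51.100.20 on outside) are assumed for illustration.

```cisco
! Added example, not from the thread. Interface names, bridge group,
! 192.0.2.10/24 (BVI), 192.0.2.100 (inside host) and 198.51.100.20
! (outside host) are assumed for illustration.
firewall transparent
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 bridge-group 1
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 bridge-group 1
!
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
! Scenarios 1 and 3: control what egresses from inside. Applying an ACL
! to an interface replaces the default "permit higher-to-lower" with this
! explicit permit list plus the implicit deny at the end. Return traffic
! for these flows matches the connection and never consults OUTSIDE_IN.
access-list INSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 192.0.2.0 255.255.255.0 any eq 53
access-list INSIDE_IN extended permit icmp 192.0.2.0 255.255.255.0 any echo
access-group INSIDE_IN in interface inside
!
! Scenarios 2 and 4: outside-initiated flows must be permitted on the
! outside ACL, since lower-to-higher is denied by default. The inside
! host's replies ride the connection; INSIDE_IN needs no entry for them.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.100 eq 80
access-group OUTSIDE_IN in interface outside
!
! Scenarios 3 and 4: application inspection is attached via the global
! policy. "inspect icmp" is the one that matters for the symptom in the
! post: without it, ICMP is not tracked as a connection and echo replies
! from outside are evaluated against the outside interface's policy.
policy-map global_policy
 class inspection_default
  inspect http
  inspect dns
  inspect icmp
service-policy global_policy global
```

Transparent mode does not change the ACL model: the first packet of a flow is checked against the ACL on its ingress interface (or, if none is applied, against the security-level default), a connection entry is created, and subsequent packets in both directions match that entry rather than any ACL. What does look like "no stateful inspection" is a protocol the ASA is not tracking as a connection, ICMP without `inspect icmp` being the common case, because every reply is then treated as a new lower-to-higher flow.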

Julio Carvajal
VIP Alumni

Hello,

For a flow initiated on the inside to the outside you do not need an ACL on the outside for the returning traffic; that is the main idea of stateful inspection.

As long as you do not have any ACLs applied to the inside interface, it will be like this:

1 - Flow initiated Inside to outside (Higher to Lower security interface)

2 - Flow Initiated Outside to Inside (Lower to Higher security interface)

     - Rule on Outside

     - Appears to require rule on inside to allow response - No Stateful inspection

3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)

    App inspection

4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)

     - Rule on outside + App Inspection

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the quick response.

As you will see in the test I posted, I do not propose to have an ACL on the outside to allow the return flow for inside (higher security level) initiated traffic.

I use an ACL on inside (higher) because I want to control exactly what traffic egresses the device. If there is no ACL on inside, by default all IP unicast traffic will be allowed.

Are you saying, with authority, stateful inspection only works for flows from higher to lower security level interfaces in transparent mode?

Many thanks.

Hello,

Nope, what I mentioned is the default behavior of the ASA as long as you do not have an ACL on the inside.

You can do stateful inspection from the lower security level to the higher security level, as long as you have an ACL on the outside allowing the connection!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
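A way to check whether the reply traffic is actually being matched statefully, as the reply above describes, rather than against the interface ACLs. This is an added example, not commands from the thread; the hosts 192.0.2.100 (inside) and 198.51.100.20 (outside) and the ACL names INSIDE_IN and OUTSIDE_IN are assumed for illustration.

```cisco
! Added example, not from the thread. Hosts 192.0.2.100 (inside),
! 198.51.100.20 (outside) and ACL names INSIDE_IN / OUTSIDE_IN assumed.
!
! 1. Inside-initiated HTTPS: the trace should show the packet permitted
!    by INSIDE_IN, a new flow created, and a final result of ALLOW.
packet-tracer input inside tcp 192.0.2.100 40000 198.51.100.20 443 detailed
!
! 2. Confirm the connection exists while a real session is open. The
!    outside host's replies match this entry and skip OUTSIDE_IN entirely.
show conn address 192.0.2.100
!
! 3. Outside-initiated HTTP: must be permitted by OUTSIDE_IN; once the
!    conn is built, the inside host's replies need no INSIDE_IN entry.
packet-tracer input outside tcp 198.51.100.20 40001 192.0.2.100 80 detailed
show conn protocol tcp address 198.51.100.20
!
! 4. Hit counts tell you which ACL entries the flows are really using.
!    Clear them, run the test traffic, then look again: hits on an inside
!    entry that only exists to let replies back in mean those packets
!    did not match a conn (e.g. ICMP echo replies without "inspect icmp").
clear access-list INSIDE_IN counters
clear access-list OUTSIDE_IN counters
show access-list INSIDE_IN
show access-list OUTSIDE_IN
```

`packet-tracer` always builds the first packet of a new flow, so it is only meaningful for the initiating direction; use `show conn` during a live session and the ACL hit counts to see what the return direction is matching.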

I agree, that is what one might expect.

It does not however seem to be operating in this manner.

Running 8.4.2-K8

Hello,

Can you be more specific so we can help: from which interface to which is it not working, which protocol is the one with the problem, or is it all traffic traversing the transparent firewall?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks,

I have raised a TAC case. Are you in TAC?

Steve

Hello,

Yes, I am in TAC. In fact, one of my co-workers has the case.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the info Julio. Another great example of Cisco coming across as a close-knit organisation.

Hello,

My pleasure,

As soon as you have any resolution from our team, you can update this ticket so other people with the same issue can learn from here.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC