Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
26803
Views
10
Helpful
5
Replies

ASA - What is allowing return HTTP traffic?

Go to solution
Gregor Blaj
Level 1
Level 1

‎04-09-2015 01:28 AM - edited ‎03-11-2019 10:45 PM

Hi,

I'm just playing around with a few ASA's and wondering what allows return HTTP traffic into the firewall? Also, what other traffic is allowed by default like HTTP?

Traffic is originating from a higher security interface (inside, 100) to a lower security interface (outside, 0). There is no ACL's applied on any interfaces.

I'm asking because ICMP doesn't work unless inspection is turned on (service-policy global_policy global).

Thanks for any help.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎04-09-2015 04:15 AM

Firewalls like the ASA are stateful so for TCP and UDP (although with UDP state is handled a little differently) if traffic is allowed one way it is automatically allowed back.

So when a connection is initiated, if it is allowed through the firewall an entry is made in the state table and when the return packet arrives at the firewall if there is a matching entry the traffic is allowed and there is no acl check.

The entry is made on source and destination IP and port numbers, and for TCP it also used the connection flags.

ICMP doesn't use ports so originally it could not be treated statefully and you had to allow it back in with an acl (if traffic was from lower to higher security level).

But then stateful inspection was added for ICMP as well but you still need to enable it unlike TCP and UDP.

Jon

View solution in original post

5 Replies 5

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎04-09-2015 04:15 AM

Firewalls like the ASA are stateful so for TCP and UDP (although with UDP state is handled a little differently) if traffic is allowed one way it is automatically allowed back.

So when a connection is initiated, if it is allowed through the firewall an entry is made in the state table and when the return packet arrives at the firewall if there is a matching entry the traffic is allowed and there is no acl check.

The entry is made on source and destination IP and port numbers, and for TCP it also used the connection flags.

ICMP doesn't use ports so originally it could not be treated statefully and you had to allow it back in with an acl (if traffic was from lower to higher security level).

But then stateful inspection was added for ICMP as well but you still need to enable it unlike TCP and UDP.

Jon

Go to solution
Gregor Blaj
Level 1
Level 1
In response to Jon Marshall

‎04-09-2015 05:51 AM

I see, so will all TCP/UDP traffic will be allowed by default? Except protocols that use secondary channels or dynamic ports, which still have to be inspected?

Thanks again.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Gregor Blaj

‎04-09-2015 05:57 AM

For TCP and UDP if there is an existing entry in the state table then yes traffic will be allowed without an acl check.

In terms of applications that can use secondary connections, embedded IPs etc. there are additional bits of code added to the ASA ie. the inspect code which allows the ASAs to look a bit further into the packet and record certain information so for example with a secondary connection it can dynamically open that port rather than having to allow all ports.

Not all applications are covered obviously but the more common ones are.

Jon

Go to solution
Gregor Blaj
Level 1
Level 1
In response to Jon Marshall

‎04-09-2015 06:30 AM

Thanks Jon.

0 Helpful

Go to solution
naitikchaitanya
Level 1
Level 1
In response to Jon Marshall

‎04-02-2019 09:23 PM

Agree with your poin considering that all tcp and udp traffic is allowed by default onASA , but then why do we inspect ftp ?
Ftp also works on tcp port 21 right ?
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card