27551 Views | 10 Helpful | 5 Replies

ASA - What is allowing return HTTP traffic?

Gregor Blaj
Level 1

Hi,

I'm just playing around with a few ASA's and wondering what allows return HTTP traffic into the firewall? Also, what other traffic is allowed by default like HTTP?

Traffic is originating from a higher security interface (inside, 100) to a lower security interface (outside, 0). There are no ACLs applied on any interfaces.

I'm asking because ICMP doesn't work unless inspection is turned on (service-policy global_policy global).

Thanks for any help.

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame

Firewalls like the ASA are stateful so for TCP and UDP (although with UDP state is handled a little differently) if traffic is allowed one way it is automatically allowed back.

So when a connection is initiated, if it is allowed through the firewall an entry is made in the state table and when the return packet arrives at the firewall if there is a matching entry the traffic is allowed and there is no acl check.

The entry is made on source and destination IP and port numbers, and for TCP it also uses the connection flags.

ICMP doesn't use ports so originally it could not be treated statefully and you had to allow it back in with an acl (if traffic was from lower to higher security level).

But then stateful inspection was added for ICMP as well but you still need to enable it unlike TCP and UDP.

Jon
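As an added illustration (not code from the thread or from Cisco), here is a small Python model of the state-table behaviour Jon describes: an outbound TCP SYN creates an entry, the returning SYN/ACK is matched and passed with no ACL check, an unsolicited inbound SYN is dropped, and an ICMP echo-reply only gets back in once ICMP inspection is tracking the request. The interface names and security levels come from the question; the addresses, and tracking ICMP echoes by identifier/sequence, are my assumptions for the model.

```python
from dataclasses import dataclass

# Constructed interface security levels, as in the question: inside=100, outside=0
SEC_LEVEL = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # for icmp: echo identifier (modelling assumption)
    dport: int = 0        # for icmp: echo sequence number
    flags: str = ""       # tcp flags: "S" (SYN), "SA", "A"
    icmp_type: str = ""   # "echo-request" or "echo-reply"


class StatefulFirewall:
    """Toy model of the ASA state table with no ACLs applied."""

    def __init__(self, inspect_icmp=False):
        self.inspect_icmp = inspect_icmp   # models 'inspect icmp' in global_policy
        self.state = set()                 # keys of flows already allowed through

    @staticmethod
    def _key(p, reverse=False):
        src, dst = (p.dst, p.src) if reverse else (p.src, p.dst)
        if p.proto == "icmp":              # echo id/seq are identical in both directions
            return (p.proto, src, dst, p.sport, p.dport)
        sport, dport = (p.dport, p.sport) if reverse else (p.sport, p.dport)
        return (p.proto, src, dst, sport, dport)

    def forward(self, ingress, egress, p):
        """Return (verdict, reason) for packet p entering on ingress, leaving on egress."""
        tracked = p.proto in ("tcp", "udp") or (p.proto == "icmp" and self.inspect_icmp)
        if tracked and self._key(p, reverse=True) in self.state:
            return ("allow", "matches state table entry, no ACL check")
        if p.proto == "tcp" and p.flags != "S":
            return ("drop", "non-SYN TCP packet with no matching state")
        if tracked and p.proto == "icmp" and p.icmp_type != "echo-request":
            return ("drop", "ICMP reply with no matching echo-request")
        # New flow: with no ACLs, only higher-to-lower security level is permitted
        if SEC_LEVEL[ingress] > SEC_LEVEL[egress]:
            if tracked:
                self.state.add(self._key(p))
            return ("allow", "new flow from higher to lower security level")
        return ("drop", "new flow from lower to higher security level, no ACL permits it")
```

Run the same echo-request/echo-reply pair through `StatefulFirewall(inspect_icmp=False)` and `StatefulFirewall(inspect_icmp=True)` to see why ping fails until inspection is enabled.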


5 Replies

I see, so will all TCP/UDP traffic be allowed by default? Except protocols that use secondary channels or dynamic ports, which still have to be inspected?

Thanks again.

For TCP and UDP if there is an existing entry in the state table then yes traffic will be allowed without an acl check.

In terms of applications that can use secondary connections, embedded IPs etc. there are additional bits of code added to the ASA, i.e. the inspect code, which allows the ASAs to look a bit further into the packet and record certain information, so for example with a secondary connection it can dynamically open that port rather than having to allow all ports.

Not all applications are covered obviously but the more common ones are.

Jon

Thanks Jon.

Agree with your point considering that all TCP and UDP traffic is allowed by default on ASA, but then why do we inspect FTP?
FTP also works on TCP port 21, right?