04-09-2015 01:28 AM - edited 03-11-2019 10:45 PM
Hi,
I'm just playing around with a few ASAs and wondering what allows return HTTP traffic into the firewall? Also, what other traffic is allowed by default like HTTP?
Traffic is originating from a higher security interface (inside, 100) to a lower security interface (outside, 0). There are no ACLs applied on any interfaces.
I'm asking because ICMP doesn't work unless inspection is turned on (service-policy global_policy global).
Thanks for any help.
04-09-2015 04:15 AM
Firewalls like the ASA are stateful, so for TCP and UDP (although with UDP state is handled a little differently), if traffic is allowed one way it is automatically allowed back.
So when a connection is initiated, if it is allowed through the firewall an entry is made in the state table, and when the return packet arrives at the firewall, if there is a matching entry the traffic is allowed and there is no ACL check.
The entry is made on source and destination IP and port numbers, and for TCP it also uses the connection flags.
ICMP doesn't use ports, so originally it could not be treated statefully and you had to allow it back in with an ACL (if traffic was from lower to higher security level).
But then stateful inspection was added for ICMP as well, but you still need to enable it, unlike TCP and UDP.
Jon
04-09-2015 05:51 AM
I see, so all TCP/UDP traffic will be allowed by default? Except protocols that use secondary channels or dynamic ports, which still have to be inspected?
Thanks again.
04-09-2015 05:57 AM
For TCP and UDP, if there is an existing entry in the state table then yes, traffic will be allowed without an ACL check.
In terms of applications that can use secondary connections, embedded IPs etc., there are additional bits of code added to the ASA, i.e. the inspect code, which allows the ASAs to look a bit further into the packet and record certain information, so for example with a secondary connection it can dynamically open that port rather than having to allow all ports.
Not all applications are covered obviously, but the more common ones are.
Jon
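The behaviour Jon describes in his two answers (a connection table keyed on addresses and ports, return traffic matched against it with no ACL check, ICMP tracked only when inspection is on, and an inspection engine opening a single dynamic port for a secondary channel) can be replayed in a small model. The code below is an added illustration written for this thread, not ASA code: the interface names, security levels, the SYN-first rule and the simplified active-mode FTP "PORT" handling are assumptions made for the example, and all addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    ingress: str            # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    sport: int = 0          # unused for icmp
    dport: int = 0
    flags: str = ""         # tcp only: "SYN", "SYN-ACK", "ACK"
    icmp_type: int = 0      # icmp only: 8 = echo request, 0 = echo reply
    icmp_id: int = 0        # icmp only: identifier pairing a reply with its request
    payload: str = ""       # tcp only, read by the toy FTP inspector


class StatefulFirewall:
    LEVELS = {"inside": 100, "outside": 0}   # assumed interface security levels

    def __init__(self, inspect_icmp=False, inspect_ftp=False):
        self.inspect_icmp = inspect_icmp
        self.inspect_ftp = inspect_ftp
        self.conns = set()      # (proto, src, sport, dst, dport); icmp uses (icmp, src, dst, id)
        self.pinholes = set()   # (proto, dst, dport) opened by inspection for a secondary channel
        self.log = []

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _decide(self, p, allowed, reason):
        self.log.append(f"{p.ingress:7} {p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                        f"{'ALLOW' if allowed else 'DROP '} ({reason})")
        return allowed

    def _open_ftp_pinhole(self, p):
        # Toy parse of "PORT h1,h2,h3,h4,p1,p2": the client announces where the server
        # should connect for the data channel; the inspector pre-authorises that port only.
        parts = p.payload.split()[1].split(",")
        self.pinholes.add(("tcp", ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])))

    def process(self, p):
        # 1. Traffic of a recorded tcp/udp flow (either direction) is matched on the
        #    tuple and allowed with no ACL or security-level check.
        if p.proto in ("tcp", "udp"):
            if self._key(p) in self.conns or self._reverse(p) in self.conns:
                if self.inspect_ftp and p.dport == 21 and p.payload.startswith("PORT "):
                    self._open_ftp_pinhole(p)
                return self._decide(p, True, "existing connection")
        # 2. ICMP has no ports; only with inspection did the echo request leave an
        #    entry that its reply can match.
        elif p.proto == "icmp" and p.icmp_type == 0:
            entry = ("icmp", p.dst, p.src, p.icmp_id)
            if self.inspect_icmp and entry in self.conns:
                self.conns.discard(entry)       # one reply per request
                return self._decide(p, True, "icmp reply matched by inspection")
        # 3. A secondary channel announced on an inspected control connection matches
        #    a pinhole, so one port is opened rather than all ports.
        if (p.proto, p.dst, p.dport) in self.pinholes:
            self.pinholes.discard((p.proto, p.dst, p.dport))
            self.conns.add(self._key(p))
            return self._decide(p, True, "matched inspection pinhole")
        # 4. Otherwise this is a new flow; with no ACLs applied, the default policy
        #    permits higher-to-lower security level and denies lower-to-higher.
        egress = "outside" if p.ingress == "inside" else "inside"
        if self.LEVELS[p.ingress] <= self.LEVELS[egress]:
            return self._decide(p, False, "new flow from lower security level, no acl permits it")
        if p.proto == "tcp" and p.flags != "SYN":
            return self._decide(p, False, "tcp connection must start with SYN")
        if p.proto in ("tcp", "udp"):
            self.conns.add(self._key(p))
        elif p.proto == "icmp" and p.icmp_type == 8 and self.inspect_icmp:
            self.conns.add(("icmp", p.src, p.dst, p.icmp_id))
        return self._decide(p, True, "new flow permitted by security levels")


def demo(inspect_icmp=False, inspect_ftp=False):
    """Replay the thread's scenarios and return the verdict for each."""
    fw = StatefulFirewall(inspect_icmp, inspect_ftp)
    c, web, ftp = "10.1.1.10", "203.0.113.80", "203.0.113.21"   # constructed addresses
    r = {}
    # Outbound HTTP and its return traffic (the original question).
    r["http_syn"] = fw.process(Packet("tcp", "inside", c, web, 50001, 80, flags="SYN"))
    r["http_synack"] = fw.process(Packet("tcp", "outside", web, c, 80, 50001, flags="SYN-ACK"))
    # An unsolicited inbound connection has no table entry and is dropped.
    r["unsolicited"] = fw.process(Packet("tcp", "outside", web, c, 80, 50002, flags="SYN"))
    # Outbound ping: the reply only gets back in when ICMP inspection is on.
    r["echo_req"] = fw.process(Packet("icmp", "inside", c, web, icmp_type=8, icmp_id=7))
    r["echo_reply"] = fw.process(Packet("icmp", "outside", web, c, icmp_type=0, icmp_id=7))
    # Active FTP: the server's data connection from port 20 is a new inbound flow
    # that only an inspection pinhole can admit.
    fw.process(Packet("tcp", "inside", c, ftp, 50003, 21, flags="SYN"))
    fw.process(Packet("tcp", "inside", c, ftp, 50003, 21, flags="ACK", payload="PORT 10,1,1,10,196,10"))
    r["ftp_data"] = fw.process(Packet("tcp", "outside", ftp, c, 20, 196 * 256 + 10, flags="SYN"))
    return r, fw.log


if __name__ == "__main__":
    for line in demo(inspect_icmp=True, inspect_ftp=True)[1]:
        print(line)
```

Running `demo()` with both inspections off reproduces the questioner's experience: the HTTP SYN-ACK is admitted because the outbound SYN left an entry, the unsolicited inbound SYN and the echo reply are dropped at the security-level check, and the FTP data connection is dropped too. Turning on `inspect_icmp` lets the reply match the request it belongs to, and `inspect_ftp` admits exactly the one data port the client announced.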
04-09-2015 06:30 AM
Thanks Jon.