CBAC is IOS firewall in order to enable stateful inspection.

ASA itself is enabled with stateful inspection feature.

Hi Mohit,

I have a doubt here as I am configuring an ASA at the moment. The very basic configuration comes with filters from less security level to higher security level interfaces. only traffic from higher security level to lower security inspected is allowed, i.e. by default icmp packets are not inspected so ping will fail from inside network to dmz network.

Problem comes when you want to start doing more than the default firewalling and you add an ACL to create an exception, just for testing purposes I created an ACL from inside to dmz to allow icmp packets, by the implicit deny everything else will be discarted. My surprise is that once you create an ACL the inspection is not working anymore, and even not having icmp protocol inspected in the policy rule, ping is allowed whereas with the original config, ping is denied if is not inspected.

Why are you saying ASA itself is enabled with stateful inspection? I expected even having the ACL enabling icmp the packets would be dropped as they are not inspected, otherwhise:

Aren't we coming back around 15 years ago with the ACL only filtering?

Why the security levels if the most simple ACL removes them all?

Am I missing something?

Thanks,

Juan

Hi,

Problem comes when you want to start doing more than the default  firewalling and you add an ACL to create an exception, just for testing  purposes I created an ACL from inside to dmz to allow icmp packets, by  the implicit deny everything else will be discarted. My surprise is that  once you create an ACL the inspection is not working anymore, and even  not having icmp protocol inspected in the policy rule, ping is allowed  whereas with the original config, ping is denied if is not inspected.

To my understanding by default ICMP will fail in the situation where you only have "security-level" in use OR you have an ACL allowing ICMP from the LAN to the WAN. To my understanding in either previously mentioned cases you need ICMP inspection to enable the Echo Reply messages to get through the firewall. Otherwise you have to allow ICMP Echo-reply on the WAN interface ACL of the ASA. So to me the ACL doesnt disable the inspection even if you allow the ICMP traffic on the ACL of the LAN interface.

Its been my understanding that the "security-level" value plays a role in simple network implementations but is not really used in any more complex setups as its logic simply isnt enough to meet the needs of those.

But at some point you are still going to want to limit some connections that should go through the firewall. For example limit SMTP, DNS, FTP, HTTP, Backup traffic, etc to certain destination services and that is when you need ACLs to control the traffic.

Going only with the "security-level" you are really limited to access rules that work with the logic "Allow everything or Deny everything" which isnt really usefull in the environments that I manage for example.

Using the ACL on the interface doesnt to my understanding mean that ASA will simply forget the state of the connections. For example for TCP connections it should still expect the TCP negotiation to go through the normal steps. It also expects that if traffic comes to the firewall which is supposedly part of an existing connection THAT the ASA indeed has the information of that connection in its connection/xlate table or it will simply block this traffic. To my understanding a simple Router wont care about this (though there is the "established" parameter)

I am not sure about the history if the "security-level". But to be honest for me it doesnt mean much when configuring the firewall. Most of the time it seems to be the cause of a problem for some users that dont know how the different interfaces with varying "security-level" handle traffic between them. You will still need other condifurations to allow traffic to enter and leave the same interface and also traffic to go through if the source/destination interfaces have equal "security-level"

- Jouni

Hi Jouni thanks for quick reply,

That was my initial thought, I am new in the ASA world, so my impression was that ACL was evaluated first, then if traffic is allowed the inspection takes place, but as said that is what I did and what confused me:

• inside zone (security level 100) ping to dmz zone (security level 50) --- >  with icmp in the global inspection rule ok, packet dropped otherwise.
  

• ACL to allow icmp from inside zone to dmz --> packet allowed no matters if icmp protocol is inspected or not, pings always succeed.
  

my question is am I missing something? I thought inspection default with global policy map was always applied... I expected ping being dropped. I am using asdm packet-tracer tool to check the conectivity...

Thanks again,

Juan

Hi,

Example from my own home ASA

LAN (100) and WLAN (50) interface

LAN interface has an ACL that permits all traffic

WLAN interface doesnt have any ACL, just the "security-level"

• While ICMP Inspection is enabled, ICMP from LAN to WLAN host goes through both directions
• While ICMP Inspection is disabled, ICMP from LAN is allowed but ICMP Echo reply isnt allowed through the WLAN interface because ICMP Inspection is disabled.

So the correct is either to allow ICMP on the WLAN interface with an ACL or enable the ICMP Inspection again.

To my understanding if there is no ACL on the destination interface and ICMP inspection is not enabled the ICMP Echo should get blocked.

- Jouni

Your were right, with real pings traffic seems to be filtered properly, just the packet tracer only showed one direction, not the come back.

Thanks,

Juan