03-26-2020 04:33 AM
Hello
My question is more theoretical than practical. I try to study content of CCNA/CCNP Security certification on my own and I don't get one thing regarding the ASA and Modular Policy Framework.
I saw one CCNP CBT Nuggets video where the guy showed us, in ASDM, the basic ASA MPF settings with the default class maps, policy maps, etc.
And HTTP was not included in the list of protocols to be inspected in the default policy map, but he could still reach a web site on the Internet from a PC connected to the INSIDE interface of that ASA. The connection to the Internet was from the OUTSIDE, of course. I would say that this shouldn't work, as this traffic initiated from the INSIDE wasn't inspected and therefore the reply from the web server wouldn't be allowed and would be denied on the OUTSIDE interface. Correct me if I am wrong.
Then he tried to ping 8.8.8.8 from the INSIDE, but it didn't work, and he explained that ICMP was not inspected and therefore the echo-reply message was not allowed on the OUTSIDE interface.
What am I missing please?
Solved! Go to Solution.
03-26-2020 05:27 AM
Hi,
TCP and UDP flows are inspected by design, non-configurable; it doesn't matter if you have MPF configured and applied, or what you have configured in MPF. So ICMP did not work until the ASA was told to track the state of ICMP traffic (not all types of ICMP, just Query Type ICMP messages) as a stateful firewall would do. The HTTP session worked without HTTP inspection, because HTTP in the end rides over TCP, so the ASA considered it to be a TCP session.
With MPF, you can add the following to the baseline of TCP/UDP inspection:
- inspection of additional supported layer 3 protocols (like ICMP and ESP for example), in order to allow return traffic automatically, thus behave as a stateful firewall (session state has to do with the layer3/layer4 headers)
- inspection of L4-L7 headers (not really DPI as you don't investigate the payload, just the headers), in order to perform additional restrictions or raise the security level (like inspecting HTTP traffic to disallow access to a certain URL, or inspecting SMTP traffic in order to forbid some commands at SMTP level due to a newly discovered vulnerability); L4-L7 inspection is not about state, because there is no state, it's about inspecting higher level headers
Regards,
Cristian Matei.
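As an added illustration of the two points in the answer above (not configuration from the original thread or from Cisco's documentation), here is an ASA CLI fragment that first adds ICMP state tracking to the default global policy, so the echo-reply to the ping to 8.8.8.8 is allowed back in, and then attaches an L7 HTTP inspection policy that blocks one URI path. The names BLOCKED_PATH, BLOCK_ADMIN_URI and HTTP_POLICY and the path /admin are assumptions chosen for the example; inspection_default and global_policy are the ASA's default object names.

```cisco
! --- Part 1: make ICMP stateful (layer 3/4 state, as in the answer's first bullet) ---
! The default class already matches the ASA's default inspection traffic.
! Adding "inspect icmp" makes the ASA create a connection for an outbound
! echo-request and permit only the matching echo-reply on the OUTSIDE interface.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! The global policy is already applied on every interface by default:
service-policy global_policy global
!
! Verify: a ping from INSIDE to 8.8.8.8 should now show an ICMP connection entry.
! show conn protocol icmp
! show service-policy global
!
! --- Part 2: L7 HTTP inspection (header inspection, no state, as in the second bullet) ---
! A regex and an inspect-type class map describe the request to act on.
! "/admin" is an assumed example path, not a value from the thread.
regex BLOCKED_PATH "^/admin"
!
class-map type inspect http match-all BLOCK_ADMIN_URI
 match request uri regex BLOCKED_PATH
!
! The HTTP inspect policy-map drops and logs matching requests;
! everything else passes through exactly as the plain TCP session would.
policy-map type inspect http HTTP_POLICY
 parameters
 class BLOCK_ADMIN_URI
  drop-connection log
!
! Attach the HTTP policy to the same default class; only HTTP on the
! default-inspection port (80) is examined, TCP state is still tracked as before.
policy-map global_policy
 class inspection_default
  inspect http HTTP_POLICY
```

Part 1 alone is enough to make the ping work; Part 2 changes nothing about whether the web site is reachable, only about which HTTP requests are allowed through.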
03-27-2020 03:48 AM