How does MPF framework on ASA

brano1982
Level 1

Hello

My question is more theoretical than practical. I am trying to study the content of the CCNA/CCNP Security certification on my own, and I don't get one thing regarding the ASA and the Modular Policy Framework.
I saw one CCNP CBT Nuggets video in which the guy showed us, in ASDM, basic ASA MPF settings with default class maps, policy maps, etc.
HTTP was not included in the list of protocols to be inspected in the default policy map, but he could reach a web site on the Internet from the PC that was connected to the INSIDE interface of that ASA. The connection to the Internet was from the OUTSIDE, of course. I would say that this wouldn't work, as this traffic initiated from the INSIDE wasn't inspected and therefore the reply from the web server wouldn't be allowed and would be denied on the OUTSIDE interface. Correct me if I am wrong.
Then he tried to ping 8.8.8.8 from the INSIDE but it didn't work, and he explained that ICMP was not inspected and therefore the echo-reply message was not allowed on the OUTSIDE interface.
What am I missing please?

Accepted Solution

Cristian Matei
VIP Alumni

Hi,

TCP and UDP flows are inspected by design; this is non-configurable, and it doesn't matter whether you have MPF configured and applied, or what you have configured in MPF. So ICMP did not work until the ASA was told to track the state of ICMP traffic (not all types of ICMP, just query-type ICMP messages) as a stateful firewall would do. The HTTP session worked without HTTP inspection because HTTP, in the end, rides over TCP, so the ASA considered it to be a TCP session.

With MPF, you can add the following to the baseline of TCP/UDP inspection:

- inspection of additional supported layer 3 protocols (like ICMP and ESP, for example), in order to allow return traffic automatically and thus behave as a stateful firewall (session state has to do with the layer 3/layer 4 headers)

- inspection of L4-L7 headers (not really DPI, as you don't investigate the payload, just the headers), in order to perform additional restrictions or raise the security level (like inspecting HTTP traffic to disallow access to a certain URL, or inspecting SMTP traffic in order to forbid some commands at SMTP level due to a newly discovered vulnerability); L4-L7 inspection is not about state, because there is no state; it's about inspecting higher-level headers


Regards,

Cristian Matei.

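To make the accepted answer concrete, here is the shape of the ASA's default global policy with ICMP inspection added. This is an added illustration, not configuration from the thread, the video or Cisco's documentation; the class-map, policy-map and service-policy names are the ASA's built-in defaults, the list of inspects is abbreviated, and the two `inspect icmp` lines are the addition that makes the ASA keep a connection entry for ICMP query messages, so that the echo-reply to a ping from the INSIDE is matched to that entry and allowed back in through the OUTSIDE interface. Note that there is no `inspect http` anywhere, and web browsing still works, because TCP connections are tracked statefully no matter what the policy map says.

```text
! Default class map: matches the "default inspection traffic" (the well-known
! TCP/UDP ports of the protocols the ASA knows how to inspect, plus ICMP).
class-map inspection_default
 match default-inspection-traffic
!
! Default global policy, abbreviated. Each "inspect" line adds L4-L7 header
! inspection for one protocol; none of them is what makes TCP/UDP return
! traffic work, since TCP/UDP state is tracked by design.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
  inspect sip
  inspect tftp
  inspect ip-options
! Added line: create a connection entry for ICMP query messages (echo,
! timestamp, ...) so the matching reply is permitted through OUTSIDE.
  inspect icmp
! Added line: also permit ICMP error messages (unreachable, time-exceeded)
! that refer to an existing TCP/UDP/ICMP connection on the ASA.
  inspect icmp error
!
! Apply the policy on all interfaces.
service-policy global_policy global
```

To verify the effect after a ping from an INSIDE host, `show service-policy inspect icmp` shows the packet counters for the ICMP inspection engine, and `show conn protocol icmp` lists the ICMP connection entries while the ping is running; without `inspect icmp` no such entry exists, so the echo-reply arriving on the lower-security OUTSIDE interface has nothing to match and is dropped, which is exactly the behaviour seen in the video.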

2 Replies

Thank you Cristian, this helped me a lot and clarified everything.