Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
7119
Views
40
Helpful
8
Replies

How the firewall handles return traffic

w1ll1ambarr
Level 1
Level 1

‎03-26-2019 07:57 AM

Hello All,

Please ignore my ignorance as I tried to wrap my head around this question lingering in my mind.

This is more of a query on how the Cisco firewall handles return traffic when an 'any any' policy is in place. The traffic is originating from a higher security known port 5060, 443, 22, 80 to a lower security destination. Based on my understanding, the return traffic should be allowed due to the permit ip any any rule in place. 

Thanks

Will

Labels:
0 Helpful
8 Replies 8

Deepak Kumar
VIP Alumni
VIP Alumni

‎03-26-2019 08:33 AM

Hi,

Where and how to apply this ANY ANY policy? What is your configuration? 

Here is the Cisco ASA packet flow:

 

 

packet-flow-through-asa.png

 

 

 

 

 

 

 

 

 

 

 

 

 

I hope it will help you to understand.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Rob Ingram
VIP
VIP

‎03-26-2019 09:41 AM

Hi, The ASA is a stateful firewall, it keeps track of the connections going through the firewall. So if traffic was permitted from inside to outside and the conection is in the state table (an existing connection) the return traffic would be permitted.

HTH

w1ll1ambarr
Level 1
Level 1

‎03-26-2019 11:59 AM

Hello, Thanks for your detailed reply. Another question I have regarding sip inspection. By default, I can see that 

sip is being inspected by the firewall. See global policy-map below.

 

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp

  inspect sip
  inspect sqlnet
  inspect tftp
  inspect xdmcp
  inspect http

 

Should sip port 5060 be already opened by the firewall based on it's statefullness? Or I still have to open port 5060 to allow sip traffic from the CUCM to the endpoint?

 

Appreciate, any light that you can shed on this.

0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni
In response to w1ll1ambarr

‎03-26-2019 02:59 PM

on your sip question: NO

 

that is not what sip inspection does. so you would need to explicitly allow SIp based on port 5060. once SIP is permitted, sip inspection will look inside the packet and more specifically in the SDP packet contained within sip. based on this, it will dynamically allow ports for RTP. this way you dont need to open thousands of ports for the purpose of allowing video and voice across your FW

Please remember to rate useful posts, by clicking on the stars below.

Deepak Kumar
VIP Alumni
VIP Alumni
In response to w1ll1ambarr

‎03-26-2019 07:40 PM

Hi,
You have to explicitly allow SIp based on port 5060

Regards.
Deepak Kumar
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

w1ll1ambarr
Level 1
Level 1
In response to Deepak Kumar

‎03-29-2019 05:23 AM

Hello Deepak,

Thanks for your comment. But wanted to clarify as I thought that due to the
statefullness of the sip traffic, if the UCCM initiated the session port
5060 will be automatically open or allowed. Please see below output and
keep me honest.

ASA4# sh run all | in sip
object service tcp-sip pre-defined
service tcp destination eq sip
object service tcp-udp-sip pre-defined
service tcp-udp destination eq sip
object service udp-sip pre-defined
service udp destination eq sip
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
policy-map type inspect sip _default_sip_map
traffic-non-sip

ASA4# sh run all | in sip
object service tcp-sip pre-defined
service tcp destination eq sip
object service tcp-udp-sip pre-defined
service tcp-udp destination eq sip
object service udp-sip pre-defined
service udp destination eq sip
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
policy-map type inspect sip _default_sip_map
traffic-non-sip

Do I still have to allo sip port despite that it's already pre-defined by
the default
ASA configuration?

Appreciate greatly all your input and help.

Regards,
William
0 Helpful

John-Finnegan
Level 1
Level 1
In response to w1ll1ambarr

‎03-29-2019 12:15 PM

Those are the configurations in relation to SIP and what to do with the SIP traffic once permitted. The ASA inherently blocks traffic, unless no ACL is applied and you are going from a higher security zone to a lower security zone.

 

If SIP is not explicitly permitted in the ACL then this traffic would not be permitted through the Firewall.

 

You would need, for example:

 

access-list INSIDE permit udp any any eq sip

 

If the INSIDE acl was applied to your Internal segment on the ASA, this would allow SIP traffic from your Internal Segment through the ASA. The other options you see in your output are now how to handle this traffic, such as Idle Timeout or confirming that it is in fact SIP traffic before permitting the traffic etc.

Deepak Kumar
VIP Alumni
VIP Alumni
In response to w1ll1ambarr

‎03-29-2019 12:51 PM

Hi,

Check this document: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-voicevideo.html

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
Review Cisco Networking for a $25 gift card
Top