Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
387
Views
0
Helpful
5
Replies

how to make tcp have establish option's function or reflexive in ASA like icmp have echo reply

Go to solution
martlee2
Cisco Employee
Cisco Employee

‎02-19-2015 07:10 PM - last edited on ‎03-25-2019 05:55 PM by Community Manager

how to make tcp have establish option's function or reflexive in ASA like icmp have echo reply

rather than permit tcp in both side

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-19-2015 07:37 PM

An ASA firewall is stateful.

The reflexive access for TCP connections (or UDP flows) is allowed by default as the firewall checks for established connections prior to applying an access-list on traffic that arrives at an interface.

Excerpted from this document (emphasis mine):

"Here are the individual steps in detail:

  1. Packet is reached at the ingress interface.

  2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

  3. Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.

    If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged."

 

 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-19-2015 07:37 PM

An ASA firewall is stateful.

The reflexive access for TCP connections (or UDP flows) is allowed by default as the firewall checks for established connections prior to applying an access-list on traffic that arrives at an interface.

Excerpted from this document (emphasis mine):

"Here are the individual steps in detail:

  1. Packet is reached at the ingress interface.

  2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

  3. Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.

    If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged."

 

 

0 Helpful

Go to solution
martlee2
Cisco Employee
Cisco Employee
In response to Marvin Rhoads

‎02-20-2015 01:41 AM

tonight i will go back office to verify this lab before clicking correct answer

does it mean that it can remove permit tcp in outside in direction and keep permit tcp in inside in direction , then the inside router use tcp can still pass through ASA such as using telnet?

why icmp do not have default?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to martlee2

‎02-20-2015 02:58 PM

You're asking about an ASA or a router?

On an ASA the default policy is to allow all traffic from the inside (high security) to the outside (low security) interface. No access-list is needed on either side.

We only need to add access-lists when restricting outbound traffic or allowing non-default inbound traffic (originated from outside hosts).

0 Helpful

Go to solution
martlee2
Cisco Employee
Cisco Employee
In response to Marvin Rhoads

‎02-20-2015 04:22 PM

after tried again,

i can remove 

access-list 200 permit tcp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255

in outside in direction in order to ping from inside to outside in initial setup

 

it has to keep 

access-list 100 permit tcp 192.168.2.3 255.255.255.255 192.168.4.8 255.255.255.255

in inside in direction

 

conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.2.25 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 192.168.4.9 255.255.255.0
no shut
end
conf t
access-list 100 permit icmp 192.168.2.3 255.255.255.255 192.168.4.8 255.255.255.255 echo log

access-list 100 permit tcp 192.168.2.3 255.255.255.255 192.168.4.8 255.255.255.255
access-group 100 in interface inside
end
conf t
access-list 200 extended permit icmp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255 echo-reply log
access-group 200 in interface outside
end
conf t
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
end

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to martlee2

‎02-21-2015 06:46 AM

As I mentioned earlier, there is an implicit "allow any any" from inside to outside (high to low) interfaces on an ASA. As soon as you apply any access list on the inside interface that change to an implicit "deny any any" at the end of the ACL.

Thus when there is any access-list on an interface, anything not explicitly allowed will be forbidden (except in the case of existing connections). 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card