07-13-2004 11:56 PM - edited 02-20-2020 11:30 PM
Hi,
Wondering if someone could help me understand the following.
The ASA has defined rules for which it determines whether to deny or permit incoming packets.
My understanding is that the ASA tracks the 3-way TCP handshake to the point where it knows which interface the initial TCP SYN originated from and then follows it through to completion. Only after the 3-way handshake is complete does the translation/connection become secured in the state table. After this the packets are allowed to traverse the firewall.
My question is, what happens when the ASA receives a TCP packet that does not belong to a secure session (i.e. it's the first incoming packet) but has other TCP flags set such as FIN, RST, ACK? What does ASA do? Assuming that it hits a permit ACL, does it pass it through to the target (protected) host? Or does it drop the packet because it is not a part of a valid connection and also because it is not an initial TCP SYN?
Any help would be greatly appreciated.
Thanks
07-14-2004 12:39 AM
Hi,
Here is my understanding of how the PIX ASA works:
1. A packet enters an interface and PIX evaluates the security level for the source and destination interfaces. Low-to-high is allowed only if there is an access-list/conduit that allows the connection, and high-to-low is allowed by default unless a specific access-list/outbound denies it.
2. The entering packet is checked against the stateful session table. If it is part of an already established flow, it is passed forward in order to be routed out and eventually translated if specified.
If the packet is identified as part of a new session, it is checked against the access-list applied to the inbound interface (or against the conduits for versions earlier than 6.3).
3. Once the packet has passed the inbound security check, it is passed to ASA, which performs the inbound network translation (destination NAT).
4. ASA creates an entry in the stateful session table and the timers are started for that session. The packet gets routed out to the interface designated by the routing table.
5. At the exit interface any source translation is performed, if specified, by using global statements and nat groups.
6. The packet is delivered out to the next-hop router, or to the final destination if it is present in the local firewall's subnets.
Hope this helps,
Jay
07-14-2004 01:05 AM
Hi Jay, thanks for the reply.
Any idea on what happens in relation to Paragraph 2 of my posting?
07-14-2004 01:19 AM
If a translation (xlate) is not part of an established session then it will be quietly dropped. How long ASA keeps the translations in its table can be controlled by the timeout xlate command.
Hope this answers your question and let me know.
Jay
07-14-2004 01:29 AM
Hi,
Forgot to add the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/intro.htm#xtocid3
The above explains further on how ASA works on the PIX.
Jay
07-14-2004 01:28 AM
PIX configured with an access-list that permits tcp/21 to 1.2.3.4. When I try to send an RST packet to that port with hping2 --rst 1.2.3.4 -p 21, PIX denies the packet and generates the following message:
%PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1610 to 1.2.3.4/21 flags RST on interface outside
So I would say that PIX drops such packets, even though the access-list would permit a (regular, with appropriate 3-way handshake) connection.
Regards,
ROK
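The following is an added toy model, not code from Cisco or from any poster in this thread, of the packet path Jay lists above (security levels, access-list on the ingress interface, stateful session table, routing) combined with the behaviour ROK observed with hping2: a TCP packet that matches no existing connection may only create one if it is a bare SYN, and any other first packet (RST, ACK, FIN) is dropped with the %PIX-6-106015 "no connection" message even when the access-list would permit the flow. Interfaces, addresses (203.0.113.5 stands in for x.x.x.x), routes and the ACL are constructed for the example; xlate timers and NAT are omitted, the flag display order and the non-106015 deny text are approximations, and the handshake tracking is deliberately lenient compared with a real PIX.

```python
"""Toy model of the PIX/ASA TCP packet path from the thread (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass, field

FLAG_ORDER = ("SYN", "FIN", "RST", "ACK")   # display order only; approximation of the syslog format


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of FLAG_ORDER


@dataclass
class Firewall:
    levels: dict                                # iface -> security level (0..100)
    routes: dict                                # prefix -> egress iface (constructed routing table)
    acls: dict = field(default_factory=dict)    # iface -> [(action, dst, dport)], first match wins
    conns: dict = field(default_factory=dict)   # flow key -> connection state
    log: list = field(default_factory=list)

    @staticmethod
    def key(pkt):
        """Direction-independent flow key so reply packets find the same entry."""
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def egress(self, dst):
        """Longest-prefix match over the toy routing table."""
        ip = ipaddress.ip_address(dst)
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1]

    def acl_verdict(self, pkt):
        """'permit'/'deny' from the ACL bound to the ingress interface, or None if none is applied."""
        acl = self.acls.get(pkt.iface)
        if acl is None:
            return None
        for action, dst, dport in acl:
            if dst in ("any", pkt.dst) and dport in ("any", pkt.dport):
                return action
        return "deny"   # implicit deny at the end of every access-list

    def process(self, pkt):
        k = self.key(pkt)
        if k in self.conns:                      # existing flow: state table wins, ACL not consulted
            return self._track(k, pkt)
        # New flow: only a bare SYN may create a connection.  RST/ACK/FIN as a first
        # packet is dropped before the ACL matters, which is what the hping2 test showed.
        if pkt.flags != {"SYN"}:
            shown = " ".join(f for f in FLAG_ORDER if f in pkt.flags)
            self.log.append(f"%PIX-6-106015: Deny TCP (no connection) from {pkt.src}/{pkt.sport} "
                            f"to {pkt.dst}/{pkt.dport} flags {shown} on interface {pkt.iface}")
            return "drop"
        out = self.egress(pkt.dst)
        verdict = self.acl_verdict(pkt)
        if self.levels[pkt.iface] < self.levels[out]:
            if verdict != "permit":              # low-to-high needs an explicit permit
                self.log.append(f"deny (no access-list permit) {pkt.src}/{pkt.sport} -> "
                                f"{pkt.dst}/{pkt.dport} on {pkt.iface}")   # constructed text, not a PIX message
                return "drop"
        elif verdict == "deny":                  # high-to-low is allowed unless an applied ACL denies it
            self.log.append(f"deny (access-list) {pkt.src}/{pkt.sport} -> {pkt.dst}/{pkt.dport} on {pkt.iface}")
            return "drop"
        # Create the stateful entry; xlate/timer handling omitted in this toy.
        self.conns[k] = {"state": "SYN", "originator": (pkt.src, pkt.sport), "in": pkt.iface, "out": out}
        return "permit"

    def _track(self, k, pkt):
        """Follow the handshake; the flow is ESTABLISHED only after SYN, SYN/ACK, ACK."""
        conn = self.conns[k]
        from_orig = (pkt.src, pkt.sport) == conn["originator"]
        if "RST" in pkt.flags:
            del self.conns[k]                    # RST on a known flow tears the connection down
        elif conn["state"] == "SYN" and not from_orig and pkt.flags == {"SYN", "ACK"}:
            conn["state"] = "SYN_ACK"
        elif conn["state"] == "SYN_ACK" and from_orig and "ACK" in pkt.flags:
            conn["state"] = "ESTABLISHED"
        return "permit"                          # lenient: a real PIX also checks sequence numbers


def build_firewall():
    """Constructed two-interface PIX: outside (0) / inside (100), ACL permitting tcp/21 to 1.2.3.4."""
    return Firewall(levels={"outside": 0, "inside": 100},
                    routes={"0.0.0.0/0": "outside", "1.2.3.0/24": "inside"},
                    acls={"outside": [("permit", "1.2.3.4", 21)]})


if __name__ == "__main__":
    fw = build_firewall()
    # hping2 --rst 1.2.3.4 -p 21 from the outside, as in ROK's test (source address constructed)
    rst = Packet("outside", "203.0.113.5", 1610, "1.2.3.4", 21, frozenset({"RST"}))
    print(fw.process(rst), "|", fw.log[-1])
    syn = Packet("outside", "203.0.113.5", 1610, "1.2.3.4", 21, frozenset({"SYN"}))
    print(fw.process(syn))
```

Running the block shows the RST dropped with the 106015 text while the SYN to the same port is permitted; replaying SYN, SYN/ACK and ACK through `process()` moves the entry to ESTABLISHED, after which a FIN/ACK on that flow is accepted from the state table rather than the ACL.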
08-07-2004 07:12 AM
.