Solved: Stateful Inspection

Mansoor Hafeez · ‎12-08-2006

Greetings

Attached is my network layout for Connectivity between Host A and Host B. These two hosts need to communicate with each other on two TCP ports 6666 and 8888 via Telco Provider IP Network.

The Telco Provider has configured their firewalls in such a way that the hosts can talk to each other via these two ports only and in both directions.All other services like PING,TRACERT etc are not allowed between these two hosts thourgh IP Network.

I have run the Port Scanner NMAP to test the ports and output shows that the connectivity is ok between these two hosts.

Now the scenario is like this, Host A will originate a session towards Host B and will use the Port 6666 as destination port.After successful session creation,at the same time the Host B will originate another session by using any arbitrary source port towards Host A and use Port 8888 as destination port.

Now my question is Does Firewall allow such kind of communication if stateful packet inspection is in place? If not than what can be the solution/workaround for this.

Early response will be highly appreciable.

Mansoor Hafeez

kapish.mohole · ‎12-08-2006

Hi,

Your situation is same as dynamic application, ftp or other dynamic/multimedia applications, which need dynamic port opening. These kinds of applications are fixed up in PIX by ?fixup? command, but in your case I guess your application is not a standard well known application so you don?t have any way to ?fixup? this.

The only way around is (guessing SP has only 1 firewall) is to open those particular ports in proper source-> destination->dst port flow by putting 2 different ACLs (1 for each direction) on both in and out interfaces (ACL on both interfaces will make it more secure).

Plus you need to provide NAT, either by giving any new IP (then you need to conside routing) or by just NAT 0.

Thanks

View solution in original post

sebastan_bach · ‎12-08-2006

hi mansoor ur asking abt dynamic opening of ports on the channels cretaed by the host on 6666 upon which the the other host will open connection on 8888. it;s more like ftp. but it;s look like it;s not a standard application like ftp or sql for which the pix will understand and dynamically open the ports. for this to work the established keyword. wherein u can specify that if a connection is opened on the port 6666 for a ip then dynamically open connections from that ip to a specific destination port. this can be achieved.

pls refer to the documentation on pix config guide. it has examples with explanations.

i hope this answers ur query.

if this hopes rate it.

regards

sebastan

m-haddad · ‎12-08-2006

Hello Mansour,

Scenario:

Inside on Pix/ASA is treated as highest security 100

Outside on PIX/ASA is treated as lowest security 0

Normally, all traffic from outside to inside is denied.

If traffic is initiated from inside to outside the PIX will autmatically allow return traffic SINCE traffic was initiated from higher level to lower level. This would ONLY require a NAT/PAT from inside to outside. No ACL required to permit return traffic because I mentioned traffic was initiate from Higher to Lower security level.

Now if traffic was to originate from lower level to higher level this would require two things:

1- Static NAT for the inside host to appear on the outside with a public IP for example

2- AN ACL which allow traffic inbound on specific ports

Therefore, if you understand what I explained above this would mean,

1- If the ISP is treating Host A as high security and Host B on the other end as lower security then traffic will go through if traffic is iniated from Host A to B, (B will be able to reply back).

2- If the traffic is treated Host B as in lower security level they will need to assign A static NAT for Host A to appear on the same subnet as in B Segement.Also, they will have to add an ACL allowing the traffic you want.

3- If Host B has to initiate a NEW session then this is considered initiation from Outside to inside (As in the case I explained above)

In short, your scenario is doable if the ISP has configure the firewall correctly.

I tried to explain the requirements so you can have an idea how things should work and troubleshoot the issue with your ISP.

Hope could help and appreciate your rating,

Regards,

kapish.mohole · ‎12-08-2006

Hi,

Your situation is same as dynamic application, ftp or other dynamic/multimedia applications, which need dynamic port opening. These kinds of applications are fixed up in PIX by ?fixup? command, but in your case I guess your application is not a standard well known application so you don?t have any way to ?fixup? this.

The only way around is (guessing SP has only 1 firewall) is to open those particular ports in proper source-> destination->dst port flow by putting 2 different ACLs (1 for each direction) on both in and out interfaces (ACL on both interfaces will make it more secure).

Plus you need to provide NAT, either by giving any new IP (then you need to conside routing) or by just NAT 0.

Thanks

Mansoor Hafeez · ‎12-08-2006

Thanks for the answers. Firstly my application is proprietry and use user-defined ports. How it works, it first establish connection with other Host on Port 6666 and after successful session handshaking the other host will send some data to my host on port 8888. The problem i m facing is that i can successfully make connection on port 6666 with other host but the other host data is not reaching to my host.

So what I have understand from conversation is that If I have one established connection on Firewall from Direction Host A --> Host B and using destination port as 6666 on Host B, and if there will be a requirement of connection from Host B --> Host A on destination port 8888 on Host A, than I have to put 2 different ACLs(1 for each direction).

I have to check this thing with service provider.

Mansoor

Solace · ‎12-08-2006

Hi Mansoor,

To answer your question statefull inspection will ensure that the flow of TCP SYN, TCP SYN ACK etc is following during the TCP session setup. Thus if you are saying the HOST B establishes a NEW connection following the standard SYN then the standard firewall rules will apply and statefull inspection will be satisfied. However is the reply is originating on a different port a rule will be required to allow the reply to traverse the PIX)

What I would do to resolve the issue and allow another port outside of your application through your network configuration and confirm that you are able to connect to that (or you could just try TELNET to the open TCP ports).

You are also sure that the ports are TCP and not UDP?

Also your Telco should be able to provide some insight as to what's hitting their access lists to be able to tell you if there are other ports that are a problem.

Oh and ofcourse turn on debugging logging on the pix and read what it says. It'll tell you if the problem is with the pix rules.

Hope this helps

sebastan_bach · ‎12-09-2006

hi mansoor what u actuall ywant is that when the ur internal host initiates a connection on port 6666 then only it should allow traffic originating from any source port to 8888.

this means u need this traffic for 8888 only when u have made connection to 6666.

this canno be achieved by an access-list as proposed by others. cause with the access-list u are opening a permanent hole in ur firewall. this means even when u are not origination traffic for 6666 traffic can still enter ur network to 8888.

this inspection can only be achieved with the help of established keyword as i suggested u before.

in the established keyword u can specify when traffic has originated for dest port 6666 then dynam ically open connecitons form that ip to dest port 8888 without requiring any access-list.

i hope this solves ur query.

rate it if it helps.

regards

sebastan