05-22-2011 06:14 AM - edited 03-11-2019 01:36 PM
Hi,
Does the ASA 5500 have a stateless filter to drop packets even when the 3-way handshake is finished?
For example,
1: 3-way handshake is done
2: client sends data to server
3: I apply a stateless filter to the incoming interface to drop the packet from the client
Thanks
05-23-2011 09:52 AM
Hi Junjie,
Can you share some more details on what you're trying to achieve? On what criteria are you trying to drop the packet from the client if your security policy allows it to complete the 3-way handshake? Something specific in the payload?
In general, the only way to achieve this on the ASA would be to apply an application-layer inspection engine to the traffic. Of course, this is only possible for known protocols that the ASA has inspection engines for. The full list of these engines can be found here:
-Mike
05-23-2011 07:45 PM
Hi, Mirober2
The case I want to achieve is like this.
In general, a firewall works in stateful mode; it means it will check the session and the ACL to permit or drop a packet, for example
client1 ------|untrust-------trust|-------client2
If client1 wants to visit client2, we only need to permit traffic in one direction: permit source-ip client1 dest-ip client2. When the response comes from client2 to client1, the firewall will permit this packet because it is a stateful firewall and records the session from client1 to client2.
Now, due to some test, I wanna do something different
SYN is permitted
client1 ------>|untrust-------trust|------->client2
SYN/ACK should be dropped
client1 <------or drop here|untrust-------trust|drop here<-------client2
This is what I mean by "stateless"
05-24-2011 06:22 AM
Hi Junjie,
In that case, no, this is not possible with the ASA alone. If the security policy allows the first SYN packet, a conn will be built and added to the ASA's conn table. When the SYN-ACK comes back, the ASA will first check if there is an existing conn that matches the traffic (which there will be). Once it finds a match, it skips over the ACL check and allows the packet through.
From the ASA's perspective, if the security policy allows the SYN, we would expect the SYN-ACK to be allowed as well (assuming it is a legitimate response to the SYN).
To do this, you'd need a device which is not stateless, such as a router.
Hope that helps.
-Mike
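The conn-table behaviour Mike describes above, as an added toy model that is not ASA code and not part of this thread: a stateful firewall consults its ACL only when no conn entry exists, so a permitted SYN builds the conn and the returning SYN-ACK is matched against the conn and bypasses the ACL. A stateless filter judges every packet on its own header, which is why it can drop the SYN-ACK the way Junjie wants. The addresses, ports and the one-line ACL are constructed for the example; real ASA state tracking (TCP flag sequencing, sequence-number checks, inspection engines) is much more involved.

```python
"""Toy stateful-vs-stateless packet filter (added example, not ASA code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN-ACK", "ACK" or "PSH-ACK"


# Topology from the thread: client1 on the untrust side, client2 on trust.
# Addresses are constructed for this example.
CLIENT1, CLIENT2 = "10.1.1.10", "192.168.1.20"

# One-direction permit, as in the thread: source client1, destination client2:80.
ACL = {(CLIENT1, CLIENT2, 80)}


class StatefulFirewall:
    """ACL is consulted only when no conn entry exists. A permitted SYN
    creates the conn; every later packet of that flow, in either direction,
    matches the conn and skips the ACL check entirely."""

    def __init__(self, acl):
        self.acl = acl
        self.conns = set()

    @staticmethod
    def _key(pkt):
        # Order the two endpoints so both directions map to the same conn entry.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def process(self, pkt):
        if self._key(pkt) in self.conns:
            return True  # conn match: ACL skipped, packet permitted
        if pkt.flags == "SYN" and (pkt.src, pkt.dst, pkt.dport) in self.acl:
            self.conns.add(self._key(pkt))  # build the conn for this flow
            return True
        return False  # no conn and the ACL does not permit the packet


class StatelessFilter:
    """Every packet is judged on its own header; nothing is remembered, so
    return traffic of an allowed flow is dropped unless a rule permits it."""

    def __init__(self, acl):
        self.acl = acl

    def process(self, pkt):
        return (pkt.src, pkt.dst, pkt.dport) in self.acl


def handshake_and_data():
    """The exchange from the thread: handshake, then data from client1."""
    return [
        Packet(CLIENT1, CLIENT2, 40001, 80, "SYN"),
        Packet(CLIENT2, CLIENT1, 80, 40001, "SYN-ACK"),
        Packet(CLIENT1, CLIENT2, 40001, 80, "ACK"),
        Packet(CLIENT1, CLIENT2, 40001, 80, "PSH-ACK"),
    ]


def run_scenario():
    """Return the per-packet verdicts (True = permitted) of both filters."""
    stateful, stateless = StatefulFirewall(ACL), StatelessFilter(ACL)
    pkts = handshake_and_data()
    return {
        "stateful": [stateful.process(p) for p in pkts],
        "stateless": [stateless.process(p) for p in pkts],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        for pkt, ok in zip(handshake_and_data(), verdicts):
            print(f"{name:9} {pkt.flags:8} {pkt.src} -> {pkt.dst}: "
                  f"{'permit' if ok else 'drop'}")
```

Running it shows the stateful model permitting all four packets (the SYN-ACK via the conn match, never via the ACL), while the stateless model drops the SYN-ACK because no rule permits client2 to client1. The same property means a stateless filter needs an explicit rule for every return direction, which is the operational cost of the behaviour asked for in the thread.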