ASA .... stateful


I’ve been chasing an answer to a question regarding the function of ASA’s for a couple days now and am striking out.  I tried to lab this concept, but wasn’t able to get a tool to send traffic properly.  I also tried researching it online, but couldn’t find an answer. 

In a really simple setup, say I had an ASA allowing telnet access to one host – basically just a one line acl allowing telnet.  What would the ASA do with an initial packet sent to TCP/23 if the packet had the FIN bit set?  What I’m getting at is, the acl allows TCP/23 and this packet is using TCP/23, but the packet has the FIN bit set even though it’s the initial packet, so it’s out of state.  What will the ASA do with that packet?

I’m aware that the state table is built from outbound traffic and creates dynamic holes through the acl.  So what I’m getting at is, does the state table have a secondary function of blocking out of state packets even if the acl in place actually allows that traffic?

If anyone knows of some specific documentation on this concept, I'd really appreciate it.  Thanks for your help.

-nklhd

Comments

  • Any firewall tracks a TCP session from the beginning till the end. First is the SYN, then SYN-ACK, and then ACK, the sequence numbers, flags, port numbers etc. Unless everything matches, the ASA won't allow the packet in.

    ASA and most of the firewalls have a session table that records everything and checks the packet flow flowing across.

    If the packet comes with the FIN bit, it will not be allowed unless that packet has a connection table in the ASA.

    With regards

    Kings
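A toy connection-table model of the behaviour discussed in the question and in the reply above, added here as an illustration; it is not ASA code and does not reproduce Cisco's implementation. Everything in it is a constructed assumption: one ACL entry permitting TCP/23, a connection table keyed on the two endpoints, and a reduced TCP state machine (SYN, SYN/ACK, ACK, established, FIN exchange, closed). It shows the point both posts make: an initial packet with only FIN set matches the ACL on port, but with no entry in the connection table it is dropped, while the same FIN inside a tracked session is permitted.

```python
"""Toy model of a stateful firewall's connection table (added example,
not Cisco ASA code). All names, addresses and the state machine are
constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


# Constructed ACL: the single "permit telnet to one host" rule from the
# question, reduced to (protocol, destination port).
ACL = [("tcp", 23)]


def acl_permits(pkt: Packet) -> bool:
    """Stateless check: does any ACL entry match the destination port?"""
    return any(proto == "tcp" and pkt.dport == port for proto, port in ACL)


class StatefulFirewall:
    def __init__(self) -> None:
        # key -> {"state": str, "initiator": (ip, port), ...}
        self.conns: dict = {}

    @staticmethod
    def key(pkt: Packet) -> frozenset:
        # Both directions of a flow share one table entry.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def process(self, pkt: Packet) -> str:
        k = self.key(pkt)
        entry = self.conns.get(k)
        if entry is None:
            # No connection yet: only a bare SYN that the ACL permits
            # creates an entry ("dynamic hole" in the question's words).
            if pkt.flags == {"SYN"} and acl_permits(pkt):
                self.conns[k] = {"state": "SYN_SENT",
                                 "initiator": (pkt.src, pkt.sport)}
                return "PERMIT"
            # A FIN (or anything else) with no entry is out of state and
            # is dropped even though the ACL would match the port.
            return "DROP: no connection in table"

        state = entry["state"]
        from_initiator = (pkt.src, pkt.sport) == entry["initiator"]
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"} and not from_initiator:
            entry["state"] = "SYN_RECEIVED"
            return "PERMIT"
        if state == "SYN_RECEIVED" and pkt.flags == {"ACK"} and from_initiator:
            entry["state"] = "ESTABLISHED"
            return "PERMIT"
        if state == "ESTABLISHED":
            if "RST" in pkt.flags:
                del self.conns[k]
                return "PERMIT"
            if "FIN" in pkt.flags:
                entry["state"] = "CLOSING"
                entry["fin_from_initiator"] = from_initiator
                return "PERMIT"
            if "ACK" in pkt.flags:
                return "PERMIT"
        if state == "CLOSING":
            if "FIN" in pkt.flags and from_initiator != entry["fin_from_initiator"]:
                entry["state"] = "LAST_ACK"
                return "PERMIT"
            if "ACK" in pkt.flags:
                return "PERMIT"
        if state == "LAST_ACK" and "ACK" in pkt.flags:
            del self.conns[k]  # both sides finished: entry removed
            return "PERMIT"
        return f"DROP: flags {sorted(pkt.flags)} do not fit state {state}"


# Constructed endpoints: a client and the telnet host from the question.
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 23)


def pkt(src, dst, *flags) -> Packet:
    return Packet(src[0], src[1], dst[0], dst[1], frozenset(flags))


def run_scenarios() -> dict:
    """Run the out-of-state FIN, then a full tracked session."""
    fw = StatefulFirewall()
    fin_first = fw.process(pkt(CLIENT, SERVER, "FIN"))  # initial packet, FIN set
    session = [
        fw.process(pkt(CLIENT, SERVER, "SYN")),
        fw.process(pkt(SERVER, CLIENT, "SYN", "ACK")),
        fw.process(pkt(CLIENT, SERVER, "ACK")),
        fw.process(pkt(CLIENT, SERVER, "FIN", "ACK")),  # FIN inside a tracked session
        fw.process(pkt(SERVER, CLIENT, "FIN", "ACK")),
        fw.process(pkt(CLIENT, SERVER, "ACK")),
    ]
    return {
        "acl_matches_fin": acl_permits(pkt(CLIENT, SERVER, "FIN")),
        "fin_first": fin_first,
        "session": session,
        "table_after_close": len(fw.conns),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The two verdicts to compare are `acl_matches_fin` (True, the stateless rule alone would pass the packet) and `fin_first` (dropped, because the table has no entry). A real firewall also checks sequence numbers, as the reply notes, and removes idle entries on a timer; this model leaves both out.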