ASA vs Router for firewalling

One of the huge benefits of ASA's is that they create stateful connections, right? So an outgoing connection will be allowed back inbound (if I'm understanding properly)

Do routers not have stateful connections? ie: Accessing a web-interface application - It works on my network behind an ASA, but on a different network it has trouble connecting.

Find more posts tagged with

Comments

dtlokee

mzinz wrote:

One of the huge benefits of ASA's is that they create stateful connections, right? So an outgoing connection will be allowed back inbound (if I'm understanding properly)

Do routers not have stateful connections? ie: Accessing a web-interface application - It works on my network behind an ASA, but on a different network it has trouble connecting.

IOS routers support the IOS Firewall feature set which has a stateful engine known as Context Based Access Control (CBAC) but is configured with the "ip inspect" command set. I have used both and they both seem to perform about the same for most major network protocols.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_qas09186a008010a40e.html

LOkrasa

Great link DT! I am actually trying to figure out the differences myself at work and that helps TREMENDOUSLY! Thanks!

Ahriakin

Still you need to know if the protocols you will use are supported by CBAC. The list has really grown lover the years but it's worth checking before you try to use it.
While the ASA uses inspection also for dynamic protocols and some deeper security enforcement they are as you said stateful by default.

dtlokee

I agree with Ahriakin, the ASA seems to support more protocols and I would choose to use an ASA if the primay fuction of the device is security. One issue I have run into with the ASA and similar firewall devices is they only support ethernet/FE/GE interfaces so if you have a traditional T-1 connection you may need a router anyhow. Sometimes it can be a cost savings to use the IOS Firewall on a router instead of 2 devices back to back.

mzinz

Thanks for clearing that up, that helps.

One thing I'm a little hazy on is the IP Inspect statement.

If I don't have port 80 open in my ACL (outbound coming in), but I do have 'IP INSPECT <NAME> 80', will the traffic be allowed?

If I have port 80 open in my ACL, but I don't have 'IP INSPECT <NAME> 80', will the traffic be allowed?

What exactly is occurring there?

dtlokee

mzinz wrote:

Thanks for clearing that up, that helps.

One thing I'm a little hazy on is the IP Inspect statement.

If I don't have port 80 open in my ACL (outbound coming in), but I do have 'IP INSPECT <NAME> 80', will the traffic be allowed?

If I have port 80 open in my ACL, but I don't have 'IP INSPECT <NAME> 80', will the traffic be allowed?

What exactly is occurring there?

Assuming you are trying to allow inside hosts to access the Internet the inspection of the outbound traffic will dynamically create entries in the state table to return, thre is no need to open any inbound ports for http.

If the goal is to allow access to an internal webserver from the Internet you will need to open port 80 to allow the traffic into the router.

mzinz

dtlokee wrote:

mzinz wrote:

Thanks for clearing that up, that helps.

One thing I'm a little hazy on is the IP Inspect statement.

If I don't have port 80 open in my ACL (outbound coming in), but I do have 'IP INSPECT <NAME> 80', will the traffic be allowed?

If I have port 80 open in my ACL, but I don't have 'IP INSPECT <NAME> 80', will the traffic be allowed?

What exactly is occurring there?

Assuming you are trying to allow inside hosts to access the Internet the inspection of the outbound traffic will dynamically create entries in the state table to return, thre is no need to open any inbound ports for http.

If the goal is to allow access to an internal webserver from the Internet you will need to open port 80 to allow the traffic into the router.

Right, that's what I'm trying to figure out, allowing access to an internal webserver from the outside. Do I need to have port 80 open in my ACL, or in the INSPECT statement, or both? What's the difference???[/b]

dtlokee

Well IP inspection will only work if there is some initial traffic to inspect, then it creates an entry in the state table to allow the return traffic. In the case of a web server which is behind the router the initial traffic will come from the Internet so the inbound ACL must allow port 80 inbound because there is no entry in the state table (because the traffic came from outside)

I guess you could configure the outbound router interface to inspect the return traffic along with an ACL that blocks all traffic outbound, but I have never tried it to know if it works. Even if it does work it's not the typical way to do it and will still require inbound port 80 to be open

also on a side note, if you are using nat on the router make sure the ACL references the inside global address, not the inside local address. ACL is applied before NAT on the return traffic.

mzinz

Thanks for the detailed reply, that makes much more sense.

So if a port is not being identified (using IP IDENTIFY), then will a statefull connection not be created?

Also, I noticed this line in the ACL:
access-list 101 permit ip any any established

Is that just telling it to allow any inbound connections that have already been established?

dtlokee

mzinz wrote:

access-list 101 permit ip any any established

Is that just telling it to allow any inbound connections that have already been established?

Essentially, yes. Anything that has the "ack" bit set in it. This should not be needed if you're using inspection unless you are using some tcp based protocols that are not handled by inspection.