ASA vs Router for firewalling

mzinzmzinz Member Posts: 328
One of the huge benefits of ASA's is that they create stateful connections, right? So an outgoing connection will be allowed back inbound (if I'm understanding properly)

Do routers not have stateful connections? ie: Accessing a web-interface application - It works on my network behind an ASA, but on a different network it has trouble connecting.
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801

Comments

  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    mzinz wrote:
    One of the huge benefits of ASA's is that they create stateful connections, right? So an outgoing connection will be allowed back inbound (if I'm understanding properly)

    Do routers not have stateful connections? ie: Accessing a web-interface application - It works on my network behind an ASA, but on a different network it has trouble connecting.

    IOS routers support the IOS Firewall feature set which has a stateful engine known as Context Based Access Control (CBAC) but is configured with the "ip inspect" command set. I have used both and they both seem to perform about the same for most major network protocols.

    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_qas09186a008010a40e.html
    The only easy day was yesterday!
  • LOkrasaLOkrasa Member Posts: 343 ■■■□□□□□□□
    Great link DT! I am actually trying to figure out the differences myself at work and that helps TREMENDOUSLY! Thanks!
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Still you need to know if the protocols you will use are supported by CBAC. The list has really grown lover the years but it's worth checking before you try to use it.
    While the ASA uses inspection also for dynamic protocols and some deeper security enforcement they are as you said stateful by default.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    I agree with Ahriakin, the ASA seems to support more protocols and I would choose to use an ASA if the primay fuction of the device is security. One issue I have run into with the ASA and similar firewall devices is they only support ethernet/FE/GE interfaces so if you have a traditional T-1 connection you may need a router anyhow. Sometimes it can be a cost savings to use the IOS Firewall on a router instead of 2 devices back to back.
    The only easy day was yesterday!
  • mzinzmzinz Member Posts: 328
    Thanks for clearing that up, that helps.

    One thing I'm a little hazy on is the IP Inspect statement.

    If I don't have port 80 open in my ACL (outbound coming in), but I do have 'IP INSPECT <NAME> 80', will the traffic be allowed?

    If I have port 80 open in my ACL, but I don't have 'IP INSPECT <NAME> 80', will the traffic be allowed?

    What exactly is occurring there?
    _______LAB________
    2x 2950
    2x 3550
    2x 2650XM
    2x 3640
    1x 2801
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    mzinz wrote:
    Thanks for clearing that up, that helps.

    One thing I'm a little hazy on is the IP Inspect statement.

    If I don't have port 80 open in my ACL (outbound coming in), but I do have 'IP INSPECT <NAME> 80', will the traffic be allowed?

    If I have port 80 open in my ACL, but I don't have 'IP INSPECT <NAME> 80', will the traffic be allowed?

    What exactly is occurring there?

    Assuming you are trying to allow inside hosts to access the Internet the inspection of the outbound traffic will dynamically create entries in the state table to return, thre is no need to open any inbound ports for http.

    If the goal is to allow access to an internal webserver from the Internet you will need to open port 80 to allow the traffic into the router.
    The only easy day was yesterday!
  • mzinzmzinz Member Posts: 328
    dtlokee wrote:
    mzinz wrote:
    Thanks for clearing that up, that helps.

    One thing I'm a little hazy on is the IP Inspect statement.

    If I don't have port 80 open in my ACL (outbound coming in), but I do have 'IP INSPECT <NAME> 80', will the traffic be allowed?

    If I have port 80 open in my ACL, but I don't have 'IP INSPECT <NAME> 80', will the traffic be allowed?

    What exactly is occurring there?

    Assuming you are trying to allow inside hosts to access the Internet the inspection of the outbound traffic will dynamically create entries in the state table to return, thre is no need to open any inbound ports for http.

    If the goal is to allow access to an internal webserver from the Internet you will need to open port 80 to allow the traffic into the router.


    Right, that's what I'm trying to figure out, allowing access to an internal webserver from the outside. Do I need to have port 80 open in my ACL, or in the INSPECT statement, or both? What's the difference???[/b]
    _______LAB________
    2x 2950
    2x 3550
    2x 2650XM
    2x 3640
    1x 2801
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    Well IP inspection will only work if there is some initial traffic to inspect, then it creates an entry in the state table to allow the return traffic. In the case of a web server which is behind the router the initial traffic will come from the Internet so the inbound ACL must allow port 80 inbound because there is no entry in the state table (because the traffic came from outside)

    I guess you could configure the outbound router interface to inspect the return traffic along with an ACL that blocks all traffic outbound, but I have never tried it to know if it works. Even if it does work it's not the typical way to do it and will still require inbound port 80 to be open

    also on a side note, if you are using nat on the router make sure the ACL references the inside global address, not the inside local address. ACL is applied before NAT on the return traffic.
    The only easy day was yesterday!
  • mzinzmzinz Member Posts: 328
    Thanks for the detailed reply, that makes much more sense.

    So if a port is not being identified (using IP IDENTIFY), then will a statefull connection not be created?

    Also, I noticed this line in the ACL:
    access-list 101 permit ip any any established

    Is that just telling it to allow any inbound connections that have already been established?
    _______LAB________
    2x 2950
    2x 3550
    2x 2650XM
    2x 3640
    1x 2801
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    mzinz wrote:
    access-list 101 permit ip any any established

    Is that just telling it to allow any inbound connections that have already been established?

    Essentially, yes. Anything that has the "ack" bit set in it. This should not be needed if you're using inspection unless you are using some tcp based protocols that are not handled by inspection.
    The only easy day was yesterday!
Sign In or Register to comment.