Cisco Security Appliance

The ASA is designed to function as a stateful, connection-oriented process that maintains
session information in a state table. Applying the security policy and address translation to
the state table controls all traffic passing through the firewall. A random TCP sequence
number is generated, and the ASA writes the connection information to the state table as an
outbound connection is initiated. If the connection is allowed by the security policy, the
source address is translated to an external address and the request goes out. Return traffic is
compared to the existing state information. If the information does not match, the firewall
drops the connection. The security emphasis on the connection rather than on the packets
makes it nearly impossible to gain access by hijacking a TCP session.
Figure 3-1 depicts the mechanics of the ASA and how it affects traffic flowing through a
Cisco Security Appliance. The following numbered list explains the steps indicated in the
figure. Notice that Steps 1 and 5 are performed by the requester and the responder, respectively;
Steps 2, 3, 4, and 6 are all performed by the PIX Firewall.
1. The internal host initiates an IP connection to an external resource.
2. The Security Appliance writes the following connection information into the state table:
— Source IP and port
— Destination IP and port
— TCP sequencing information
— Additional TCP/UDP flags
— A randomly generated TCP sequence number is applied (the state table entry is called a “session object”)
3. The connection object is compared to the security policy. If the connection is not
allowed, the session object is deleted, and the connection is dropped.
4. If the connection is approved by the security policy, the source address is translated and
the request is forwarded to the external resource.
5. The external resource replies to the request.
6. The response arrives at the firewall and is compared to the session object. If the response
matches the session object, the destination address is translated back to the original
address and the traffic passes to the internal host. If it does not match, the connection is
dropped.
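The six steps above, worked through as an added example: a small Python simulation of the state table that I wrote for this page; it is not Cisco code and does not reproduce the ASA's real implementation. The outside address, the inside network, the policy function and the sample packets are all constructed. The simulation keeps the parts the text describes: a session object is written on the outbound SYN with a randomised sequence number, the policy decides whether the object survives, the source is translated, and return traffic is accepted only if it matches the session object (including the randomised ISN the firewall chose, which a third party that never saw the SYN has no way of knowing). A real appliance also tracks TCP state and window limits, which this toy omits.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MOD32 = 1 << 32


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int = 0    # TCP sequence number carried by the packet
    ack: int = 0    # TCP acknowledgement number carried by the packet


@dataclass
class SessionObject:
    """State-table entry written in Step 2 (the book's 'session object')."""
    proto: str
    inside_ip: str
    inside_port: int
    outside_port: int   # translated source port on the firewall's outside address
    dst_ip: str
    dst_port: int
    delta: int          # firewall ISN minus host ISN; added to outbound seq, subtracted from inbound ack
    expect_ack: int     # the ACK a genuine reply to the translated SYN must carry
    established: bool


class StatefulFirewall:
    def __init__(self, outside_ip: str, policy: Callable[[Packet], bool], rng=None):
        self.outside_ip = outside_ip
        self.policy = policy
        self.rng = rng or random.SystemRandom()
        # Keyed by the outside-facing tuple so Step 6 can look a reply up directly.
        self.sessions: Dict[Tuple[str, int, str, int], SessionObject] = {}
        self.by_inside: Dict[Tuple[str, str, int, str, int], SessionObject] = {}
        self._next_port = 1024
        self.drops: List[Tuple[str, Packet]] = []   # (reason, packet) for every drop

    def _drop(self, reason: str, pkt: Packet) -> None:
        self.drops.append((reason, pkt))
        return None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Steps 2-4: packet from an inside host towards an outside resource."""
        ikey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        sess = self.by_inside.get(ikey)
        if sess is None:
            is_tcp = pkt.proto == "tcp"
            fw_isn = self.rng.randrange(MOD32) if is_tcp else 0      # Step 2: random ISN
            sess = SessionObject(pkt.proto, pkt.src_ip, pkt.src_port, self._next_port,
                                 pkt.dst_ip, pkt.dst_port,
                                 delta=(fw_isn - pkt.seq) % MOD32 if is_tcp else 0,
                                 expect_ack=(fw_isn + 1) % MOD32 if is_tcp else 0,
                                 established=not is_tcp)
            self._next_port += 1
            if not self.policy(pkt):                                  # Step 3: policy check
                return self._drop("policy", pkt)                      # session object discarded
            self.by_inside[ikey] = sess
            self.sessions[(sess.proto, sess.outside_port, sess.dst_ip, sess.dst_port)] = sess
        # Step 4: translate the source and shift the sequence number by the random offset
        return Packet(pkt.proto, self.outside_ip, sess.outside_port, pkt.dst_ip, pkt.dst_port,
                      seq=(pkt.seq + sess.delta) % MOD32, ack=pkt.ack)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 6: packet from outside; it must match an existing session object."""
        sess = self.sessions.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if sess is None or pkt.dst_ip != self.outside_ip:
            return self._drop("no-session", pkt)
        if sess.proto == "tcp" and not sess.established:
            # The reply must acknowledge the ISN the firewall put on the wire.
            if pkt.ack != sess.expect_ack:
                return self._drop("bad-ack", pkt)
            sess.established = True
        ack = (pkt.ack - sess.delta) % MOD32 if sess.proto == "tcp" else 0
        # Translate the destination back to the inside host and undo the sequence offset.
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, sess.inside_ip, sess.inside_port,
                      seq=pkt.seq, ack=ack)


INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed inside network


def sample_policy(pkt: Packet) -> bool:
    """Constructed policy: inside hosts may open TCP connections to web ports only."""
    return (ipaddress.ip_address(pkt.src_ip) in INSIDE_NET
            and pkt.proto == "tcp" and pkt.dst_port in (80, 443))


def walk_through(rng=None) -> dict:
    """Run Steps 1-6 with constructed packets and return what the firewall did."""
    fw = StatefulFirewall("198.51.100.1", sample_policy, rng)
    syn = Packet("tcp", "10.1.1.5", 40000, "203.0.113.10", 80, seq=1000)   # Step 1
    out = fw.outbound(syn)                                                 # Steps 2-4
    # A reply that acknowledges the host's real ISN, not the firewall's: it never saw the SYN.
    forged = Packet("tcp", "203.0.113.10", 80, "198.51.100.1", out.src_port, seq=7, ack=1001)
    stray = Packet("tcp", "203.0.113.99", 4444, "198.51.100.1", out.src_port, seq=1, ack=1)
    forged_result = fw.inbound(forged)
    stray_result = fw.inbound(stray)
    # Step 5: the real responder answers what it actually received.
    synack = Packet("tcp", out.dst_ip, out.dst_port, out.src_ip, out.src_port,
                    seq=5000, ack=(out.seq + 1) % MOD32)
    back = fw.inbound(synack)                                              # Step 6
    telnet = fw.outbound(Packet("tcp", "10.1.1.5", 40001, "203.0.113.10", 23, seq=1))
    return {"syn_out": out, "reply_in": back, "forged": forged_result, "stray": stray_result,
            "telnet": telnet, "drops": [reason for reason, _ in fw.drops]}


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name}: {value}")
```

With a fixed `random.Random` seed the run is reproducible, which is convenient for tests; in any real use the sequence number source must be unpredictable, which is why the class defaults to `random.SystemRandom`.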