
AX Stateful Firewalling

Hello,
I have a question about Firewalling on the AX5100

If a packet is received on the inside interface of the AX5100s, with only the TCP flag set, and there is no related session,
will a session be created for this packet, or will it be dropped?

I can see the following from one of the AX manuals:

AX_CLI_Ref_266GR1-2013 05 08.pdf

{ip | ipv6} stateful-firewall
Description:    Enable stateful-firewall support on a data interface.
Syntax:         [no] {ip | ipv6} stateful-firewall {inside | outside [access-list num]}
Parameters:
  ip | ipv6         IP version.
  inside | outside  Traffic direction.
  access-list id    ACL ID.
Default:        Not set
Introduced in:  Release 2.6.6-P4

which suggests that a stateful firewalling feature was introduced in 2.6.6.
Since we are running 2.6.4, I am assuming we do not have a stateful firewall and therefore the AX5100
would create a session for the ACK packet and forward it normally.

Comments

tmitsuhata Member, Administrator admin
edited November 2014
Hi metnet,

Basically, the stateful-firewall is implemented to protect the internal (inside) user who is using a public IP address. So, if you have any internal user using a public IP on the AX5100 running 2.6.4, the user would receive the ACK packet from outside since the AX performs normal L3 forwarding.
If you're talking about a normal CGNAT user, the ACK packet (from the outside) should be dropped if there is no related session on the AX. Also, in case the ACK is coming from the inside CGNAT user as a first packet, it will most likely be dropped since the session table entry would be created by the SYN packet.
Hope it helps.
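The two behaviours described in the answer, as an added toy model written for this page (not A10's code and not the AX's actual session logic): in plain L3 mode every packet is forwarded, while in the session-based mode an inside SYN creates a session and anything with no related session, including a bare ACK from either side, is dropped. Addresses and ports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # e.g. frozenset({"SYN"}) or frozenset({"ACK"})
    direction: str        # "inside" (from the inside interface) or "outside"

class AxModel:
    """Hypothetical model: 'l3' = normal L3 forwarding, no session check;
    'stateful' = a session is required and only an inside SYN creates one."""
    def __init__(self, mode):
        assert mode in ("l3", "stateful")
        self.mode = mode
        self.sessions = set()   # keys: (inside_ip, inside_port, outside_ip, outside_port)

    def _key(self, p):
        if p.direction == "inside":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)   # reply from outside, reversed tuple

    def handle(self, p):
        """Return 'forward' or 'drop' for one packet."""
        if self.mode == "l3":
            return "forward"                      # plain routing, no state consulted
        key = self._key(p)
        if key in self.sessions:
            return "forward"                      # belongs to an existing session
        if p.direction == "inside" and p.flags == frozenset({"SYN"}):
            self.sessions.add(key)                # inside SYN opens the session
            return "forward"
        return "drop"                             # no related session: dropped

def scenario(mode):
    """Run the four cases from the thread and return the verdict for each."""
    ax = AxModel(mode)
    unsolicited_ack_from_outside = Packet("203.0.113.9", 443, "198.51.100.5", 40000, frozenset({"ACK"}), "outside")
    bare_ack_from_inside = Packet("198.51.100.5", 40001, "203.0.113.9", 443, frozenset({"ACK"}), "inside")
    syn_from_inside = Packet("198.51.100.5", 40002, "203.0.113.9", 443, frozenset({"SYN"}), "inside")
    synack_reply = Packet("203.0.113.9", 443, "198.51.100.5", 40002, frozenset({"SYN", "ACK"}), "outside")
    return [ax.handle(p) for p in (unsolicited_ack_from_outside, bare_ack_from_inside,
                                   syn_from_inside, synack_reply)]
```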