When using a stateful firewall, which information is stored in the stateful session flow table?
A.
the outbound and inbound access rules (ACL entries)
B.
the source and destination IP addresses, port numbers, TCP sequencing information, and
additional flags for each TCP or UDP connection associated with a particular session
C.
all TCP and UDP header information only
D.
all TCP SYN packets and the associated return ACK packets only
E.
the inside private IP address and the translated inside global IP address
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intro.html
Stateful Inspection Overview
All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either
allowed through or dropped. A simple packet filter can check for the correct source address,
destination address, and ports, but it does not check that the packet sequence or flags are correct. A
filter also checks every packet against the filter, which can be a slow process.
A stateful firewall like the ASA, however, takes into consideration the state of a packet:
• Is this a new connection?
If it is a new connection, the ASA has to check the packet against access lists and perform other tasks
to determine if the packet is allowed or denied. To perform this check, the first packet of the session
goes through the “session management path,” and depending on the type of traffic, it might also
pass through the “control plane path.”
The session management path is responsible for the following tasks:
–Performing the access list checks
–Performing route lookups
–Allocating NAT translations (xlates)
–Establishing sessions in the “fast path”
The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates
connection state information for connectionless protocols like UDP, ICMP (when you enable ICMP
inspection), so that they can also use the fast path.
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are
passed on to the control plane path. Layer 7 inspection engines are required for protocols that have
two or more channels:
A data channel, which uses well-known port numbers, and a control channel, which uses different
port numbers for each session. These protocols include FTP, H.323, and SNMP.
• Is this an established connection?
If the connection is already established, the ASA does not need to re-check packets; most matching
packets can go through the “fast” path in both directions. The fast path is responsible for the
following tasks:
–IP checksum verification
–Session lookup
–TCP sequence number check
–NAT translations based on existing sessions
–Layer 3 and Layer 4 header adjustments
Data packets for protocols that require Layer 7 inspection can also go through the fast path.
Some established session packets must continue to go through the session management path or the
control plane path. Packets that go through the session management path include HTTP packets that
require inspection or content filtering. Packets that go through the control plane path include the
control packets for protocols that require Layer 7 inspection.