Validation Testing Matters

A couple of weeks ago, a CLN Member Posted a question with the heading Does ASA drop active session.

The specific question was as follows–

I have a time based ACL configured on a Cisco ASA. I need to know if the active sessions are dropped by the ASA when the time limit is over.

For example, users are allowed to connect between 12 and 1 PM. If there are any active connections just before 1 PM then will they be dropped at 1 PM?

Many network and security administrators would blindly assume that a time-based ACL would block or allow traffic based on the time-range attached to the individual ACE. Having quite a lot of experience with the ASA, I was skeptical and assumed that any ongoing connections would continue to allow the flow of traffic. I decided to do a little testing and here is what I found.

  1. Viewing the ACL, the time based ACE (line in the ACL) switched from active to inactive about 60-70 seconds after I expected it to
  2. When testing with sessionized ICMP (fixup protocol icmp–to enable ICMP inspection), ICMP Echoes were blocked as soon as the ACE switched to inactive
  3. Testing with TCP, a connection through the ASA would continue to permit traffic flow even after the ACE switched to inactive

I had expected an established TCP connection to continue to allow traffic. Unlike a router, the ASA only evaluates the ACL when an connection is being established. What really surprised me was that the ICMP behaved differently.

After seeing the behavior with ICMP, I had initially changed my assumption with TCP and expected it to behave in a similar way. To fully appreciate the differences with sessionized ICMP, I need to do a little more testing. My thought now is that an ICMP connection is initiated by an “ECHO Request” and immediately terminated with the associated “ECHO Reply”. In other words, Host A pinging Host B may actually be 5 connections from an ASA perspective.

Conclusion

The reason I bring this scenario up is that it illustrates the need to test things that we regard as important. If an organization has no critical use case around time-based ACL’s on the ASA, there might be no reason to get this deep into the operation. If there is a critical need to tear down an active TCP connection at a given point in time, verifying that the control works is important. It’s not a safe assumption to believe a tool works as expected or even as advertised. Validation testing is very important when a given function is critical to the operation of our network or business.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.

No related content found.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To. Bookmark the permalink.