Cisco ASA 5500 disable connection tracking

ciscocisco-asafirewall

I have cisco ASA 5500 firewall and curious can i disable connection tracking for specific rules or protocol.

In short i want to disable connection tracking for UDP traffic. because UDP is connection less, it doesn't have any state like NEW, ESTABLISHED etc.. what is the purpose of tracking them. I want to exclude them from my ASA rules.

UPDATE

I have quick check in ASA and following traffic we are inspecting. if there is no UDP/SIP there then who is filling connection table?

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp

Here is the connection table output, I can see UDP traffic and my SIP port 6050. How can i tell don't track UDP connection?

fw1/act# show conn
366629 in use, 650039 most used
UDP outside 188.16.1.180:48145 inside 63.91.252.112:6065, idle 0:00:00, bytes 784, flags -
UDP outside 93.170.181.204:11862 inside 63.91.252.112:6065, idle 0:00:00, bytes 796, flags -
UDP outside 194.44.127.194:49526 inside 63.91.252.112:6065, idle 0:00:00, bytes 1226, flags -
UDP outside 5.166.44.120:46668 inside 63.91.252.112:6065, idle 0:00:00, bytes 814, flags -

Best Answer

By default, the ASA inspects SIP and many other protocols as you can see listed below.

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp

To remove unwanted inspection, go into the policy-map and remove the inspect command.

policy-map global_policy
 class inspection_default
  no inspect sip

Please be aware that this will kill the existing connections so this should be done off hours or during a maintenance window.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Cisco PIX – How to Increase SIP Timeout for REGISTER Transaction Type

After further research, looks like this is Cisco bug CSCei29494 though I see no fixed release. An ASA 5515-X running 9.1(2) shows the same 0:03:00 timeout, also apparently not configurable, though it doesn't have the same trouble with calls (e.g. INVITEs) when the REGISTER session expired and got deleted by the ASA.

Initial REGISTER shows "expires" found and set to 300 seconds, but PIX is setting to 180 (0:03:00).

SIP::Found CSeq 21141 REGISTER
...
SIP::Found Expires, 300 seconds

ASA looks to allow INVITE and RTP without a REGISTER session as shown by these sip debug entries:

SIP::Not updating database for Contact x.17.30.16/60422, registry database total 0
SIP::Non-session level connection addr x.17.30.16, media port 4000
Created SIP session for inside:x.17.30.16/55816 to outside:y.241.2.206/5060, 1 total
SIP::Adding early RTP conn y.241.2.206/* to x.17.30.16/4000