CISCO ASA - Interview Questions
How Do ASAs Use Stateful Inspection?
When internal users make requests to the internet, an ASA saves session information so that when a valid response comes back, it can recognize and permit that traffic through. Stateful inspection is the mechanism that allows the ASA to do so.
 
Imagine a user on our internal network named Bob. Bob wants to go out to the internet, so he makes his request.
 
The traffic from that request goes out to the internet. Clearly, if the ASA stopped all traffic from making it back into the network, it wouldn't be much more useful than never being plugged into the internet in the first place.

When Bob goes out to the internet, he's not just sending requests with no expectation of a response. For his internet connection to be useful, he needs a reply: Bob is expecting a response back from an external server.
 
Remember, by default an ASA denies any connection initiated from a lower-security interface (outside, security level 0) toward a higher-security interface (inside, security level 100). So if the firewall didn't allow the reply to Bob's request to come back in, no Internet. But when Bob's request leaves the network, the firewall does something clever: in the background, it looks at Bob's session and remembers things.
 
It remembers the source IP address, destination IP address, Layer 4 protocol, and the source and destination ports involved (and for TCP, the connection state and sequence numbers as well). It puts all of that into a stateful session table, the connection table. When the reply comes back, the firewall checks it against that table: the reply's source and destination are the mirror image of Bob's outbound packet, so it matches exactly what Bob is expecting. The firewall dynamically makes an exception and lets that return traffic come back in, without anyone having to write an access-list entry for it.
 
With stateful inspection, you can have thousands of users all going out to the internet dynamically and allow all the return traffic, while simultaneously stopping any traffic that's initiated from the outside unless an access list explicitly permits it. The exception is also temporary: the entry is removed when the connection closes (FIN or RST) or after its idle timeout, so a packet that merely looks like a reply but matches no live entry is still dropped.
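The behaviour described above, as an added example written for this page (not Cisco code and not the ASA's implementation): a small connection-tracking engine that records the 5-tuple of an outbound connection, permits inbound packets only when they match the reversed tuple of a live entry, and applies the higher-to-lower security-level rule for new connections. Interface names, security levels, the addresses and the 3600-second idle timeout are assumptions, and the packet scenario is constructed; a real ASA additionally validates TCP sequence numbers, randomises initial sequence numbers and uses per-protocol timeouts.

```python
"""Toy stateful-inspection engine (added example, not Cisco's code).

Models only what the text describes: a session table keyed on the
5-tuple, replies matched on the reversed tuple, new connections allowed
only from a higher security level to a lower one, entries dropped on RST
or idle timeout.  Interface names, levels and addresses are assumed.
"""
from dataclasses import dataclass
import time

INSIDE, OUTSIDE = "inside", "outside"
SECURITY_LEVEL = {INSIDE: 100, OUTSIDE: 0}   # assumed: ASA-style levels
PEER = {INSIDE: OUTSIDE, OUTSIDE: INSIDE}


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}

    def key(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self):
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulFirewall:
    def __init__(self, idle_timeout=3600.0, clock=time.monotonic):
        self.conns = {}                 # 5-tuple -> last-seen time: the session table
        self.idle_timeout = idle_timeout
        self.clock = clock

    def _expire(self, now):
        stale = [k for k, seen in self.conns.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.conns[k]

    def _touch(self, key, pkt, now):
        # Refresh the entry; an RST tears the connection down immediately.
        if pkt.proto == "tcp" and "RST" in pkt.flags:
            del self.conns[key]
        else:
            self.conns[key] = now

    def process(self, pkt):
        """Return "PERMIT" or "DENY" for one packet and update the table."""
        now = self.clock()
        self._expire(now)
        # 1. Reply to a recorded connection? Match on the reversed 5-tuple.
        if pkt.reverse_key() in self.conns:
            self._touch(pkt.reverse_key(), pkt, now)
            return "PERMIT"
        # 2. More packets in the original direction of a recorded connection.
        if pkt.key() in self.conns:
            self._touch(pkt.key(), pkt, now)
            return "PERMIT"
        # 3. Nothing in the table: a new connection. Permit only from the higher
        #    security level to the lower one, and for TCP only a bare SYN, so a
        #    forged ACK from outside does not get a free pass.
        if SECURITY_LEVEL[pkt.iface] <= SECURITY_LEVEL[PEER[pkt.iface]]:
            return "DENY"
        if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
            return "DENY"
        self.conns[pkt.key()] = now
        return "PERMIT"


def demo():
    """Bob's HTTPS session plus three unsolicited inbound packets (constructed)."""
    t = [0.0]                                  # fake clock for a deterministic run
    fw = StatefulFirewall(idle_timeout=3600.0, clock=lambda: t[0])
    bob, server, attacker = "10.0.0.5", "93.184.216.34", "203.0.113.9"

    def out(flags, sport=51000):
        return Packet(INSIDE, "tcp", bob, sport, server, 443, frozenset(flags))

    def back(flags, dport=51000, src=server, sport=443):
        return Packet(OUTSIDE, "tcp", src, sport, bob, dport, frozenset(flags))

    decisions = [
        fw.process(out({"SYN"})),                # Bob opens the connection
        fw.process(back({"SYN", "ACK"})),        # reply matches the reversed tuple
        fw.process(out({"ACK"})),                # handshake completes
        fw.process(back({"SYN"}, dport=22, src=attacker, sport=40000)),  # unsolicited
        fw.process(back({"ACK"}, dport=51001)),  # "reply" to a port Bob never used
    ]
    t[0] += 7200.0                               # idle longer than the timeout
    decisions.append(fw.process(back({"ACK"})))  # late data for the expired session
    return {"decisions": decisions, "open_connections": len(fw.conns)}


if __name__ == "__main__":
    print(demo())
```

The fifth packet is the one worth noticing: a stateless "established" ACL that matches on the ACK bit would let it through, whereas the connection table rejects it because no entry mirrors it. Running the file prints the six decisions (three permits, then three denies) and shows the table empty once the session has idled out.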