Post subject: ASA TCP State Bypass asymmetric routing issue
PostPosted: Fri Oct 17, 2014 2:43 pm 
Joined: Sat Dec 07, 2013 4:47 pm
Posts: 4
I need to do a proof of concept before taking this to the production ASAs. The basic scenario is a large network with 2 ISPs and 2 ASAs. The network is logically divided in half, with about 300 users going in and out through one ASA and about 400 users going through the other. The issue is that when a user comes in from the outside via ASA1 and hits a web-based app on a server that, by its design, exits via ASA2, the packets are dropped because there is no matching SYN.

According to Cisco, this is the time to use TCP State Bypass, so the packet hits ASA2 and the ASA ignores the TCP state and passes the traffic. OK, I get it.

I built this lab in GNS3, and since I had difficulty keeping two ASAs running in the lab, I replaced one with a router. TCP State Bypass has been enabled on ASA1.
[Image]

When I do a show conn I get the proper "b" flag, which says the connection has been bypassed:
ciscoasa# sh conn
2 in use, 5 most used
TCP OUTSIDE 10.10.20.15:1113 INSIDE 192.168.135.15:80, idle 0:23:38, bytes 564, flags b
ciscoasa#
In the log files I get this:
%ASA-session-7-609001: Built local-host OUTSIDE:10.10.20.15
%ASA-session-6-302303: Built TCP state-bypass connection 49 from OUTSIDE:10.10.20.15/1113 (10.10.20.15/1113) to INSIDE:192.168.135.15/80 (206.107.121.3/80)
%ASA-session-6-106015: Deny TCP (no connection) from 192.168.135.15/80 to 10.10.20.15/1114 flags SYN ACK on interface INSIDE

Relevant config on ASA:
hostname ciscoasa
!
interface GigabitEthernet0
nameif INSIDE
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1
nameif OUTSIDE
security-level 0
ip address 206.107.121.2 255.255.255.0
!
ftp mode passive
object network webserver
host 192.168.135.15
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp destination eq www
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 any object webserver log disable
access-list INSIDE_access_in extended permit object-group DM_INLINE_SERVICE_2 object webserver any log debugging
!
tcp-map tcp-bypass
!
object network webserver
nat (any,any) static 206.107.121.3
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group INSIDE_access_in in interface INSIDE
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 w.x.y.z 1
route INSIDE 192.168.135.0 255.255.255.0 192.168.1.1 1
http server enable
http 192.168.135.0 255.255.255.0 INSIDE
!
class-map inspection_default
match default-inspection-traffic
class-map global-class-tcpstate
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class global-class-tcpstate
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global

I think I am missing something obvious, but I just can't see it.
Any help is appreciated.




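Editor's note, added example (not part of the original post and not a fix the poster confirmed): the configuration above applies tcp-state-bypass to a class that matches any traffic in the global policy, which switches off TCP state checking, TCP normalization and sequence-number randomization for every flow through the firewall. The fragment below is the scoped form Cisco documents for this use case: bypass only the flows to and from the asymmetrically routed server, and leave everything else stateful. The ACL, class-map and policy-map names (tcp_bypass, tcp_bypass_policy) are assumed; the server address, interface names and ports are taken from the config in the post.

```cisco
! Added example: TCP state bypass scoped to the asymmetrically routed web server.
! MPF access-list matching uses real (untranslated) addresses, so the server is
! referenced by its inside address 192.168.135.15, not the static NAT address.
! Both directions are listed because the first packet the ASA sees for a flow may
! be the server's SYN/ACK arriving on INSIDE (the 106015 case in the log above).
access-list tcp_bypass extended permit tcp any host 192.168.135.15 eq www
access-list tcp_bypass extended permit tcp any host 192.168.135.15 eq https
access-list tcp_bypass extended permit tcp host 192.168.135.15 eq www any
access-list tcp_bypass extended permit tcp host 192.168.135.15 eq https any
!
class-map tcp_bypass
 description TCP traffic that bypasses stateful inspection (asymmetric return path)
 match access-list tcp_bypass
!
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the unmatched packets arrive. An interface policy
! and the global policy are both evaluated; the interface policy wins for the
! same feature, so the global match-any bypass class can then be removed.
service-policy tcp_bypass_policy interface INSIDE
!
! Verification: bypass connections are flagged with a lowercase "b".
show conn detail | include flags b
```

Two caveats from Cisco's TCP state bypass documentation that apply directly to this topology: the translation for a bypassed flow is built independently on each ASA, so the server needs the same static NAT on both firewalls (the existing "object network webserver / nat (any,any) static 206.107.121.3" is static; a dynamic or interface PAT would pick different addresses on ASA1 and ASA2), and application inspection, TCP Intercept and embryonic-connection limits are not applied to bypassed flows, which is why the class should be as narrow as the asymmetric traffic allows. Note also what the posted log shows: the bypass connection was built for client port 1113, while the SYN/ACK denied on INSIDE belongs to a different flow (client port 1114) for which no bypass connection was ever built, so the class did not apply to that packet; checking which policy actually processed it ("show service-policy" and "show conn detail" for the server address) is the first step before changing the design.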
 
Powered by phpBB® Forum Software © phpBB Group