Post subject: ASA TCP State bypass Asymmetric routing issue
PostPosted: Fri Oct 17, 2014 2:43 pm 

I need to do a proof of concept before taking this to the production ASAs. The basic scenario is a large network with 2 ISPs and 2 ASAs. The network is logically divided in half, with about 300 users going in and out one ASA and about 400 users going through the other. The issue is when a user comes from the outside via ASA1 and hits a web-based app on a server that by its design is exiting via ASA2: the packets are dropped because there is no matching SYN.

According to Cisco this is the time to use TCP State bypass, so the packet hits ASA2 and the ASA ignores the TCP state and passes the traffic. Ok, I get it.

I built this lab in GNS3, and since I had difficulty keeping two ASAs running in the lab I replaced one with a router. TCP state bypass has been enabled on ASA1.

When I do a show conn I get the proper b flag, which says the connection has been bypassed:
ciscoasa# sh conn
2 in use, 5 most used
TCP OUTSIDE INSIDE, idle 0:23:38, bytes 564, flags b
In the log files I get this:
%ASA-session-7-609001: Built local-host OUTSIDE:
%ASA-session-6-302303: Built TCP state-bypass connection 49 from OUTSIDE: ( to INSIDE: ( /80)
%ASA-session-6-106015: Deny TCP (no connection) from to flags SYN ACK on interface INSIDE

Relevant config on ASA:
hostname ciscoasa
interface GigabitEthernet0
nameif INSIDE
security-level 100
ip address
interface GigabitEthernet1
nameif OUTSIDE
security-level 0
ip address
ftp mode passive
object network webserver
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp destination eq www
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 any object webserver log disable
access-list INSIDE_access_in extended permit object-group DM_INLINE_SERVICE_2 object webserver any log debugging
tcp-map tcp-bypass
object network webserver
nat (any,any) static
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group INSIDE_access_in in interface INSIDE
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE w.x.y.z 1
route INSIDE 1
http server enable
class-map inspection_default
match default-inspection-traffic
class-map global-class-tcpstate
match any
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class global-class-tcpstate
set connection advanced-options tcp-state-bypass
service-policy global_policy global

I think I am missing something obvious but I just can't see it.
Any help is appreciated.
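One point worth flagging for anyone reusing the configuration above in production: the class `global-class-tcpstate` uses `match any` inside `global_policy`, so TCP state bypass is applied to every TCP flow on every interface, not just the asymmetric web-server flows. For bypassed flows the ASA no longer enforces the TCP state machine, TCP normalization, TCP Intercept/SYN-cookie protection, or application inspection, so the blast radius of `match any` is the whole firewall. The fragment below is an added example, not configuration from the original post: it scopes the bypass to the web server's flows with an ACL-matched class instead of `match any`. The ACL and class names and the server address 192.0.2.10 are constructed placeholders; substitute the real web-server address and remove or leave unmatched the `match any` class so it no longer catches everything.

```cisco
access-list TCP_BYPASS extended permit tcp any host 192.0.2.10 eq www
access-list TCP_BYPASS extended permit tcp host 192.0.2.10 eq www any
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
!
policy-map global_policy
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
```

The ACL carries one entry per direction because a bypass connection is built from whichever packet of the flow the ASA sees first, which in the asymmetric case may be the server's SYN-ACK arriving on INSIDE rather than the client's SYN arriving on OUTSIDE. After applying it, `show service-policy` confirms the class is attached and counting hits, `show conn address 192.0.2.10` should list the server's flows with the lowercase `b` flag, and `show asp drop` reveals whether any remaining drops are still being counted as TCP state violations or as something else entirely, such as an ACL or NAT mismatch, which the bypass would not fix.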
