ASA TCP State bypass Asymmetric routing issue

Author:  unclejoe [ Fri Oct 17, 2014 2:43 pm ]
Post subject:  ASA TCP State bypass Asymmetric routing issue

I need to do a proof of concept before taking this to the production ASAs. The basic scenario is a large network with 2 ISPs and 2 ASAs. The network is logically divided in half, with about 300 users going in and out of one ASA and about 400 users going through the other. The issue is that when a user comes from the outside via ASA1 and hits a web-based app on a server that by its design is exiting via ASA2, the packets are dropped because there is no matching SYN.

According to Cisco this is the time to use TCP State bypass, so the packet hits ASA2 and the ASA ignores the TCP state and passes the traffic. Ok, I get it.

I built this lab in GNS3 and, since I had difficulty keeping two ASAs running in the lab, I replaced one with a router. TCP state bypass has been enabled on ASA1.

When I do a show conn I get the proper B flag, which says the connection has been bypassed:
ciscoasa# sh conn
2 in use, 5 most used
TCP OUTSIDE INSIDE, idle 0:23:38, bytes 564, flags b
In the log files I get this:
%ASA-session-7-609001: Built local-host OUTSIDE:
%ASA-session-6-302303: Built TCP state-bypass connection 49 from OUTSIDE: ( to INSIDE: ( /80)
%ASA-session-6-106015: Deny TCP (no connection) from to flags SYN ACK on interface INSIDE

Relevant config on ASA:
hostname ciscoasa
interface GigabitEthernet0
nameif INSIDE
security-level 100
ip address
interface GigabitEthernet1
nameif OUTSIDE
security-level 0
ip address
ftp mode passive
object network webserver
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp destination eq www
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 any object webserver log disable
access-list INSIDE_access_in extended permit object-group DM_INLINE_SERVICE_2 object webserver any log debugging
tcp-map tcp-bypass
object network webserver
nat (any,any) static
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group INSIDE_access_in in interface INSIDE
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE w.x.y.z 1
route INSIDE 1
http server enable
class-map inspection_default
match default-inspection-traffic
class-map global-class-tcpstate
match any
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class global-class-tcpstate
set connection advanced-options tcp-state-bypass
service-policy global_policy global

I think I am missing something obvious but I just can't see it.
Any help is appreciated.
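Added example, not part of the original post: a small Python correlator for the two ASA syslog IDs quoted above (302303 "Built TCP state-bypass connection" and 106015 "Deny TCP (no connection)") that reports, for each deny, whether a bypass connection was ever built for that flow in either direction. The sample log lines are constructed with documentation addresses (RFC 5737), since the post's own lines have the addresses stripped; the message formats follow Cisco's documented syslog layouts.

```python
import re

# Regexes for the two ASA message IDs quoted in the post. The "%ASA-session-6-"
# prefix form seen in the post and the plain "%ASA-6-" form are both accepted.
BUILT_RE = re.compile(
    r"%ASA-(?:session-)?\d-302303: Built TCP state-bypass connection (?P<id>\d+) "
    r"from (?P<iif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<oif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)
DENY_RE = re.compile(
    r"%ASA-(?:session-)?\d-106015: Deny TCP \(no connection\) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\w+)"
)

# Constructed sample log (not the poster's real data). Line 2 is a SYN/ACK for a
# flow whose bypass connection was built; line 3 is a SYN/ACK for a flow the ASA
# never saw a SYN for (the classic asymmetric-routing drop).
SAMPLE_LOG = [
    "%ASA-session-6-302303: Built TCP state-bypass connection 49 "
    "from OUTSIDE:203.0.113.10/51234 (203.0.113.10/51234) "
    "to INSIDE:192.0.2.80/80 (192.0.2.80/80)",
    "%ASA-session-6-106015: Deny TCP (no connection) from 192.0.2.80/80 "
    "to 203.0.113.10/51234 flags SYN ACK on interface INSIDE",
    "%ASA-session-6-106015: Deny TCP (no connection) from 192.0.2.80/80 "
    "to 203.0.113.99/40000 flags SYN ACK on interface INSIDE",
]


def correlate_denies(lines):
    """Pair every 106015 deny with the 302303 bypass connection id built for the
    same 5-tuple, looked up in both directions (a SYN/ACK from the server is the
    reverse of the connection the ASA built). bypass_conn is None when no bypass
    connection exists for that flow at all, which points at the return path
    never being classified by the tcp-state-bypass class on this box."""
    conns = {}
    results = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            fwd = (m["src"], m["sport"], m["dst"], m["dport"])
            conns[fwd] = conns[fwd[2:] + fwd[:2]] = m["id"]
            continue
        d = DENY_RE.search(line)
        if d:
            key = (d["src"], d["sport"], d["dst"], d["dport"])
            results.append({"flow": key, "iface": d["iface"],
                            "flags": d["flags"], "bypass_conn": conns.get(key)})
    return results


if __name__ == "__main__":
    for r in correlate_denies(SAMPLE_LOG):
        print(r)
```

A deny that still has a matching bypass_conn (like the post's own log pair) means the connection exists but the packet on the wire did not match it, so compare the real and mapped addresses in the 302303 line against the addresses in the 106015 line.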
