Question behavior ASA

Answered Question
Aug 7th, 2009

Hello all,


I have a question from a test environment. I mounted the topology shown in the attached file and, after inserting the wing route to 172.16.2.0/24 via 192.168.0.10, the ping command works, but any connection-oriented protocol does not. Monitoring with the debug command, I noticed that the packet leaves the station with IP address 192.168.1.3 for the IP address 172.16.2.2 successfully; the packet with the SYN flag arrives, and when the 172.16.2.2 server responds with the ACK flag it returns without problems. But when the station with IP address 192.168.1.3 returns the packet with the SYN/ACK flag, the Cisco ASA receives the packet, and as the ACK is not returned by the ASA, the ASA seems to lose the packet, execute a teardown, and the connection is not completed. I believe this is because the Cisco ASA may understand this behavior as a man-in-the-middle attack. Is there a way to disable that check in the Cisco ASA? I ask for the sake of knowledge, because this scenario will not be used.


Regards.




Kevin Redmon (Cisco Employee) Fri, 08/07/2009 - 20:28

The ASA firewall is a stateful firewall and therefore needs to see every packet of a connection. The connection entry on the ASA is populated upon receipt of the SYN packet. On the ASAs, this is likely going to be seen as a 'Deny TCP (no connection)' syslog message.


In ASA version 8.2, the TCP State Bypass feature was implemented. This feature removes all security checks for the traffic, performing very similarly to an access-list entry on a router.
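
Kevin's point is that a permit ACL does not switch off the state check: only a SYN can open a connection entry, and a SYN-ACK arriving without one is dropped and logged as 'Deny TCP (no connection)'. The Python model below is added here for illustration (it is not ASA code and was not posted by anyone in this thread). It replays the classic asymmetric-routing case, where the ASA sees only the server's return path, first with the normal state check and then with a tcp-state-bypass class, and shows the resulting log line. The hosts and networks are the ones from the thread; the port numbers, the bidirectional ACL match, and the %ASA-6-106015 message ID (from Cisco's syslog catalogue, not quoted in the thread) are assumptions of the model.

```python
"""Toy model of the ASA behaviour Kevin describes: a stateful TCP check that
only creates a connection entry on a SYN, and a tcp-state-bypass class that
skips that check for ACL-matched traffic.

Added illustration for this thread; it is not ASA code. Addresses come from
the thread (192.168.1.3 client, 172.16.2.2 server, 192.168.0.0/16 and
172.16.2.0/24 in the bypass ACL); port numbers are constructed. Matching the
bypass ACL in both directions is an assumption of this model.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    iface: str = "inside"

    def flag_names(self) -> str:
        names = [n for n, bit in (("SYN", SYN), ("ACK", ACK), ("PSH", PSH)) if self.flags & bit]
        return " ".join(names)


@dataclass(frozen=True)
class BypassAcl:
    """One 'permit ip <src_net> <dst_net>' line of a tcp_bypass access-list."""
    src_net: str
    dst_net: str

    def matches(self, pkt: Packet) -> bool:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        a, b = ip_network(self.src_net), ip_network(self.dst_net)
        # Assumption of this model: the class-map ACL matches either direction of the flow.
        return (src in a and dst in b) or (src in b and dst in a)


@dataclass
class StatefulAsa:
    bypass: list[BypassAcl] = field(default_factory=list)
    conns: set[frozenset] = field(default_factory=set)
    syslog: list[str] = field(default_factory=list)

    @staticmethod
    def _key(pkt: Packet) -> frozenset:
        # Direction-agnostic 4-tuple, so the server's reply finds the client's entry.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def forward(self, pkt: Packet) -> bool:
        """Return True if the ASA forwards the packet, False if it drops it."""
        if any(acl.matches(pkt) for acl in self.bypass):
            return True  # tcp-state-bypass: no SYN requirement, no state tracking
        key = self._key(pkt)
        if key in self.conns:
            return True  # packet belongs to an existing connection entry
        if pkt.flags == SYN:
            self.conns.add(key)  # the SYN is the only packet that may open an entry
            return True
        # Any other first packet: no connection exists, so it is dropped and logged.
        # Message shaped after the real %ASA-6-106015 text (assumed here); the
        # thread quotes only its 'Deny TCP (no connection)' wording.
        self.syslog.append(
            f"%ASA-6-106015: Deny TCP (no connection) from {pkt.src}/{pkt.sport} "
            f"to {pkt.dst}/{pkt.dport} flags {pkt.flag_names()} on interface {pkt.iface}"
        )
        return False


CLIENT, SERVER = "192.168.1.3", "172.16.2.2"  # hosts from the thread
CPORT, SPORT = 40000, 80                     # constructed ports


def asymmetric_flow(bypass_enabled: bool) -> tuple[list[bool], list[str]]:
    """Return-path-only view: the client's SYN takes the other route, so the ASA
    first sees the server's SYN-ACK and then a data segment from the server."""
    acls = [BypassAcl("192.168.0.0/16", "172.16.2.0/24")] if bypass_enabled else []
    asa = StatefulAsa(bypass=acls)
    seen = [
        Packet(SERVER, SPORT, CLIENT, CPORT, SYN | ACK),
        Packet(SERVER, SPORT, CLIENT, CPORT, PSH | ACK),
    ]
    return [asa.forward(p) for p in seen], asa.syslog


def symmetric_flow() -> list[bool]:
    """Both directions cross the ASA, so the SYN opens the entry first."""
    asa = StatefulAsa()
    handshake = [
        Packet(CLIENT, CPORT, SERVER, SPORT, SYN),
        Packet(SERVER, SPORT, CLIENT, CPORT, SYN | ACK, iface="outside"),
        Packet(CLIENT, CPORT, SERVER, SPORT, ACK),
    ]
    return [asa.forward(p) for p in handshake]


if __name__ == "__main__":
    print("symmetric:", symmetric_flow())
    print("asymmetric, no bypass:", asymmetric_flow(False))
    print("asymmetric, bypass:", asymmetric_flow(True))
```

Running it shows the trade-off directly: without bypass the asymmetric flow produces two 'Deny TCP (no connection)' lines and no forwarded packets; with bypass everything is forwarded but no connection entry is ever created, so none of the state-based checks apply to that traffic. That is why the bypass class should be scoped as narrowly as the ACL in this thread (two specific networks) rather than 'any any'.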

r-barbosa Mon, 08/10/2009 - 04:40

Hi kredmon, thanks for responding.


You said that the bypass feature was implemented in version 8.2, but I'm using version 8.4, and there is an ACL on the inside with "permit ip any any". Shouldn't that by itself be enough?


Thank you.

Correct Answer
Kevin Redmon (Cisco Employee) Mon, 08/10/2009 - 04:54

8.4 is not a valid ASA version. You may be running 8.0(4). The TCP State Bypass feature is available in 8.2(1) or later.


'permit ip any any' simply states that all UDP and TCP connections are permitted. However, the ASA will still inspect both connections for state and other security checks. In the case of TCP, the first packet MUST be a SYN. Otherwise, without the SYN, we should never see a SYN-ACK. A syslog message, 'Deny TCP (no connection)', would result if we saw the SYN-ACK without the SYN packet.


Best Regards,

Kevin

r-barbosa Mon, 08/10/2009 - 08:02

Hi kevin,


Even defining the "permit ip any any", as you said, will disable the stateful firewall. How do I turn off the stateful firewall or enable the bypass?


Regards

r-barbosa Mon, 08/10/2009 - 10:34

Hi kevin


I executed the following commands and it works. Thanks Kevin.


!----------------------------------
access-list tcp_bypass extended permit ip 192.168.0.0 255.255.0.0 172.16.2.0 255.255.255.0
!
class-map tcp_bypass
 match access-list tcp_bypass
!
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy tcp_bypass_policy interface inside
!-----------------------------


Regards.

Kevin Redmon (Cisco Employee) Thu, 08/13/2009 - 18:47

You may also be facing a translation issue. Please be sure that you have translations defined for the traffic, for instance a 'nat (inside) 0' with an access-list defining the traffic from 192.168.0.0/16 to 172.16.2.0/24. You will also need 'same-security-traffic permit intra-interface'.


http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814


If you still experience issues, please gather the debug level syslogs ('logging buffered debug').
