Reg. bypassing state in ASA

ankurs2008
Level 1

Hi halijenn / pkampana / all

We have ASA 8.0(5). The issue is that there is a web filtering appliance on the inside interface (sec-level 100), IP 172.16.10.24, and the user is on the DMZ interface (sec-level 50), IP 172.16.14.6. The appliance has a monitor NIC, with a SPAN on the switch to monitor web traffic requests passing through the network. When it sees a request that it deems as "blocked", it sends an HTTP 302 redirect packet to the client/requesting IP address, with the spoofed source address of the blocked resource, which redirects them to a "blocked" page on the appliance. E.g. client 172.16.14.6 requests yahoo.com (say this is IP 3.3.3.3); the web filtering device sees that yahoo.com is blocked, and sends an HTTP 302 redirect packet with source 3.3.3.3 (spoofed IP) to 172.16.14.6, rather than with its own IP as the source.

The problem is that the firewall OBVIOUSLY will not let this traffic pass; reverse path forwarding and stateful connection tracking will see that there is no TCP connection between 3.3.3.3 on the inside interface (where the appliance is) and where the user sits (DMZ interface), and thus drop the traffic.

Below are examples from the logs when performing tests:

Jun 04 2010 18:26:21 ASA1 : %ASA-6-106015: Deny TCP (no connection) from 63.216.54.114/80 to 172.16.14.6/1047 flags FIN PSH ACK  on interface inside

Jun 04 2010 18:26:21 ASA1 : %ASA-6-106015: Deny TCP (no connection) from 172.16.14.6/1047 to 63.216.54.114/80 flags RST ACK  on interface inside

Please let me know if we can achieve this. According to me, we can accomplish this by first disabling "ip verify reverse path" on the interface; we also need to do a stateful bypass. However, as the ASA version is 8.0(5), we cannot do this via MPF. Hence please let me know if the below is the correct method.

Current static NAT is as follows for DMZ users to speak to inside IPs:

static (inside,DMZ) 172.16.10.0 172.16.10.0 netmask 255.255.255.0

Modified static NAT if we bypass the statefulness of the ASA:

static (inside,DMZ) 172.16.10.0 172.16.10.0 netmask 255.255.255.0 norandomseq nailed
failover timeout -1

Please also let me know if this is not possible at all, or if I need to add something to the above.
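Before changing NAT or RPF settings it helps to measure how often the drop actually happens and which clients it hits. The following is an added example (not part of the original post, and not Cisco code) that parses the %ASA-6-106015 lines quoted above and flags the pattern the post describes: a data-bearing TCP segment with a non-RFC1918 source address arriving on the inside interface with no matching connection, which is what the appliance's spoofed-source redirect looks like to the ASA. It assumes the message format exactly as quoted for 8.0(5), an interface named "inside", and IPv4 only; the third and fourth sample lines are constructed, not from the thread.

```python
import re
from ipaddress import ip_address

# %ASA-6-106015 "Deny TCP (no connection)" message, in the form quoted in the
# post above (assumption: 8.0(5) always emits this exact layout).
ASA_106015 = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)/(?P<src_port>\d+) to "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)/(?P<dst_port>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)


def parse_106015(line):
    """Return a dict of fields for a 106015 line, or None for any other message."""
    m = ASA_106015.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    ev["flags"] = ev["flags"].split()
    return ev


def is_spoofed_redirect_candidate(ev, inside_iface="inside"):
    """True when a no-connection deny on the inside interface carries data
    (PSH+ACK, not a reset) from a non-private source toward a private host:
    the signature of the appliance's spoofed 302 being dropped by the ASA."""
    return (
        ev["iface"] == inside_iface
        and not ip_address(ev["src_ip"]).is_private
        and ip_address(ev["dst_ip"]).is_private
        and "PSH" in ev["flags"]
        and "ACK" in ev["flags"]
        and "RST" not in ev["flags"]
    )


def summarize(lines, inside_iface="inside"):
    """Group candidate drops by client IP so an operator can see how many
    clients are affected and which 'blocked' destinations triggered them."""
    per_client = {}
    for line in lines:
        ev = parse_106015(line)
        if ev is None or not is_spoofed_redirect_candidate(ev, inside_iface):
            continue
        per_client.setdefault(ev["dst_ip"], []).append(
            (ev["src_ip"], ev["src_port"], ev["dst_port"])
        )
    return per_client


SAMPLE_LOG = [
    # the two lines quoted in the post
    "Jun 04 2010 18:26:21 ASA1 : %ASA-6-106015: Deny TCP (no connection) "
    "from 63.216.54.114/80 to 172.16.14.6/1047 flags FIN PSH ACK  on interface inside",
    "Jun 04 2010 18:26:21 ASA1 : %ASA-6-106015: Deny TCP (no connection) "
    "from 172.16.14.6/1047 to 63.216.54.114/80 flags RST ACK  on interface inside",
    # constructed: a stray ACK on the outside interface, not the pattern we want
    "Jun 04 2010 18:27:02 ASA1 : %ASA-6-106015: Deny TCP (no connection) "
    "from 198.51.100.7/443 to 172.16.14.9/3301 flags ACK  on interface outside",
    # constructed: a different message ID, ignored by the parser
    "Jun 04 2010 18:27:05 ASA1 : %ASA-6-302014: Teardown TCP connection 12345 "
    "for outside:198.51.100.7/443 to DMZ:172.16.14.9/3302 duration 0:00:05 bytes 1024 TCP FINs",
]

if __name__ == "__main__":
    for client, hits in summarize(SAMPLE_LOG).items():
        print(client, hits)
```

Only the first quoted line is reported: the client's RST is excluded because it is the reset, not the redirect, and the outside-interface deny is excluded because it never touches the inside interface. Feeding a day of syslog through summarize() gives a per-client count that shows whether the drop is frequent enough to justify loosening RPF and state checks on that interface pair.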

3 Replies

ankurs2008
Level 1

Hi,

Please reply to my query. Thanks.

Hi halijenn / pkampana / all,

Please try to resolve my query; it's urgent. Thanks a lot!

Hi,

Please resolve my query.
