ā06-10-2010 09:54 PM - edited ā03-11-2019 10:57 AM
Hi halijenn / pkampana / all
We are having ASA 8.0(5) .The issue is that there is a Web filtering appliance that is in inside interface (sec-level 100), IP 172.16.10.24 and the user is on DMZ interface (sec-level 50) , IP 172.16.14.6. The appliance has a monitor NIC, with a SPAN on the switch to monitor web traffic requests passing through network.When it sees a request that it deems as "blocked", it sends a HTTP 302 redirect packet to the client/requesting IP address, with spoofed source address of the blocked resource,which redirects them to a "blocked" page on the appliance. e.g. client 172.16.14.6 requests yahoo.com (say this is IP 3.3.3.3 ) the Web filtering device sees that yahoo.com is blocked, and sends a HTTP 302 redirect packet of source 3.3.3.3
(spoofed IP) to 172.16.14.6 rather than the Source IP as itself .
The problem is that Firewall OBVIOUSLY will not let this traffic pass; reverse path forwarding and stateful connection will see that there is no TCP connection between 3.3.3.3 on the inside interface (where the appliance is) and where the user sits (DMZ interface), and thus drops the traffic.
Below are examples from the logs when performing tests:
Jun 04 2010 18:26:21 ASA1 : %ASA-6-106015: Deny TCP (no connection) from 63.216.54.114/80 to 172.16.14.6/1047 flags FIN PSH ACK on interface inside
Jun 04 2010 18:26:21 ASA1 : %ASA-6-106015: Deny TCP (no connection) from 172.16.14.6/1047 to 63.216.54.114/80 flags RST ACK on interface inside
Please let me know if we can achieve this .According to me we can accomplish this by first disabling the "ip verify reverse path" on the interface as well as we also need to do a Stateful Bypass ; however as ASA version is 8.0.5 we cannot do this via MPF .Hence please let me know if below is the correct method
Current Static NAT is as follows for DMZ users to speak to Inside IPs
static (inside,DMZ) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
Modified Static NAT if we bypass statefulness of ASA
static (inside,DMZ) 172.16.10.0 172.16.10.0 netmask 255.255.255.0 norandomseq nailed
failover timeout -1
Please also let me know if this is not possible at all or if i need to add something in the above.
ā06-11-2010 02:35 PM
hi
please reply to my query . thanks
ā06-13-2010 09:53 PM
hi halijenn / pkampana / all
Please try to resolve my query , its urgent . thanks a lot !
ā06-15-2010 04:25 PM
hi
please resolve my query
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: