Hi halijenn / experts,
I have a query related to the IDS sending RST from the inside interface of the firewall. Please let me know if my understanding is correct.
The ASA has Inside, DMZ and Outside interfaces; the IDS is on the Inside interface and the user is in the DMZ.
1) When a TCP connection is initiated from the DMZ interface to the Outside, the IDS sniffs that and sends RST.
2) The switch port (say fa0/5) which is configured for spanning and connected to the IDS sensor's sniffing interface should have the following features:
# Disabling “learning” on the SPAN port, as the sensor is going to spoof the source IP and MAC address of the destination of the original packet, and the switch has to allow this through.
# Allowing input on the SPAN port so the switch will accept the RST packet, since normally they are only one way.
monitor session 1 source vlan 20 rx
monitor session 1 destination int fa0/5 ingress vlan 20
Please let me know if my understanding here is correct.
Now my query is:
a) When the user sends a TCP packet to the Outside, the IDS sniffs and discards that packet due to its configuration. Hence, to whom does the IDS ideally send the RST (to the source or the destination)? What will be the source IP and destination IP of that RST? According to me, it will send the RST to the destination. If it sends the RST to the destination, what will it intimate to the user (DMZ)?
b) Do we need to have access rules configured in the firewall to allow that RST to be sent across to the destination (considering it sends the RST to the destination)?
c) Will the firewall check its state table and try to deny that RST packet in any case? The reason is that I am getting the following error when user 172.16.10.9 is sending a packet outside: the IDS is not able to send the RST, and the user is able to send and receive the web page correctly (which ideally should not happen).
1. Jun 19 2010 19:07:11 COLASA : %ASA-6-106015: Deny TCP (no connection) from 220.127.116.11/80 to 172.16.10.9/1047 flags FIN PSH ACK on interface inside
This log says that the IDS (after intercepting the packet received from the source) is trying to build a new connection from Inside to DMZ to reply to the user, and in this process it sets its source to 18.104.22.168 (that of the destination), but it is somehow getting denied.
2. Jun 19 2010 19:07:11 COLASA1 : %ASA-6-106015: Deny TCP (no connection) from 172.16.10.9/1047 to 22.214.171.124/80 flags RST ACK on interface inside
This log says that the IDS is trying to send RST to the destination (with source as 172.16.10.9 now); however, something in the firewall is preventing it from doing so.
Please guide me on how to proceed.
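
The following is an added example, not part of the original post: a Python script that parses %ASA-6-106015 lines like the two quoted above and reports connections for which segments claiming to come from both endpoints were denied on the same firewall interface. The sample lines, the 203.0.113.80 address and the `dmz` interface name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the %ASA-6-106015 messages in the
# post; 203.0.113.80 is a documentation address standing in for the web server.
SAMPLE = """\
Jun 19 2010 19:07:11 COLASA : %ASA-6-106015: Deny TCP (no connection) from 203.0.113.80/80 to 172.16.10.9/1047 flags FIN PSH ACK on interface inside
Jun 19 2010 19:07:11 COLASA : %ASA-6-106015: Deny TCP (no connection) from 172.16.10.9/1047 to 203.0.113.80/80 flags RST ACK on interface inside
Jun 19 2010 19:07:12 COLASA : %ASA-6-106015: Deny TCP (no connection) from 172.16.10.7/2210 to 203.0.113.80/80 flags RST on interface dmz
"""

PATTERN = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)

def parse(line):
    """Return endpoints, TCP flags and ingress interface of one deny line."""
    m = PATTERN.search(line)
    if not m:
        return None
    return {
        "src": (m["src"], int(m["sport"])),
        "dst": (m["dst"], int(m["dport"])),
        "flags": set(m["flags"].split()),
        "ifc": m["ifc"],
    }

def both_directions_on_one_interface(lines):
    """Return (connection, interface) pairs where denied segments claimed
    BOTH endpoints as source while arriving on the same interface."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        # Direction-independent key: the two endpoints in sorted order.
        conn = tuple(sorted([ev["src"], ev["dst"]]))
        seen[(conn, ev["ifc"])].add(ev["src"])
    return sorted(key for key, srcs in seen.items() if len(srcs) == 2)

if __name__ == "__main__":
    for conn, ifc in both_directions_on_one_interface(SAMPLE.splitlines()):
        print(f"{conn[0]} <-> {conn[1]}: both directions denied on interface {ifc}")
```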