ASA 5505 packet flow

Answered Question
Aug 10th, 2010

Hi halijenn / kusankar / Magnus


I have a query related to ASA 5505 packet flow. I was encountering an issue the other day and below is the topology. Though the issue has been resolved, I want to know the exact packet flow, as to when the ASA will behave as a switchport and when it will behave as layer 3. Below is the case for an asymmetric routing issue. My query is: when a packet from the user (10.0.0.0) is going towards the 3825, how exactly does the ASA treat it (as in the packet capture there was no request to the ASA, i.e. no SYN packet)? However, when the FTP Server replies back, the ASA will do a route lookup for the 10.0.0.0 network. Does this mean that, with the 3825 and FTP Server being in the same VLAN, the ASA will act as an L2 device for the initial ICMP Echo packet towards the FTP Server and as an L3 device while replying back? Please correct me if I am wrong; though U-turning resolved this issue, I want to understand the exact packet flow.


Internal --------CoreSw----3825-----ASA ----- Internet
LAN                                          |
10.0.0.0/16                                |
                                         FTP Server


1) FTP Server (172.30.10.22) and 3825 (connected to ASA Ethernet0/1) are in the same VLAN (vlan1 - nameif inside). Customer is not able to access the FTP server from the inside of the ASA 10.0.22.0 network; however, able to ping from the 3825. The FTP server is connected to the e0/2 port of the ASA, which is also in vlan 1.


2) I have put captures on the ASA and saw only the reply from the FTP server, but the ASA never saw the ping request. The ping request was timing out. Please note that I was not able to initiate ICMP from the FTP Server as the customer does not have access to it and it was not possible as it is in another location.


3) Thought it to be an asymmetric routing issue and gave the appropriate commands for U-turning and the same worked.


4) After that, was able to ping the FTP Server from the inside IP.


Relevant config


1) FTP Server is publicly visible to the outside world.


2)

interface Vlan1
nameif inside
security-level 100
ip address 172.30.10.21 255.255.255.248
ospf cost 10
ospf authentication null

3)

router ospf 1
network 172.30.10.21 255.255.255.255 area 0
area 0 range 172.30.10.16 255.255.255.248
log-adj-changes
default-information originate always


4) global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 <Next hop of ASA>

Overall Rating: 5 (1 ratings)
ankurs2008 Tue, 08/10/2010 - 02:37

Hi


In the architecture, please consider that the FTP Server is connected to the ASA and not the 3825.

Correct Answer
Nagaraja Thanthry Tue, 08/10/2010 - 06:39

Hello Anukur,

You are correct in that you were experiencing asymmetric routing. For the communication between the 3825 and FTP server, the firewall was acting as a switchport. Both devices are connected at L2 level and can communicate seamlessly (also, you need to remember that the 3825 and FTP server share the same IP address range). When you tried to communicate from your inside subnet (10.0.0.0) to the FTP server, the packets hit the 3825 first and the 3825 forwarded the packets directly to the FTP server at L2 (since the 3825 has an ARP entry for the FTP server, it delivered the packets at Layer 2). However, the return traffic is the problem. The default gateway of the FTP server is the firewall's VLAN 1 interface. When the FTP server was ready to transmit the return packet, it did a destination lookup and found that the destination is not on its local subnet. So, as per routing rules, it had to send the traffic to its default gateway. When the traffic hit the ASA's VLAN 1 interface, the ASA inspected the packet and concluded that this could be an attack as it has not seen the original request, but it is seeing only responses. So, it blocked the packet.

So, in a nutshell, the 5505 acts as a switch when communicating between hosts on the same VLAN and source IP/destination IP are also on the same VLAN. It will apply firewall rules when the destination of traffic originating from the VLAN is outside that VLAN and the traffic hits the ASA's interface for routing.

Hope this helps.

Regards,

NT
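
The forwarding decisions described in the answer above, modelled as an added Python example (not part of the original thread and not Cisco's implementation). The 3825 address 172.30.10.17 and the user host 10.0.22.10 are constructed for the example; the /29, the ASA VLAN 1 address and the FTP server address come from the posted config.

```python
import ipaddress

# From the posted config: VLAN 1 is 172.30.10.16/29 (mask 255.255.255.248).
VLAN1 = ipaddress.ip_network("172.30.10.16/29")
ASA_VLAN1 = ipaddress.ip_address("172.30.10.21")
FTP = ipaddress.ip_address("172.30.10.22")
# Constructed values, not from the thread.
R3825 = ipaddress.ip_address("172.30.10.17")
USER = ipaddress.ip_address("10.0.22.10")


def next_hop(sender_gateway, dst):
    """Sender on VLAN 1: ARP for an on-link destination, else use the gateway."""
    return dst if dst in VLAN1 else sender_gateway


class Asa:
    """Minimal stateful model of the 5505's VLAN 1.

    Frames not addressed to the VLAN 1 interface are only switched; frames
    sent to it as a gateway are routed and checked against the state table.
    """

    def __init__(self):
        self.conns = set()

    def receive(self, l2_next_hop, src, dst, is_reply):
        if l2_next_hop != ASA_VLAN1:
            return "switched"   # switchport forwarding, no firewall inspection
        flow = frozenset((src, dst))
        if is_reply and flow not in self.conns:
            return "dropped"    # reply with no matching connection entry
        self.conns.add(flow)
        return "routed"


def trace(asa, ftp_gateway):
    """Return how the ASA handles the request and the reply of one exchange."""
    # Request: the 3825 is directly connected to the /29, so it ARPs for the server.
    request = asa.receive(next_hop(None, FTP), USER, FTP, is_reply=False)
    # Reply: 10.0.22.10 is off-link for the server, so it goes to its gateway.
    reply = asa.receive(next_hop(ftp_gateway, USER), FTP, USER, is_reply=True)
    return request, reply


if __name__ == "__main__":
    print(trace(Asa(), ASA_VLAN1))  # the thread's setup: gateway is the ASA
    print(trace(Asa(), R3825))      # counterfactual in this model only
```

The second call is a counterfactual inside the model: when the reply never targets the ASA's VLAN 1 interface, both directions are only switched and the state table is never consulted.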
