Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
939
Views
0
Helpful
3
Replies

ASA 5505 packet flow

Go to solution
ankurs2008
Level 1
Level 1

‎08-10-2010 02:34 AM - edited ‎03-11-2019 11:23 AM

Hi halijenn / kusankar / Magnus

I have a query related to ASA 5505 Packet flow . I was encountering an issue the other day and below is the topology .Though the issue has been resolved i want to know the exact packet flow as to when the ASA will behave as a switchport and when it will behave as layer 3 .Below is the case for Asymmetric routing issue . My query is that when packet from the user (10.0.0.0) is going towards the 3825 , how exactly ASA treats it (as in the packet capture there were no request to ASA i.e no SYN packet ?  ) ; however when the FTP Server replies back , ASA will do a route lookup for 10.0.0.0 Network .Does this means that with 3825 and FTP Server being in the same VLAN , ASA will act as L2 Device for the initial ICMP Echo packet towards FTP Server and as L3 Device while replying back.Please correct me if i am wrong as i want to understand that though U Turning resolved this issue , i want to understand the exact packet  flow .

Internal --------CoreSw----3825-----ASA ----- Internet
LAN                                          |
10.0.0.0/16                                |
                                         FTP Server

1) FTP Server (172.30.10.22) and 3825 (connected to ASA Ethernet0/1) are in the same VLAN (vlan1 - nameif inside) . Cust not able to access ftp server from the inside of the ASA 10.0.22.0 network ; however able to ping from 3825 .The FTP server is connected to the e0/2 port of ASA , which is also in vlan 1.

2) I have put captures on ASA and saw only reply from FTP server, but ASA never saw ping request.The ping request was timing out . Please note that i was not able to initiate ICMP from FTP Server as the customer doesnot have access to it and it was not possible as it is in another location .

3) Thought it to be an asymmetric routing issue and gave the appropriate commands of U-Turning and the same worked

4) After that was able to ping FTP Server from the inside IP

Relevant config

1) FTP Server is publically visible for the outside world .

2)

interface Vlan1
nameif inside
security-level 100
ip address 172.30.10.21 255.255.255.248
ospf cost 10
ospf authentication null

3)

router ospf 1
network 172.30.10.21 255.255.255.255 area 0
area 0 range 172.30.10.16 255.255.255.248
log-adj-changes
default-information originate always

4) global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 <Next hop of ASA>

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎08-10-2010 06:39 AM

Hello Anukur,

You are correct in that you were experiencing Asymmetric routing. For the

communication between the 3825 and FTP server, the firewall was acting as a

Switchport. Both devices are connected at L2 level and can communicate

seamlessly (Also, you need to remember that 3825 and FTP server share same

IP address range). When you tried to communicate from your inside subnet

(10.0.0.0) to the FTP server, the packets hit 3825 first and the 3825

forwarded the packets directly to the FTP server at L2 (since 3825 has an

ARP entry for FTP server, it did delivered the packets at Layer 2). However,

the return traffic is the problem. The default gateway of the FTP server is

the firewalls VLAN 1 interface. When the FTP server was ready to transmit

return packet, it did a destination lookup and found that the destination is

not on its local subnet. So, as per routing rules, it had to send the

traffic to its default gateway. When the traffic hit the ASA's VLAN 1

interface, the ASA inspected the packet and concluded that this could be an

attack as it has not seen the original request, but it is seeing only

responses. So, it blocked the packet.

So, in a nutshell, the 5505 acts as a switch when communicating between

hosts on the same VLAN and source IP/destination IP are also on the same

VLAN. It will apply firewall rules when the destination originated for the

traffic from the VLAN is outside that VLAN and traffic hits ASA's interface

for routing.

Hope this helps.

Regards,

NT

View solution in original post

0 Helpful
3 Replies 3

Go to solution
ankurs2008
Level 1
Level 1

‎08-10-2010 02:37 AM

Hi

In the architecture , please consider that FTP Server is connected to ASA and not 3825

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎08-10-2010 06:39 AM

Hello Anukur,

You are correct in that you were experiencing Asymmetric routing. For the

communication between the 3825 and FTP server, the firewall was acting as a

Switchport. Both devices are connected at L2 level and can communicate

seamlessly (Also, you need to remember that 3825 and FTP server share same

IP address range). When you tried to communicate from your inside subnet

(10.0.0.0) to the FTP server, the packets hit 3825 first and the 3825

forwarded the packets directly to the FTP server at L2 (since 3825 has an

ARP entry for FTP server, it did delivered the packets at Layer 2). However,

the return traffic is the problem. The default gateway of the FTP server is

the firewalls VLAN 1 interface. When the FTP server was ready to transmit

return packet, it did a destination lookup and found that the destination is

not on its local subnet. So, as per routing rules, it had to send the

traffic to its default gateway. When the traffic hit the ASA's VLAN 1

interface, the ASA inspected the packet and concluded that this could be an

attack as it has not seen the original request, but it is seeing only

responses. So, it blocked the packet.

So, in a nutshell, the 5505 acts as a switch when communicating between

hosts on the same VLAN and source IP/destination IP are also on the same

VLAN. It will apply firewall rules when the destination originated for the

traffic from the VLAN is outside that VLAN and traffic hits ASA's interface

for routing.

Hope this helps.

Regards,

NT

0 Helpful

Go to solution
ankurs2008
Level 1
Level 1
In response to Nagaraja Thanthry

‎08-10-2010 08:53 AM

Hi NT

Thanks for the excellent explaintion !!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card