Asymmetric LAN routing through firewall

Unanswered Question
Oct 4th, 2010

Hi,

This is a very complex problem.

Firewall                  Router 1.1.1.1 ---------- 1.1.1.2
10.1.1.1                  10.1.1.3
   '                         '
   '                         '
   '                         '
------------------------------------
          '
          '
          '
PC (10.1.1.100) with gateway 10.1.1.2

Scenario

PC wants to send traffic to 1.1.1.2

PC(10.1.1.100)-->FW(10.1.1.1)--> Router(10.1.1.3)-->1.1.1.2

Return traffic

1.1.1.2 --> Router(1.1.1.1) --> 10.1.1.100 (through the router, using its directly connected interface, without going through the firewall).

As the return traffic didn't go through the firewall, the TCP handshake was not completed, so it failed. It seems that when we build the session through the firewall, it adds something to the packet and reverts it on the return path, so for connections built through the firewall whose return traffic reaches the source without going through the firewall, the packet gets dropped at the source as it is a different packet.

The same thing happens when 1.1.1.2 initiates a session to 10.1.1.100: the initiating traffic reaches the PC without passing the firewall, and when the PC replies via its gateway (the firewall), the firewall drops it as the initiating session is not in its list.

Is there any solution for this problem? It seems very simple, but a lot of complexity is involved.

Regards

Jennifer Halim Mon, 10/04/2010 - 03:50

There are 2 options that you can configure:

Option 1) The more secure option --> change the PC default gateway from the ASA to the router. This will ensure that no asymmetric routing happens within your network. Then, if there are any specific routes that need to be sent towards the ASA firewall, you can configure specific routing on the router to point towards the ASA IP 10.1.1.1.

Option 2) The less secure option --> configure TCP bypass on the ASA. Please find the following URL for your reference on the configuration:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Hope that helps.
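The following is an added simulation, not code from the thread or from Cisco: it models an ASA-style stateful firewall (connection table plus initial-sequence-number randomization, which is the "something added to the packet" the poster noticed) and replays both failure cases from the question and both fixes from the reply. Addresses are the ones in the thread; ports, ISNs and the offset range are constructed for the model.

```python
import random

class StatefulFirewall:
    """Simplified ASA-style stateful inspection (a model, not Cisco code):
    a connection table keyed by the TCP 4-tuple plus initial-sequence-number
    (ISN) randomization, which the firewall undoes on the reply path."""
    def __init__(self, tcp_state_bypass=False):
        self.conns = {}  # (src, sport, dst, dport) -> ISN offset
        self.tcp_state_bypass = tcp_state_bypass

    def forward(self, pkt):
        """Return the packet as it leaves the firewall, or None if dropped."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rkey = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":  # new session: record it and shift the ISN
            self.conns[key] = random.randrange(1, 2**31)
            return {**pkt, "seq": (pkt["seq"] + self.conns[key]) % 2**32}
        if rkey in self.conns:  # reply direction: undo the shift
            return {**pkt, "ack": (pkt["ack"] - self.conns[rkey]) % 2**32}
        if key in self.conns:  # same direction as the SYN
            return {**pkt, "seq": (pkt["seq"] + self.conns[key]) % 2**32}
        return pkt if self.tcp_state_bypass else None  # no session: drop

def traverse(pkt, path):
    """Push a packet through a list of firewalls (empty = direct via router)."""
    for fw in path:
        pkt = fw.forward(pkt)
        if pkt is None:
            return None
    return pkt

def handshake(client, server, path_out, path_back, isn=1000):
    """Client SYN via path_out, server SYN-ACK back via path_back."""
    syn = {"src": client, "sport": 40000, "dst": server, "dport": 80,
           "flags": "SYN", "seq": isn, "ack": 0}
    seen = traverse(syn, path_out)
    if seen is None:
        return "SYN dropped by firewall (no session)"
    synack = {"src": server, "sport": 80, "dst": client, "dport": 40000,
              "flags": "SYN-ACK", "seq": 7000, "ack": (seen["seq"] + 1) % 2**32}
    back = traverse(synack, path_back)
    if back is None:
        return "SYN-ACK dropped by firewall (no session)"
    if back["ack"] != (isn + 1) % 2**32:
        return "SYN-ACK rejected by client (ack does not match its ISN)"
    return "established"
```

Calling handshake("10.1.1.100", "1.1.1.2", [fw], []) reproduces the poster's first case (the PC rejects the SYN-ACK because the ack number was shifted by the firewall it never returned through), and handshake("1.1.1.2", "10.1.1.100", [], [fw]) the second (the firewall drops a reply with no session). The same firewall on both paths (Option 1's symmetric routing) or tcp_state_bypass=True (Option 2) completes the handshake.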
