ASA Stateful Bypass

Hi All,

Due to some asymmetric issues I need to allow some traffic through the ASA and bypass the stateful workings of the FW. I am unable to amend the routing due to other issues, which is not ideal, so this seems to be my only option for now. The ASA is running in transparent mode acting as an IPS.

I have the following (see below) and just applied it globally. I basically want connections coming into the FW from "any" to "10.44.129.34" and from "10.44.129.34" to "any" to be allowed. Doesn't seem to be working though, as ICMP traffic doesn't seem to be replying. I can see on the ASA logs the following:

Built inbound ICMP connection for faddr 10.44.145.101/0 gaddr 10.44.129.34/1 laddr 10.44.129.34/1

Aug 26 2014 15:22:05: %ASA-4-313004: Denied ICMP type=0, from laddr 10.44.145.101 on interface ***VLAN_450_WAN_INSIDE*** to 10.44.129.34: no matching session

%ASA-4-313004: Denied ICMP type=0, from laddr 10.44.145.101 on interface ***VLAN_450_WAN_INSIDE*** to 10.44.129.34: no matching session

My current config is below.

access-list CV_BYPASS line 1 extended permit ip any host 10.44.129.34 (hitcnt=364) 0x4fb7318e
access-list CV_BYPASS line 2 extended permit icmp any host 10.44.129.34 (hitcnt=0) 0x22bf3de0
access-list CV_BYPASS line 3 extended permit ip host 10.44.129.34 any (hitcnt=9) 0x5072ed00
access-list CV_BYPASS line 4 extended permit icmp host 10.44.129.34 any (hitcnt=0) 0xad56199a

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map MY-IDS-POLICY
 class MY-IPS-CLASS
  ips promiscuous fail-open sensor vs0
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect icmp
 class tcp-traffic
  set connection advanced-options allow-probes
 class CV_BYPASS
  set connection timeout idle 0:10:00
  set connection advanced-options tcp-state-bypass
!
class-map CV_BYPASS
 match access-list CV_BYPASS
class-map MY-IPS-CLASS
 match access-list SSM-IPS
class-map tcp-traffic
 match access-list tcp-traffic
class-map inspection_default
 match default-inspection-traffic

Thanks
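
As an added example (not part of the post above, and not Cisco code), here is a small Python parser for the two ASA syslog formats quoted in the post and for the bypass ACL listing. It groups the %ASA-4-313004 "no matching session" denies per source/destination pair and flags the pairs that involve a host the bypass ACL was meant to cover, so an operator can see from the logs alone whether the bypass class is having any effect on ICMP. The sample log and ACL text are constructed from the lines in the post (the starred-out interface name is tolerated), with one extra deny for an unrelated host added for contrast; the function and class names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample input: the messages quoted in the post (the poster starred out the
# interface name; the regex below tolerates that), plus one extra deny for a host that is
# NOT in the bypass ACL so the two cases can be told apart.
SAMPLE_LOG = """\
Built inbound ICMP connection for faddr 10.44.145.101/0 gaddr 10.44.129.34/1 laddr 10.44.129.34/1
Aug 26 2014 15:22:05: %ASA-4-313004: Denied ICMP type=0, from laddr 10.44.145.101 on interface ***VLAN_450_WAN_INSIDE*** to 10.44.129.34: no matching session
Aug 26 2014 15:22:06: %ASA-4-313004: Denied ICMP type=0, from laddr 10.44.145.101 on interface ***VLAN_450_WAN_INSIDE*** to 10.44.129.34: no matching session
Aug 26 2014 15:22:07: %ASA-4-313004: Denied ICMP type=0, from laddr 10.44.145.200 on interface ***VLAN_450_WAN_INSIDE*** to 10.44.129.77: no matching session
"""

# The bypass ACL as shown in the post; hit counts and hashes are ignored by the parser.
SAMPLE_ACL = """\
access-list CV_BYPASS line 1 extended permit ip any host 10.44.129.34 (hitcnt=364) 0x4fb7318e
access-list CV_BYPASS line 2 extended permit icmp any host 10.44.129.34 (hitcnt=0) 0x22bf3de0
access-list CV_BYPASS line 3 extended permit ip host 10.44.129.34 any (hitcnt=9) 0x5072ed00
access-list CV_BYPASS line 4 extended permit icmp host 10.44.129.34 any (hitcnt=0) 0xad56199a
"""

# %ASA-4-313004 as it appears in the post; leading asterisks around the interface are optional.
DENY_RE = re.compile(
    r"%ASA-4-313004: Denied ICMP type=(?P<icmp_type>\d+), from laddr (?P<src>[\d.]+) "
    r"on interface \**(?P<iface>[\w.-]+)\** to (?P<dst>[\d.]+): no matching session"
)

# "show access-list" style lines with only 'any' / 'host X' endpoints, which is all the post uses.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:line \d+ )?extended permit (?P<proto>\w+) "
    r"(?P<src>any|host [\d.]+) (?P<dst>any|host [\d.]+)"
)


def bypass_hosts(acl_text: str, acl_name: str) -> Dict[str, Set[str]]:
    """Map each 'host' address in the named ACL to the protocols it is permitted for."""
    hosts: Dict[str, Set[str]] = {}
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group("name") != acl_name:
            continue
        for field in ("src", "dst"):
            value = m.group(field)
            if value.startswith("host "):
                hosts.setdefault(value.split()[1], set()).add(m.group("proto"))
    return hosts


@dataclass(frozen=True)
class DenyFinding:
    src: str               # address whose ICMP packet was dropped
    dst: str               # address it was going to
    iface: str             # interface the packet arrived on
    icmp_type: int         # 0 = echo reply
    count: int             # how many times the pair was denied
    host_in_bypass_acl: bool  # True if src or dst is a host the bypass ACL names


def find_unmatched_icmp(log_text: str, hosts: Dict[str, Set[str]]) -> List[DenyFinding]:
    """Group 'no matching session' ICMP denies per flow and mark those touching bypass hosts."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            key = (m.group("src"), m.group("dst"), m.group("iface"), int(m.group("icmp_type")))
            counts[key] += 1
    findings = [
        DenyFinding(src, dst, iface, t, n, src in hosts or dst in hosts)
        for (src, dst, iface, t), n in counts.items()
    ]
    # Most frequent pairs first so the noisiest asymmetric flow is at the top.
    findings.sort(key=lambda f: (-f.count, f.dst))
    return findings


if __name__ == "__main__":
    covered = bypass_hosts(SAMPLE_ACL, "CV_BYPASS")
    for f in find_unmatched_icmp(SAMPLE_LOG, covered):
        flag = "BYPASS HOST" if f.host_in_bypass_acl else "other"
        print(f"{f.count:3d}x type={f.icmp_type} {f.src} -> {f.dst} on {f.iface} [{flag}]")
```

When run on the constructed sample it lists the 10.44.145.101 -> 10.44.129.34 echo-reply denies first and marks them as involving a bypass host. That is the pattern worth alerting on here: `tcp-state-bypass` only relaxes state checking for TCP, so ICMP replies arriving on a different interface from the request are still checked against the session table that `inspect icmp` maintains, and a steady stream of 313004 denies for a host the bypass ACL names is the log-side signature of that mismatch.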
