Due to some asymmetric routing issues I need to allow some traffic through the ASA and bypass the stateful workings of the FW. I am unable to amend the routing due to other issues, which is not ideal, so this seems to be my only option for now. The ASA is running in transparent mode acting as an IPS.
I have the following (see below) and just applied it globally. I basically want connections coming into the FW from "any" to "10.44.129.34" and from "10.44.129.34" to "any" to be allowed. It doesn't seem to be working, though, as ICMP traffic doesn't seem to be replying. I can see the following in the ASA logs:
Built inbound ICMP connection for faddr 10.44.145.101/0 gaddr 10.44.129.34/1 laddr 10.44.129.34/1
Aug 26 2014 15:22:05: %ASA-4-313004: Denied ICMP type=0, from laddr 10.44.145.101 on interface ***VLAN_450_WAN_INSIDE*** to 10.44.129.34: no matching session
%ASA-4-313004: Denied ICMP type=0, from laddr 10.44.145.101 on interface ***VLAN_450_WAN_INSIDE*** to 10.44.129.34: no matching session
My current config is below.
access-list CV_BYPASS line 1 extended permit ip any host 10.44.129.34 (hitcnt=364) 0x4fb7318e
access-list CV_BYPASS line 2 extended permit icmp any host 10.44.129.34 (hitcnt=0) 0x22bf3de0
access-list CV_BYPASS line 3 extended permit ip host 10.44.129.34 any (hitcnt=9) 0x5072ed00
access-list CV_BYPASS line 4 extended permit icmp host 10.44.129.34 any (hitcnt=0) 0xad56199a

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map MY-IDS-POLICY
 class MY-IPS-CLASS
  ips promiscuous fail-open sensor vs0
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect icmp
 class tcp-traffic
  set connection advanced-options allow-probes
 class CV_BYPASS
  set connection timeout idle 0:10:00
  set connection advanced-options tcp-state-bypass
!
class-map CV_BYPASS
 match access-list CV_BYPASS
class-map MY-IPS-CLASS
 match access-list SSM-IPS
class-map tcp-traffic
 match access-list tcp-traffic
class-map inspection_default
 match default-inspection-traffic
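The two log messages quoted in the post are the useful evidence here: %ASA-4-313004 is the ICMP inspection engine dropping a packet for which the ASA holds no session, and the denied packets are type 0 (echo reply), so requests and replies are reaching the firewall on different paths. Note that the tcp-state-bypass option, as its name says, acts on TCP connections only. The script below is an added example, not part of the original post or of any Cisco tool: it parses the two message formats seen above, groups the "no matching session" denials by source, destination, interface and ICMP type, and flags the groups where the ASA did build a session for the same address pair at some point, which is the signature of a reply arriving without its request. The sample log lines are constructed, modelled on the ones in the post; the 302020 message ID on the "Built" line is assumed from the ASA syslog catalogue and is not what the parser keys on.

```python
"""Triage ASA 'no matching session' ICMP denials (message 313004).

Added example for this thread, not code from the original post. Sample
lines below are constructed from the messages quoted in the post.
"""
import re
from collections import Counter

# Constructed sample log, modelled on the post. Message ID 302020 for the
# "Built ICMP connection" line is assumed; the regex does not depend on it.
SAMPLE_LOGS = """\
Aug 26 2014 15:22:04: %ASA-6-302020: Built inbound ICMP connection for faddr 10.44.145.101/0 gaddr 10.44.129.34/1 laddr 10.44.129.34/1
Aug 26 2014 15:22:05: %ASA-4-313004: Denied ICMP type=0, from laddr 10.44.145.101 on interface VLAN_450_WAN_INSIDE to 10.44.129.34: no matching session
Aug 26 2014 15:22:06: %ASA-4-313004: Denied ICMP type=0, from laddr 10.44.145.101 on interface VLAN_450_WAN_INSIDE to 10.44.129.34: no matching session
Aug 26 2014 15:22:07: %ASA-4-313004: Denied ICMP type=3, from laddr 10.44.145.101 on interface VLAN_450_WAN_INSIDE to 10.44.129.34: no matching session
Aug 26 2014 15:22:08: %ASA-6-106015: Deny TCP (no connection) from 10.44.145.101/443 to 10.44.129.34/50123 flags ACK
"""

# ICMP type names for the types that matter in this triage (RFC 792).
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}
# Types that are always answers to something: seeing them without a session is
# the asymmetric-path symptom, whereas a type 8 without a session is normal.
REPLY_TYPES = {0, 3, 11}

IPV4 = r"\d+\.\d+\.\d+\.\d+"
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) ICMP connection for "
    rf"faddr (?P<faddr>{IPV4})/\d+ gaddr (?P<gaddr>{IPV4})/\d+ laddr (?P<laddr>{IPV4})/\d+"
)
DENIED_RE = re.compile(
    rf"%ASA-4-313004: Denied ICMP type=(?P<type>\d+), from laddr (?P<src>{IPV4}) "
    rf"on interface (?P<ifname>\S+) to (?P<dst>{IPV4}): no matching session"
)


def parse_line(line):
    """Return ('denied', fields) or ('built', fields), or None for other messages."""
    m = DENIED_RE.search(line)
    if m:
        return ("denied", {"type": int(m["type"]), "src": m["src"],
                           "ifname": m["ifname"], "dst": m["dst"]})
    m = BUILT_RE.search(line)
    if m:
        return ("built", {"direction": m["direction"], "faddr": m["faddr"], "laddr": m["laddr"]})
    return None


def triage(lines):
    """Group 313004 denials and cross-reference them with built ICMP sessions.

    Returns one finding per (src, dst, interface, icmp_type), sorted.
    """
    built_pairs = set()
    denials = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "built":
            built_pairs.add((f["faddr"], f["laddr"]))
        else:
            denials[(f["src"], f["dst"], f["ifname"], f["type"])] += 1

    findings = []
    for (src, dst, ifname, icmp_type), count in sorted(denials.items()):
        findings.append({
            "src": src, "dst": dst, "interface": ifname,
            "icmp_type": icmp_type, "type_name": ICMP_TYPES.get(icmp_type, "other"),
            "count": count,
            "is_reply": icmp_type in REPLY_TYPES,
            # The ASA built a session for this pair in some direction, yet had
            # none when this packet arrived: the request bypassed the firewall
            # or the session had already been torn down.
            "session_seen": (src, dst) in built_pairs or (dst, src) in built_pairs,
        })
    return findings


if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOGS.splitlines()):
        tag = "ASYMMETRIC?" if fnd["is_reply"] and fnd["session_seen"] else ""
        print(f'{fnd["src"]} -> {fnd["dst"]} on {fnd["interface"]}: '
              f'{fnd["count"]}x type {fnd["icmp_type"]} ({fnd["type_name"]}) {tag}')
```

Run it against a saved `show logging` or syslog export; a group marked ASYMMETRIC? tells you which peer pair and interface to check for the missing request path, which is more useful than the raw count of 313004 messages.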