1809 Views, 5 Helpful, 7 Replies

Can I bypass ASA anti-spoofing?

miwitte (Level 4)

I am trying to set up wireless guest access for a customer that has an ASA 5520, v8.0 (I think). In any case we have everything working and the wireless is going out to the Internet fine. The issue we are seeing is that when they try to access their websites from the guest wireless, they get the external IP address, and I am assuming that because of anti-spoofing it is not allowing the packet to come back in. Is there any way around this? I know in the Checkpoint you can set up an exclusion to do this.

7 Replies

suschoud (Cisco Employee)

"when they try to access their websites from the guest wireless"

I did not get this part.

On which interface is the web server?

Is it on the same interface of the f/w where the clients are?

If so, you need to set up DNS doctoring.

If it's on some interface other than Internet, you would need to set up destination NAT.

Regards,

Sushil

It has 4 interfaces in use: Internet, internal, wireless guest, and DMZ, which is where the web servers are. I am assuming that when the wireless traffic goes out the Internet port and tries to come back in, the anti-spoofing drops it. The destination NAT thing sounds familiar; if you point me to a link or something it would be appreciated.

Let's say you are in DMZ and want to access a server on inside.

You would need:

static (inside,dmz)

With this static, the SYN packet, rather than going to outside, will go directly to the server on inside.

The above is called D-NAT.

Please rate if helpful.

Regards,

Sushil

Is this your scenario?

Web server: in DMZ

Clients: in Wireless Guest (WG), with a higher security level than DMZ

So, if you wish to access the DMZ server using the public IP from clients in WG, then you need DNAT.

static (dmz,wg) ----> This command makes sure people from WG are able to access the server by public IP

nat(wg) 1 0 0

global (dmz) 1 interface

SERVER AND USER ARE IN DIFFERENT NETWORKS

        INTERNET
            |
            |
     PIX-----dmz----SERVER
            |
     WG (higher sec)
            |
            |
       USER/client

We would access the server in DMZ, from the client in WG, with the public IP by using the concept called Destination NAT (DNAT):

static (dmz,WG) ----> This command makes sure people from WG are able to access the server by public IP

It makes that public IP virtually float on the inside of the PIX.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Let me know if this helps !
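The static/nat/global commands in the reply above are given as fragments. The following is an added worked example of the same destination-NAT arrangement in ASA 8.0 syntax; it is not configuration from the thread or from Cisco. The interface names outside/dmz/wg, the addressing (DMZ web server 10.10.10.10 published as 203.0.113.10, guest segment 10.20.20.0/24), the security levels and the WG_IN access list are all assumptions chosen for illustration.

```asa
! Added example (not from the thread). Assumed addressing:
!   outside: security-level 0, public range 203.0.113.0/24
!   dmz:     security-level 10, 10.10.10.0/24, web server 10.10.10.10
!   wg:      security-level 50, 10.20.20.0/24, guest wireless clients
!   web server's public (mapped) address: 203.0.113.10
interface GigabitEthernet0/2
 nameif wg
 security-level 50
 ip address 10.20.20.1 255.255.255.0
!
! Existing translation that publishes the web server to the Internet.
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
!
! Destination NAT for the guest segment: the same public address now also
! "floats" on the wg interface, so a guest SYN to 203.0.113.10 is translated
! to 10.10.10.10 and forwarded straight into the dmz instead of out the
! outside interface, where the hairpinned reply would fail the stateful check.
static (dmz,wg) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
!
! Source-side PAT for guests, one global for the Internet and one for the dmz
! (the nat/global pair from the reply above).
nat (wg) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface
!
! Guest access list (assumed policy): only the published web service in the
! dmz, nothing else on private address space, everything else to the Internet.
access-list WG_IN extended permit tcp 10.20.20.0 255.255.255.0 host 203.0.113.10 eq www
access-list WG_IN extended permit tcp 10.20.20.0 255.255.255.0 host 203.0.113.10 eq https
access-list WG_IN extended deny ip 10.20.20.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list WG_IN extended permit ip 10.20.20.0 255.255.255.0 any
access-group WG_IN in interface wg
!
! Verification: trace a guest SYN to the public address. The output should show
! the static (dmz,wg) translation being hit, egress interface dmz and ALLOW.
packet-tracer input wg tcp 10.20.20.50 40000 203.0.113.10 80
show xlate global 203.0.113.10
```

The static (dmz,wg) line is what replaces the Checkpoint-style anti-spoofing exclusion: instead of letting the packet leave via outside and return, the guest segment is given its own translation for the public address, so the flow never crosses the outside interface. Each published server that guests must reach by public name needs its own static (dmz,wg) entry, which is the per-host cost the original poster was hoping to avoid.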

Yes!! You are correct.

That sounds like something I had done in the past on an old PIX; I just couldn't remember it. So it would appear that is my only option then? The Checkpoint had an option of specifying what to bypass with anti-spoofing; I just could not find anything with a PIX/ASA to do that. Also, the DNS doctoring would do about the same thing; I just wouldn't have to create all the NAT rules but rather create alias commands to convert the DNS. We have gotten around this somewhat by using the DMZ DNS servers for the wireless clients and allowing the wireless to access these servers by the DMZ addressing. The real issue is that they have hundreds of subdomains that are not on the DMZ DNS server but are only on the Internet DNS server.

Correct. As of now you have to live with the anti-spoof/stateful inspection feature of the FW, though a feature request has been filed about disabling the ABR/stateful check.

hth

Ashish !
