Community Member

Can I bypass ASA anti-spoofing??

I am trying to set up wireless guest access for a customer that has an ASA 5520 v 8.0 (I think). In any case we have everything working and the wireless is going out to the internet fine. The issue we are seeing is that when they try to access their websites from the guest wireless, they get the external IP address, and I am assuming that because of anti-spoofing it is not allowing the packet to come back in. Is there any way around this? I know in the Checkpoint you can set up an exclusion to do this.

7 REPLIES
Cisco Employee

Re: Can I bypass ASA anti-spoofing??

"when they try to access their websites from the guest wireless"

I did not get this part.

On which interface is the webserver.

Is it on the same interface of the f/w where the clients are?

If so, you need to set up DNS doctoring.

If it's on some interface other than internet, you would need to set up destination NAT.

Regards,

Sushil

Community Member

Re: Can I bypass ASA anti-spoofing??

It has 4 interfaces in use: internet, internal, wireless guest, and DMZ, which is where the webs are. I am assuming that when the wireless traffic goes out the internet port and tries to come back in, the anti-spoofing drops it. The destination NAT thing sounds familiar. If you point me to a link or something it would be appreciated.

Cisco Employee

Re: Can I bypass ASA anti-spoofing??

Let's say you are in dmz and want to access a server on inside.

You would need:

static (inside,dmz)

With this static, the SYN packet, rather than going to outside, will go directly to the server on inside.

Above is called D-NAT.

Please rate if helpful.

Regards,

Sushil

Cisco Employee

Re: Can I bypass ASA anti-spoofing??

Is this your scenario?

Webserver: in DMZ

Clients: in Wireless Guest (WG), with a higher security level than DMZ

So, if you wish to access the dmz server using the public IP from clients in WG, then you need DNAT:

static (dmz,wg) ----> This command makes sure people from wg are able to access the server by public IP

nat (wg) 1 0 0

global (dmz) 1 interface

SERVER AND USER ARE IN DIFFERENT NETWORKS

    INTERNET
       |
       |
       |
    PIX-----dmz----SERVER
       |
    WG (higher sec)
       |
       |
    USER/client

We would access the server in DMZ, from a client in WG, with the public IP by using the concept called Destination NAT (DNAT):

static (dmz,WG) ----> This command makes sure people from WG are able to access the server by public IP

It makes that public IP virtually float on the inside of the PIX.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Let me know if this helps !
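The placeholder commands in the post above, filled in as a worked ASA 8.0 (pre-8.3 NAT syntax) fragment for the thread's topology. This is an added example, not Sushil's or Cisco's configuration; the addresses, the interface names (outside, wg, dmz), the ACL name and the security levels are all assumed placeholders.

```text
! Added example, not from the thread. Assumed placeholders:
!   203.0.113.10 = public (mapped) IP of the DMZ web server
!   10.10.10.10  = real IP of the web server on the dmz interface
!   wg           = wireless guest interface (higher security level than dmz)
!
! Existing static that publishes the DMZ server to the Internet:
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
!
! Destination NAT toward the guest segment. The same public IP is now
! "floated" on the wg side: a SYN from a guest client to 203.0.113.10 is
! translated to 10.10.10.10 and forwarded straight to dmz, instead of being
! routed out the outside interface, where the return traffic would have no
! valid state and be dropped.
static (dmz,wg) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
!
! Guests (higher security) need a translation slot to reach dmz (lower
! security) when nat-control is enabled:
nat (wg) 1 0 0
global (dmz) 1 interface
!
! Inbound policy on the guest interface. In pre-8.3 code the ACL matches the
! destination as seen on wg, i.e. the public address, so permit only the web
! ports to it, keep guests off private ranges, and let the rest go out.
access-list WG_IN extended permit tcp any host 203.0.113.10 eq 80
access-list WG_IN extended permit tcp any host 203.0.113.10 eq 443
access-list WG_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list WG_IN extended deny ip any 172.16.0.0 255.240.0.0
access-list WG_IN extended deny ip any 192.168.0.0 255.255.0.0
access-list WG_IN extended permit ip any any
access-group WG_IN in interface wg
```

One static (dmz,wg) line is needed per published server, which is why the thread weighs this against DNS doctoring when many hosts are involved.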

Community Member

Re: Can I bypass ASA anti-spoofing??

Yes!! You are correct.

Community Member

Re: Can I bypass ASA anti-spoofing??

That sounds like something I had done in the past on an old PIX; I just couldn't remember it. So it would appear that is my only option then? The Checkpoint had an option of specifying what to bypass with anti-spoofing; I just could not find anything with a PIX/ASA to do that. Also, the DNS doctoring would do about the same thing; I just wouldn't have to create all the NAT rules but rather create alias commands to convert the DNS. We have gotten around this somewhat by using the DMZ DNS servers for the wireless clients and allowing the wireless to access these servers by the DMZ addressing. The real issue is that they have hundreds of subdomains that are not on the DMZ DNS server but are only on the internet DNS server.

Cisco Employee

Re: Can I bypass ASA anti-spoofing??

Correct. As of now you have to live with the anti-spoof/stateful inspection feature of the FW, though a feature request has been filed about disabling the ABR/stateful check.

hth

Ashish !
