02-19-2014 01:31 AM - edited 03-11-2019 08:47 PM
Hi all
We have a setup where the firewall is the default gateway for all clients. The firewall then routes some traffic to a WAN router; the router is on the same LAN as the internal interface, so it is effectively hairpinning.
My question is, the return traffic from the router hits the LAN on the way back, basically bypassing the firewall.
How does the firewall handle this?
Would it result in lots of half-open connections?
Cheers
Carl
02-19-2014 03:23 AM
Is there a reason why the router is not the default gateway?
Is the firewall connected to any other network, or does it send all traffic to the router? If it sends all traffic to the router, why is it not placed inline?
This can create problems on the ASA, as traffic from hosts will have different sequence numbers than what the ASA is expecting to see, and the ASA may very well see this as an attack and start dropping packets.
You could configure PBR on the router forcing it to send all traffic to the ASA, but this is a very "dirty" way of doing things. If at all possible I would place the ASA inline between the router and the LAN.
--
Please remember to rate and select a correct answer
02-19-2014 03:28 AM
It's a temporary setup whilst we migrate a site.
We are just replicating the current site setup, just replacing old hardware; we will change the topology in the next phase as we don't want to do too many changes at once. The idea is the WAN router will hang off the DMZ interface very shortly.
There is currently a WatchGuard firewall, and packets seem to flow OK through it at present.
Your thoughts?
02-19-2014 04:00 AM
Ok, I just set up a quick lab and I managed to get ICMP to work with a similar kind of setup to what you are thinking of doing. However, I am not able to test using different protocols. But I am thinking that if it doesn't work at first, then perhaps just setting up a TCP bypass will do the trick.
02-19-2014 05:29 AM
How would you do a TCP bypass?
02-19-2014 05:38 AM
This is an example of TCP bypass configuration on the ASA:
! ACL selecting the traffic that may be routed asymmetrically
access-list ACL-NAME extended permit tcp 10.10.10.0 255.255.255.0 any
!
class-map CLASS-NAME
 match access-list ACL-NAME
!
policy-map POLICY-NAME
 class CLASS-NAME
  ! skip TCP state tracking (SYN/SEQ/ACK checks) for matching flows
  set connection advanced-options tcp-state-bypass
!
! apply the policy to the interface where the asymmetric flows enter
service-policy POLICY-NAME interface outside
02-19-2014 05:49 AM
So is this effectively a packet filter?
02-19-2014 05:53 AM
Yes, but it is a very bad idea to leverage tcp-state-bypass here. The design should be changed to avoid the asymmetric routing.
Sincerely,
David.
02-19-2014 06:04 AM
I wouldn't exactly say it is a filter, as it is not filtering anything per se, but instead we are telling the ASA to overlook certain criteria that would otherwise cause a packet to be dropped.
But I agree with David, and mentioned it further up, that the design should be changed.
02-19-2014 06:12 AM
It can be a 'filter' if an ACL is applied to the interface on which the initial packets are ingressing.
Note that with tcp-state-bypass we still check interface ACLs, but no longer perform inspections on the traffic nor any TCP-specific checks (flags, Seq/ACK analysis, etc.). Additionally, we cannot tear down the connection when it is finished because we are not tracking the TCP states. Therefore, I would advise lowering the conn timeouts if you use this.
Sincerely,
David.
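A tighter version of the bypass configuration that follows David's advice above (scope the bypass to the asymmetric flows only and shorten the connection timeout), as an added example and not the configuration of any poster in this thread. Assumed addresses: LAN 10.10.10.0/24, remote WAN subnet 192.168.50.0/24 reached via the WAN router; the policy is assumed to be applied on the inside interface, where the client-to-router traffic enters the ASA.

```cisco
! Constructed example, not from the thread.
! Match only TCP flows from the LAN to the subnet behind the WAN router,
! instead of "any", so normal stateful inspection stays on for everything else.
access-list ACL-WAN-BYPASS extended permit tcp 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
!
class-map CLASS-WAN-BYPASS
 match access-list ACL-WAN-BYPASS
!
policy-map POLICY-INSIDE
 class CLASS-WAN-BYPASS
  ! no SYN/SEQ/ACK tracking for these flows, so the asymmetric return path is tolerated
  set connection advanced-options tcp-state-bypass
  ! the ASA never sees a clean FIN/RST teardown for bypassed flows,
  ! so drop the idle timeout well below the default of 1 hour
  set connection timeout idle 0:05:00
!
! apply on the interface where the asymmetric flows enter (assumption: inside)
service-policy POLICY-INSIDE interface inside
!
! Verification: confirm the policy is bound and that only the intended
! connections carry the bypass flag ('b' in show conn detail output)
show service-policy interface inside
show conn detail
```

Interface ACLs on the inside interface are still enforced for these flows; only the TCP state checks and inspections are skipped.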
02-19-2014 06:30 AM
True that the interface ACLs are still checked, but it is not the TCP bypass that is doing the filtering, which is why I said that it is not filtering.