900 Views · 0 Helpful · 10 Replies

how would the firewall react ?

carl_townshend
Spotlight

Hi all

We have a setup where the firewall is the default gateway for all clients. The firewall then routes some traffic to a WAN router; the router is on the same LAN as the internal interface, so it is effectively hairpinning.

My question is, the return traffic from the router hits the LAN on the way back, basically bypassing the firewall.

How does the firewall handle this?

Would it result in lots of half-open connections?

Cheers

Carl

10 Replies

Is there a reason why the router is not the default gateway?

Is the firewall connected to any other network, or does it send all traffic to the router? If it sends all traffic to the router, why is it not placed inline?

This can create problems on the ASA, as traffic from hosts will have different sequence numbers than what the ASA is expecting to see, and the ASA may very well see this as an attack and start dropping packets.

You could configure PBR on the router, forcing it to send all traffic to the ASA, but this is a very "dirty" way of doing things. If at all possible I would place the ASA inline between the router and the LAN.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

It's a temporary setup whilst we migrate a site.

We are just replicating the current site setup, just replacing old hardware; we will change the topology in the next phase, as we don't want to do too many changes at once. The idea is that the WAN router will hang off the DMZ interface very shortly.

There is currently a WatchGuard firewall, and packets seem to flow OK through that at present.

Your thoughts?

OK, I just set up a quick lab and I managed to get ICMP to work with a similar kind of setup to the one you are thinking of doing. However, I am not able to test using different protocols. But I am thinking that if it doesn't work at first, then perhaps just setting up a TCP bypass will do the trick.


How would you do a TCP bypass?

This is an example of TCP bypass configuration on the ASA:

access-list ACL-NAME extended permit tcp 10.10.10.0 255.255.255.0 any
class-map CLASS-NAME
  match access-list ACL-NAME
policy-map POLICY-NAME
  class CLASS-NAME
    set connection advanced-options tcp-state-bypass
service-policy POLICY-NAME outside


So is this effectively a packet filter?

Yes, but it is a very bad idea to leverage tcp-state-bypass here. The design should be changed to avoid the asymmetric routing.

Sincerely,
David.

I wouldn't exactly say it is a filter, as it is not filtering anything per se; instead we are telling the ASA to overlook certain criteria that would otherwise cause a packet to be dropped.

But I agree with David, and mentioned it further up, that the design should be changed.


It can be a 'filter' if an ACL is applied to the interface on which the initial packets are ingressing.

Note that with tcp-state-bypass we still check interface ACLs, but we no longer perform inspections on the traffic nor any TCP-specific checks (flags, Seq/ACK analysis, etc.). Additionally, we cannot tear down the connection when it is finished, because we are not tracking the TCP states. Therefore, I would advise lowering the conn timeouts if you use this.

Sincerely,
David.

True, the interface ACLs are still checked, but it is not the TCP bypass that is doing the filtering, which is why I said that it is not filtering.

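The following is a toy model added to illustrate the two behaviours discussed in this thread; it is not code from the thread, from Cisco or from the ASA. It simulates a stateful firewall that sees only the client's side of a hairpinned TCP connection (the SYN-ACK and the server's FIN come back via the router, straight onto the LAN), first with normal state tracking, where the client's ACK and data arrive "out of state" and the entry sits half-open until it times out, and then in a bypass mode modelled on David's description (interface ACL still evaluated, no flag or sequence checks, no teardown on FIN, idle timeout as the only cleanup). The addresses, the `Firewall` class, its state machine and the `lan_acl` stand-in for the thread's ACL are constructed assumptions, not ASA internals.

```python
"""Toy model of the hairpinned topology from this thread: client packets cross the firewall,
but the router puts return packets straight onto the LAN. Constructed example, not ASA code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as letters: "S", "SA", "A", "PA", "FA"
    via_firewall: bool  # False: packet takes the router-to-LAN path and the firewall never sees it


def flow_key(p):
    """Direction-independent 4-tuple so both halves of a flow share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class Firewall:
    def __init__(self, acl, bypass=False, idle_timeout=3600):
        self.acl = acl                  # interface ACL: callable(Packet) -> bool
        self.bypass = bypass            # True models tcp-state-bypass (simplified)
        self.idle_timeout = idle_timeout
        self.conns = {}                 # flow_key -> {"state": str, "last": int}

    def process(self, p, now):
        if not p.via_firewall:
            return "NOT_SEEN"
        key = flow_key(p)
        conn = self.conns.get(key)
        if conn is None:
            if not self.acl(p):         # interface ACL applies to new connections in both modes
                return "DROP:acl"
            if self.bypass or p.flags == "S":
                self.conns[key] = {"state": "BYPASS" if self.bypass else "SYN_SEEN", "last": now}
                return "FORWARD"
            return "DROP:no-connection"     # mid-stream packet with no SYN on record
        conn["last"] = now
        if self.bypass:
            return "FORWARD"                # no flag/sequence checks, no teardown on FIN
        state = conn["state"]
        if state == "SYN_SEEN" and p.flags == "SA":
            conn["state"] = "SYNACK_SEEN"
        elif state == "SYNACK_SEEN" and p.flags == "A":
            conn["state"] = "ESTABLISHED"
        elif state == "ESTABLISHED" and "F" in p.flags:
            conn["state"] = "CLOSING"
        elif state == "CLOSING" and "F" in p.flags:
            del self.conns[key]             # both sides closed: normal teardown
        elif state in ("ESTABLISHED", "CLOSING"):
            pass                            # ordinary data or ACK on a tracked flow
        else:
            return "DROP:out-of-state"      # implies packets the firewall never saw
        return "FORWARD"

    def expire(self, now):
        """Idle-timeout sweep; the only way a bypassed connection goes away."""
        stale = [k for k, c in self.conns.items() if now - c["last"] > self.idle_timeout]
        for k in stale:
            del self.conns[k]
        return len(stale)

    def half_open(self):
        return sum(1 for c in self.conns.values() if c["state"] in ("SYN_SEEN", "SYNACK_SEEN"))


LAN_CLIENT, WAN_SERVER = "10.10.10.5", "203.0.113.10"   # constructed addresses


def lan_acl(p):
    """Stand-in for 'permit tcp 10.10.10.0 255.255.255.0 any' (constructed)."""
    return p.src.startswith("10.10.10.")


def hairpin_exchange():
    """One HTTPS connection where every server-to-client packet bypasses the firewall."""
    c, s = (LAN_CLIENT, 40000), (WAN_SERVER, 443)
    return [
        Packet(*c, *s, "S", True),     # client SYN through the firewall
        Packet(*s, *c, "SA", False),   # SYN-ACK from the router straight onto the LAN
        Packet(*c, *s, "A", True),
        Packet(*c, *s, "PA", True),    # request data
        Packet(*s, *c, "FA", False),   # server closes, again past the firewall
        Packet(*c, *s, "FA", True),
    ]


def symmetric_exchange():
    """The same connection with the firewall inline in both directions."""
    return [Packet(p.src, p.sport, p.dst, p.dport, p.flags, True) for p in hairpin_exchange()]


def run(exchange, bypass):
    """Feed one packet per second through a firewall; return it and the per-packet verdicts."""
    fw = Firewall(lan_acl, bypass=bypass)
    return fw, [fw.process(p, now=t) for t, p in enumerate(exchange)]


if __name__ == "__main__":
    for label, exch, bypass in [("inline", symmetric_exchange(), False),
                                ("hairpin", hairpin_exchange(), False),
                                ("hairpin+bypass", hairpin_exchange(), True)]:
        fw, verdicts = run(exch, bypass)
        print(label, verdicts, "left:", len(fw.conns), "half-open:", fw.half_open(), "expired:", fw.expire(10_000))
```

Running it shows the three outcomes side by side: inline, every packet is forwarded and the entry is torn down on the second FIN; hairpinned with state tracking, only the SYN gets through and one half-open entry lingers until the idle sweep; hairpinned with bypass, everything the ACL permits is forwarded, but the entry survives the FIN and is only removed by the idle timeout, which is why David suggests lowering the conn timeouts.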