New Member

how would the firewall react ?

Hi all

We have a setup where the firewall is the default gateway for all clients, the firewall then routes some traffic to a wan router, the router is on the same lan as the internal interface, so hairpinning effectively

My question is, the return traffic from the router hits the lan on the way back basically bypassing the firewall

how does the firewall handle this?

would it result in lots of half open connections?

Cheers

Carl

10 REPLIES
VIP Green

how would the firewall react ?

Is there a reason why the router is not the default gateway?

Is the firewall connected to any other network or does it send all traffic to the router? If it sends all traffic to the router, why is it not placed inline?

This can create problems on the ASA as traffic from hosts will have different sequence numbers than what the ASA is expecting to see and the ASA may very well see this as an attack and start dropping packets.

You could configure PBR on the router forcing it to send all traffic to the ASA, but this is a very "dirty" way of doing things.  If at all possible I would place the ASA inline between the router and the LAN.

--
Please remember to rate and select a correct answer
New Member

how would the firewall react ?

It's a temporary setup whilst we migrate a site.

We are just replicating the current site setup, just replacing old hardware; we will change the topology in the next phase as we don't want to do too many changes at once. The idea is the WAN router will hang off the DMZ interface very shortly.

There is currently a WatchGuard firewall, and packets seem to flow OK through that at present.

your thoughts ?

VIP Green

how would the firewall react ?

Ok, I just set up a quick lab and I managed to get ICMP to work with a similar kind of setup to the one you are thinking of doing. However I am not able to test using different protocols. But I am thinking that if it doesn't work at first, then perhaps just setting up a TCP bypass will do the trick.

--
Please remember to rate and select a correct answer
New Member

how would the firewall react ?

how would you do a tcp bypass ?

VIP Green

how would the firewall react ?

This is an example of TCP bypass configuration on the ASA:

! Traffic that should skip TCP state tracking
access-list ACL-NAME extended permit tcp 10.10.10.0 255.255.255.0 any
!
class-map CLASS-NAME
  match access-list ACL-NAME
!
policy-map POLICY-NAME
  class CLASS-NAME
    set connection advanced-options tcp-state-bypass
!
! service-policy needs the "interface" keyword (or "global")
service-policy POLICY-NAME interface outside

--
Please remember to rate and select a correct answer
New Member

how would the firewall react ?

so is this effectively a packet filter?

Silver

how would the firewall react ?

Yes, but it is a very bad idea to leverage tcp-state-bypass here.  The design should be changed to avoid the asymmetric routing.

Sincerely,


David.

VIP Green

how would the firewall react ?

I wouldn't exactly say it is a filter, as it is not filtering anything per se, but instead we are telling the ASA to overlook certain criteria that would otherwise cause a packet to be dropped.

But I agree with David, and mentioned it further up, that the design should be changed.

--
Please remember to rate and select a correct answer
Silver

how would the firewall react ?

It can be a 'filter' if an ACL is applied to the interface for which the initial packets are ingressing.

Note with tcp-state-bypass we still check interface ACLs, but no longer perform inspections on the traffic nor any TCP-specific checks (flags, Seq/ACK analysis, etc.). Additionally, we cannot tear down the connection when it is finished because we are not tracking the TCP states. Therefore, I would advise lowering the conn timeouts if you use this.

Sincerely,


David.
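Putting David's two cautions together (bypass only what must be bypassed, and shorten the conn timeout), here is an added example configuration for the hairpin scenario in this thread; it is not any poster's config, and the subnets, names and interface are assumptions.

```cisco
! Added example, not the poster's config. Assumes clients on 10.10.10.0/24 behind the
! ASA "inside" interface, the WAN router on that same LAN, and a remote-site subnet
! 192.168.50.0/24 reachable only via that router (all values constructed).
!
! Hairpinning: allow traffic to leave through the interface it arrived on.
same-security-traffic permit intra-interface
!
! Match only the flows that will actually return asymmetrically (client -> remote site
! via the router), so every other connection keeps full stateful inspection.
access-list TCP-BYPASS extended permit tcp 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
!
class-map CM-TCP-BYPASS
  match access-list TCP-BYPASS
!
policy-map PM-INSIDE
  class CM-TCP-BYPASS
    set connection advanced-options tcp-state-bypass
    ! Bypassed connections are never torn down by FIN/RST tracking, so age them out
    ! sooner than the global default (1 hour). "idle" is the 8.2(1)+ keyword; earlier
    ! releases use "set connection timeout tcp".
    set connection timeout idle 0:10:00
!
! Apply on the interface where the asymmetric flows ingress (inside), not outside.
service-policy PM-INSIDE interface inside
```

Before enabling this, confirm the symptom with show asp drop (out-of-state TCP drops rising) and afterwards check show conn detail, whose flag legend marks state-bypassed connections, so you can see exactly which flows lost stateful tracking.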

VIP Green

how would the firewall react ?

True that the interface ACLs are still checked, but it is not the TCP bypass that is doing the filtering, which is why I said that it is not filtering.

--
Please remember to rate and select a correct answer