We are having ASA 8.0(5) .The issue is that there is a Web filtering appliance that is in inside interface (sec-level 100), IP 172.16.10.24 and the user is on DMZ interface (sec-level 50) , IP 172.16.14.6. The appliance has a monitor NIC, with a SPAN on the switch to monitor web traffic requests passing through network.When it sees a request that it deems as "blocked", it sends a HTTP 302 redirect packet to the client/requesting IP address, with spoofed source address of the blocked resource,which redirects them to a "blocked" page on the appliance. e.g. client 172.16.14.6 requests yahoo.com (say this is IP 220.127.116.11 ) the Web filtering device sees that yahoo.com is blocked, and sends a HTTP 302 redirect packet of source 18.104.22.168
(spoofed IP) to 172.16.14.6 rather than the Source IP as itself .
The problem is that Firewall OBVIOUSLY will not let this traffic pass; reverse path forwarding and stateful connection will see that there is no TCP connection between 22.214.171.124 on the inside interface (where the appliance is) and where the user sits (DMZ interface), and thus drops the traffic.
Below are examples from the logs when performing tests:
Jun 04 2010 18:26:21 ASA1 : %ASA-6-106015: Deny TCP (no connection) from 126.96.36.199/80 to 172.16.14.6/1047 flags FIN PSH ACK on interface inside
Jun 04 2010 18:26:21 ASA1 : %ASA-6-106015: Deny TCP (no connection) from 172.16.14.6/1047 to 188.8.131.52/80 flags RST ACK on interface inside
Please let me know if we can achieve this .According to me we can accomplish this by first disabling the "ip verify reverse path" on the interface as well as we also need to do a Stateful Bypass ; however as ASA version is 8.0.5 we cannot do this via MPF .Hence please let me know if below is the correct method
Current Static NAT is as follows for DMZ users to speak to Inside IPs
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...