topic Re: TCP Bypass not working in Network Security

TCP Bypass not working

markus.bock — Sat, 10 Oct 2020 16:00:04 GMT

Hello,

I have a problem with asymetric routing for a host in our network. A connection comming from www to the host is going through a third party utm appliance to the host 10.10.10.99. The default gateway is a cisco asa 10.10.10.1. In the log of the asa i can see the message

Deny TCP (no connection) from 10.10.10.99/3389 to 80.122.157.55/34334 flags SYN ACK on interface NET_10.10.10.0_Inside

This shows me a problem with asymmetric routing. I cannot change the routing and access from www to the host, I would like to configure TYP Bypass for this host but I don't get it to work.

I have configured the following policy

access-list tcp_bypass extended permit tcp host 10.10.10.99 any
class-map tcp_bypass
match access-list tcp_bypass
policy-map tcp_bypass_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface NET_10.10.10.0_Inside

But when I try to access the host I still get the log entries from above.

Can anybody please help me to find the problem please?

Re: TCP Bypass not working

Francesco Molino — Sun, 11 Oct 2020 02:29:58 GMT

After enabling the tcp bypass policy, are you still getting the same error?

I don't know your real design but have you checked if PBR would be a better solution to forward back this traffic to the other UTM from that particular host?

Re: TCP Bypass not working

markus.bock — Sun, 11 Oct 2020 06:47:47 GMT

Yes, I get the same log entry.

Good idea with PBR. I will try it

Thanks and kind regards

Re: TCP Bypass not working

markus.bock — Sun, 11 Oct 2020 10:03:08 GMT

PBR is not the solution for my problem because the ASA is out internal gateway for all networks.

I need the tcp-bypass working but I don't understand why it is not working

Re: TCP Bypass not working

Aref Alsouqi — Sun, 11 Oct 2020 17:48:02 GMT

The destination IP on the TCP bypass ACL should be the remote host, is that what you configured? Also, you would need to apply the same-security-traffic permit intra-interface command to allow the traffic to enter and exit out of the same interface.

Also, please a look at this post of mine about TCP bypass on the ASA:

https://bluenetsec.com/asa-tcp-state-bypass/

Re: TCP Bypass not working

markus.bock — Sun, 11 Oct 2020 18:37:40 GMT

As Destination I have configzred ANY. The source host ist 10.10.10.99 and same-security-traffic permit intra-interface is set.

As service I have configured TCP because of the dynamic ports.

Re: TCP Bypass not working

MHM Cisco World — Mon, 12 Oct 2020 13:25:32 GMT

make Host initiate the traffic toward the ASA outside
OR
make inside with different VLAN,
one for UTM and other for ASA
and make UTM the default gateway.

last thing ASA not support PRB

Re: TCP Bypass not working

MHM Cisco World — Mon, 12 Oct 2020 18:14:21 GMT

Does it solve or NOT?
same-security-traffic is for the traffic for same interface,
here the traffic is enter via OUTSIDE of UTM and exit from INSIDE of ASA.
I check the config can you test the following,
change the real IP address with Mapped address in Extended ACL.

Re: TCP Bypass not working

Aref Alsouqi — Mon, 12 Oct 2020 20:29:17 GMT

Can you please share the topology along with the IP addresses?, I think the 10.10.10.99 should be the destination host on the ACL, not the source, but if you can share the topology I can get my head around it better.

Re: TCP Bypass not working

Marius Gunnerud — Tue, 13 Oct 2020 08:58:28 GMT

Interesting. Have you confirmed that routing towards internet and NAT for 10.10.10.99 are in place on the ASA?

As Aref has mentioned, would be good to see a topology diagram with an explanation of expected traffic flow.

Re: TCP Bypass not working

markus.bock — Tue, 13 Oct 2020 09:17:58 GMT

Attached is the network diagram.

I have tested it with a server in a other vlan with the same result.

Re: TCP Bypass not working

Marius Gunnerud — Tue, 13 Oct 2020 09:29:13 GMT

could you run a packet tracer on the ASA to verify we are hitting the TCP bypass configuration.

Re: TCP Bypass not working

Aref Alsouqi — Tue, 13 Oct 2020 16:20:41 GMT

I think in this case you would need tcp bypass to be implemented on both the internal and external firewall.

Re: TCP Bypass not working

markus.bock — Tue, 13 Oct 2020 20:12:25 GMT

Of course do I need it on the internal and on the external firewall. But tcp bypass needs to work ion the internal at first and this is the problem

I'll do a paket capture tomorow

Thanks

Re: TCP Bypass not working

Aref Alsouqi — Wed, 14 Oct 2020 06:41:15 GMT

Try to add this on the external firewall:

access-list tcp_bypass extended permit tcp any host 10.10.10.99
access-list tcp_bypass extended permit tcp host 10.10.10.99 any

and this on the internal:

access-list tcp_bypass extended permit tcp host 10.10.10.99 any

As the ASA would create the state entries tied to the interfaces (unless you configure interfaces zones) the traffic leaving the external firewall out of the DMZ interface would not match the return traffic via the transfer interface, hence it would be dropped. This is why I think you need two rules on the tcp_bypass ACL. One to match the traffic leaving its DMZ interface towards the host 10.10.10.99, and another to match the received traffic from the host 10.10.10.99 on transfer interface. However, for the internal firewall, it would only have one possibility to see the host 10.10.10.99 traffic via VLAN10 interface, therefore, we would need only rule on the internal firewall.

Re: TCP Bypass not working

Marius Gunnerud — Wed, 14 Oct 2020 09:25:34 GMT

Could you please verify if traffic is actually matching your ACL that is used for TCP bypass. This should be visible in a packet tracer

Re: TCP Bypass not working

MHM Cisco World — Wed, 14 Oct 2020 14:29:44 GMT

try this

1-config the mapped IP not real IP in ACL extended tcp_bypass.

2- remove any and config outside subnet of ASA.

try this solution I think this is solution for your issue.