https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426253#M269375 <HTML><HEAD></HEAD><BODY><P>Yes, but it is a <STRONG>very bad idea</STRONG> to leverage tcp-state-bypass here.&nbsp; The design should be changed to avoid the asymmetric routing.</P><P></P><P>Sincerely,</P><P><BR />David.</P></BODY></HTML> Wed, 19 Feb 2014 13:53:33 GMT David White 2014-02-19T13:53:33Z https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426246#M269355 <P>Hi all</P><P></P><P>We have a setup where the firewall is the default gateway for all clients, the firewall then routes some traffic to a wan router, the router is on the same lan as the internal interface, so hairpinning effectively</P><P></P><P>My question is, the return traffic from the router hits the lan on the way back basically bypassing the firewall</P><P></P><P>how does the firewall handle this?</P><P></P><P>would it result in lots of half open connections?</P><P></P><P>Cheers</P><P></P><P>Carl</P> Tue, 12 Mar 2019 03:47:19 GMT https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426246#M269355 carl_townshend 2019-03-12T03:47:19Z https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426247#M269360 <HTML><HEAD></HEAD><BODY><P>Is there a reason why the router is not the default gateway?</P><P>Is the firewall connected to any other network or does it send all traffic to the router? If it sends all traffic to the router, why is in not placed inline?</P><P></P><P>This can create problems on the ASA as traffic from hosts will have different sequence numbers than what the ASA is expecting to see and the ASA may very well see this as an attack and start dropping packets.</P><P></P><P>You could configure PBR on the router forcing it to send all traffic to the ASA, but this is a very "dirty" way of doing things.&nbsp; If at all possible I would place the ASA inline between the router and the LAN.</P><P></P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Wed, 19 Feb 2014 11:23:07 GMT https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426247#M269360 Marius Gunnerud 2014-02-19T11:23:07Z https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426248#M269364 <HTML><HEAD></HEAD><BODY><P> Its a temporary setup whilst me migrate a site</P><P></P><P>We are just replicating the current site setup, just replacing old hardware, will change the toplogy in the next phase as we dont want to do too many changes at once. The idea is the wan router will hang off the DMZ interface very shortly.</P><P></P><P>There is currently a watchguard firewall, and packets seem to flow OK through at that at present</P><P></P><P>your thoughts ?</P></BODY></HTML> Wed, 19 Feb 2014 11:28:35 GMT https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426248#M269364 carl_townshend 2014-02-19T11:28:35Z https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426249#M269367 <HTML><HEAD></HEAD><BODY><P>Ok, I just set up a quick lab an I managed to get ICMP to work with a similar kind of setup you are thinking of doing.&nbsp; However I am not able to test using different protocols.&nbsp; But I am thinking that if it doesn't work at first, then perhaps just setting up a TCP&nbsp; bypass will do the trick.</P><P></P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Wed, 19 Feb 2014 12:00:07 GMT https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426249#M269367 Marius Gunnerud 2014-02-19T12:00:07Z https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426250#M269369 <HTML><HEAD></HEAD><BODY><P> how would you do a tcp bypass ?</P></BODY></HTML> Wed, 19 Feb 2014 13:29:34 GMT https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426250#M269369 carl_townshend 2014-02-19T13:29:34Z https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426251#M269372 <HTML><HEAD></HEAD><BODY><P>This is an example of TCP bypass configuration on the ASA:</P><P></P><P><EM><STRONG>access-list ACL-NAME extended permit tcp 10.10.10.0 255.255.255.0 any</STRONG></EM></P><P></P><P><EM><STRONG>class-map CLASS-NAME</STRONG></EM></P><P><EM><STRONG>&nbsp; match access-list ACL-NAME</STRONG></EM></P><P></P><P><EM><STRONG>policy-map POLICY-NAME</STRONG></EM></P><P><EM><STRONG>&nbsp; class CLASS-NAME</STRONG></EM></P><P><EM><STRONG>&nbsp; set connection advanced-options tcp-state-bypass</STRONG></EM></P><P></P><P><EM><STRONG>service-policy POLICY-NAME outside</STRONG></EM></P><DIV> </DIV><P></P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Wed, 19 Feb 2014 13:38:29 GMT https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426251#M269372 Marius Gunnerud 2014-02-19T13:38:29Z https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426252#M269373 <HTML><HEAD></HEAD><BODY><P> so is this effectively a packet filter?</P></BODY></HTML> Wed, 19 Feb 2014 13:49:35 GMT https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426252#M269373 carl_townshend 2014-02-19T13:49:35Z https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426253#M269375 <HTML><HEAD></HEAD><BODY><P>Yes, but it is a <STRONG>very bad idea</STRONG> to leverage tcp-state-bypass here.&nbsp; The design should be changed to avoid the asymmetric routing.</P><P></P><P>Sincerely,</P><P><BR />David.</P></BODY></HTML> Wed, 19 Feb 2014 13:53:33 GMT https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426253#M269375 David White 2014-02-19T13:53:33Z https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426254#M269377 <HTML><HEAD></HEAD><BODY><P>I wouldn't exactly say it is a filter as it is not filtering anything..per se... but instead we are telling the ASA to overlook certain criteria that would otherwise cause a packet to be dropped.</P><P></P><P>But I agre with David, and mention it further up, that the design should be changed.</P><P></P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Wed, 19 Feb 2014 14:04:33 GMT https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426254#M269377 Marius Gunnerud 2014-02-19T14:04:33Z https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426255#M269378 <HTML><HEAD></HEAD><BODY><P>It can be a 'filter' if an ACL is applied to the interface for which the initial packets are ingressing.</P><P>Note with tcp-state-bypass we still check interface ACLs, but no longer perform inspections on the traffic nor any TCP specific checks (flags, Seq/ACK analysis, etc...)&nbsp; Additionally, we cannot tear down the connection when it is finished because we are not tracking the TCP states.&nbsp; Therefore, I would advise lowering the conn timeouts if you use this.</P><P></P><P>Sincerely,</P><P><BR />David.</P></BODY></HTML> Wed, 19 Feb 2014 14:12:56 GMT https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426255#M269378 David White 2014-02-19T14:12:56Z https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426256#M269381 <HTML><HEAD></HEAD><BODY><P>True that the interface ACLs are still checked, but it is not the TCP bypass that is doing the filtering, which is why I said that it is not filtering.</P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Wed, 19 Feb 2014 14:30:37 GMT https://community.cisco.com/t5/network-security/how-would-the-firewall-react/m-p/2426256#M269381 Marius Gunnerud 2014-02-19T14:30:37Z