topic hairpinning, tcp bypass and service policy questions in Network Security

hairpinning, tcp bypass and service policy questions

tato386 — Tue, 12 Mar 2019 01:49:13 GMT

I am using an ASA as the default gateway for my network and I need it to to route traffic to other non-ASA gateways located on the inside interface of the box. Seems like hairpinning and tcp bypass is a must have for my setup. It also seems that I need to define the traffic that goes to these other gateways so I can apply the tcp-bypass feature. In my case I will be creating an ACL that matches source subnet of 192.168.0.0/16 to destination subnets 192.168.0.0/16 and then applying it to inside interface of ASA.

My question is, what will happen when inside traffic hits the inside interface and is destined for outside, public IPs? This traffic usually would be taken care of by the global-policy, but this policy has been replaced with the tcp_bypass policy. Furthermore this traffic does not match the acl for the tcp_bypass policy. It seems like this traffic would not have any service-policy applied to it. So I would have inside to outside traffic crossing the ASA with no service-policy applied. Would this work?

Thanks,
Diego

hairpinning, tcp bypass and service policy questions

Julio Carvajal — Sat, 25 May 2013 21:29:32 GMT

Hello Diego,

A policy-map can be composed of several class-maps (the default-one, the one for the tcp_state_bypass,etc.)so you could have more than one, no issue at all,

Now what will happen to the traffic, well it will not go over the inspections defined there but traffic will still flow through the box with no harm,

Just make sure that if somehow you need an inspection for certain traffic (ftp,icmp,SIP) you add a class-map for that traffic,

Regards

hairpinning, tcp bypass and service policy questions

Karsten Iwen — Sun, 26 May 2013 07:05:36 GMT

Another way to approach your problem: Change your network-design. In my opinion, the users should never use an ASA as a default-gateway (the only exception is the home-office where you'll never have a second gateway). If you place a L3-switch with a transit-link between your users and your ASA, then all these problems you have are gone and it's a more clean and easier design.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

hairpinning, tcp bypass and service policy questions

tato386 — Sun, 26 May 2013 17:46:15 GMT

Karsten:

I agree it would be nice to do as you suggest but quality L3 switches are quite costly. Thanks for your input.

Rgds,

Diego

hairpinning, tcp bypass and service policy questions

tato386 — Sun, 26 May 2013 17:49:37 GMT

service-policy doesn't seem to have the permit xx structure found in route-maps that I am familiar with. What would happen to my traffic if I implented the policy as shown below? The idea would be to use tcp bypass for traffic that is being routed internally but apply different policy to traffic destined for outside the firewall.

Rgds,

Diego

access-list acl_TCPbypass extended permit ip object net_priv192 object net_priv192 log disable

class-map tcp_bypass

match access-list acl_TCPbypass

policy-map my-policy

class tcp_bypass

set connection advanced-options tcp-state-bypass

class class-default

user-statistics accounting

set connection per-client-max 200 per-client-embryonic-max 200

service-policy my-policy interface inside

hairpinning, tcp bypass and service policy questions

Julio Carvajal — Sun, 26 May 2013 19:39:00 GMT

Hello Diego,

Why don't you use the default global policy (do you have the default policy the global one)?

class-map tcp_bypass

match access-list acl_TCPbypass

policy-map global_policy

class tcp_bypass

set connection advanced-options tcp-state-bypass

class class-default

inspect xxx.

inspect x

With that in place you will be doing the TCP state-bypass for the traffic match with that ACL and then leave the rest of the traffic for the other inspection engines,

Regards

hairpinning, tcp bypass and service policy questions

tato386 — Sun, 26 May 2013 21:28:20 GMT

I was just trying to leave the global policy alone just in case I had to switch back to it for whatever reason. But you are right, I can just tack on my stuff to the global.

Thanks!

hairpinning, tcp bypass and service policy questions

Julio Carvajal — Sun, 26 May 2013 21:36:49 GMT

Glad to help,

Regards