<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Question behavior ASA in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273031#M417888</link>
    <description>&lt;P&gt;Hello all,&lt;/P&gt;&lt;P&gt;I have a question about a test environment. I set up the topology as in the attached file, and after adding on the ASA the route to 172.16.2.0/24 via 192.168.0.10, the ping command works, but no connection-oriented protocol works. I monitored with the debug command and noticed that the packet leaves the station with IP address 192.168.1.3 for the IP address 172.16.2.2 successfully; the packet with the SYN flag arrives, and when the 172.16.2.2 server responds with the ACK flag it returns without problems. But when the station with IP address 192.168.1.3 returns the packet with the SYN/ACK flag, the Cisco ASA receives the packet and, as the ACK was not returned by the ASA, the Cisco ASA seems to lose the packet and execute a teardown, and the connection is not completed. I believe this is because the Cisco ASA may interpret this behavior as a man-in-the-middle attack. Is there a way to disable that check on the Cisco ASA? I ask for the sake of knowledge, because this scenario will not be used.&lt;/P&gt;&lt;P&gt;Regards.&lt;/P&gt;</description>
    <pubDate>Fri, 21 Feb 2020 11:37:10 GMT</pubDate>
    <dc:creator>r-barbosa</dc:creator>
    <dc:date>2020-02-21T11:37:10Z</dc:date>
    <item>
      <title>Question behavior ASA</title>
      <link>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273031#M417888</link>
      <description>&lt;P&gt;Hello all,&lt;/P&gt;&lt;P&gt;I have a question about a test environment. I set up the topology as in the attached file, and after adding on the ASA the route to 172.16.2.0/24 via 192.168.0.10, the ping command works, but no connection-oriented protocol works. I monitored with the debug command and noticed that the packet leaves the station with IP address 192.168.1.3 for the IP address 172.16.2.2 successfully; the packet with the SYN flag arrives, and when the 172.16.2.2 server responds with the ACK flag it returns without problems. But when the station with IP address 192.168.1.3 returns the packet with the SYN/ACK flag, the Cisco ASA receives the packet and, as the ACK was not returned by the ASA, the Cisco ASA seems to lose the packet and execute a teardown, and the connection is not completed. I believe this is because the Cisco ASA may interpret this behavior as a man-in-the-middle attack. Is there a way to disable that check on the Cisco ASA? I ask for the sake of knowledge, because this scenario will not be used.&lt;/P&gt;&lt;P&gt;Regards.&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 11:37:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273031#M417888</guid>
      <dc:creator>r-barbosa</dc:creator>
      <dc:date>2020-02-21T11:37:10Z</dc:date>
    </item>
    <item>
      <title>Re: Question behavior ASA</title>
      <link>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273032#M417889</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The ASA firewall is a stateful firewall and therefore needs to see every packet of a connection.  The connection entry on the ASA is populated upon receipt of the SYN packet.  On the ASA, this is likely going to be seen as a 'Deny TCP (no connection)' syslog message.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In ASA version 8.2, the TCP State Bypass feature was implemented.  This feature removes all security checks for the traffic, performing very similarly to an access-list entry on a router.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 08 Aug 2009 03:28:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273032#M417889</guid>
      <dc:creator>Kevin Redmon</dc:creator>
      <dc:date>2009-08-08T03:28:04Z</dc:date>
    </item>
    <item>
      <title>Re: Question behavior ASA</title>
      <link>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273033#M417891</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi kredmon, thanks for responding.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You said that the bypass feature was implemented in version 8.2, but I'm using version 8.4, and there is an ACL inside with "permit ip any any". Isn't just that enough?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 10 Aug 2009 11:40:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273033#M417891</guid>
      <dc:creator>r-barbosa</dc:creator>
      <dc:date>2009-08-10T11:40:42Z</dc:date>
    </item>
    <item>
      <title>Re: Question behavior ASA</title>
      <link>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273034#M417892</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;8.4 is not a valid ASA version.  You may be running 8.0(4).  The TCP State Bypass feature is available in 8.2(1) or later.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;'permit ip any any' simply states that all UDP and TCP connections are permitted.  However, the ASA will still inspect both connections for state and other security checks.  In the case of TCP, the first packet MUST be a SYN.  Otherwise, without the SYN, we should never see a SYN-ACK.  A syslog message, 'Deny TCP (no connection)', would result if we saw the SYN-ACK without the SYN packet.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best Regards,&lt;/P&gt;&lt;P&gt;Kevin&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 10 Aug 2009 11:54:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273034#M417892</guid>
      <dc:creator>Kevin Redmon</dc:creator>
      <dc:date>2009-08-10T11:54:53Z</dc:date>
    </item>
    <item>
      <title>Re: Question behavior ASA</title>
      <link>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273035#M417893</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Kevin,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Even defining the "permit ip any any", as you said, it does not disable the stateful firewall. How do I turn off the stateful firewall or enable bypass?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 10 Aug 2009 15:02:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273035#M417893</guid>
      <dc:creator>r-barbosa</dc:creator>
      <dc:date>2009-08-10T15:02:49Z</dc:date>
    </item>
    <item>
      <title>Re: Question behavior ASA</title>
      <link>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273036#M417894</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Kevin,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I executed the following commands and it works. Thanks, Kevin.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;!----------------------------------&lt;/P&gt;&lt;P&gt;access-list tcp_bypass extended permit ip 192.168.0.0 255.255.0.0 172.16.2.0 255.255.255.0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;class-map tcp_bypass&lt;/P&gt;&lt;P&gt;	match access-list tcp_bypass&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;policy-map tcp_bypass_policy&lt;/P&gt;&lt;P&gt;	class tcp_bypass&lt;/P&gt;&lt;P&gt;		set connection advanced-options tcp-state-bypass&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;service-policy tcp_bypass_policy interface inside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;!-----------------------------&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 10 Aug 2009 17:34:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273036#M417894</guid>
      <dc:creator>r-barbosa</dc:creator>
      <dc:date>2009-08-10T17:34:21Z</dc:date>
    </item>
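The stateful check Kevin describes and the TCP State Bypass class configured in the post above, as an added Python model that is not part of the thread and is not ASA code. Everything in it is constructed: the hosts and ports follow the thread's description, the denial text is modelled on the ASA's %ASA-6-106015 "Deny TCP (no connection)" message, and the model assumes the class matches its access-list in either direction (the thread's inside-to-server ACL did cover the server's SYN/ACK). It also runs an asymmetric flow to a host outside the ACL to show that bypass is scoped to what the access-list matches, which is why that ACL should be kept as narrow as possible.

```python
"""Toy model of the ASA behaviour discussed in this thread.

Added illustration, not ASA code and not anything posted in the thread.
It models (1) the default stateful check, under which a TCP segment with no
connection entry is dropped, and (2) a TCP State Bypass class that skips
that check for traffic matched by an access-list. Addresses, ports and the
packet sequences are constructed from the thread's description.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]        # e.g. frozenset({"SYN", "ACK"})
    iface: str = "inside"


def conn_key(p: Packet) -> FrozenSet[Tuple[str, int]]:
    """Connection entries are keyed by the unordered endpoint pair."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class BypassClass:
    """Models `class-map tcp_bypass` with `match access-list tcp_bypass`.

    Each ACL entry is (source network, destination network). Assumption of
    this model: the class matches a flow in either direction, which is what
    let the thread's inside-to-server ACL cover the server's SYN/ACK.
    """

    def __init__(self, acl: Sequence[Tuple[str, str]]) -> None:
        self.acl = [(ip_network(s), ip_network(d)) for s, d in acl]

    def matches(self, p: Packet) -> bool:
        s, d = ip_address(p.src), ip_address(p.dst)
        return any((s in sn and d in dn) or (d in sn and s in dn)
                   for sn, dn in self.acl)


@dataclass
class StatefulFirewall:
    bypass: Optional[BypassClass] = None
    conns: Set[FrozenSet[Tuple[str, int]]] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def process(self, p: Packet) -> str:
        """Return "permit" or "deny" for one packet and update state."""
        if self.bypass is not None and self.bypass.matches(p):
            # tcp-state-bypass: no connection entry and no SYN check; the
            # segment is forwarded much as a router ACL permit would.
            return "permit"
        key = conn_key(p)
        if p.flags == frozenset({"SYN"}):
            self.conns.add(key)            # first packet must be a bare SYN
            return "permit"
        if key in self.conns:
            if p.flags.intersection({"FIN", "RST"}):
                self.conns.discard(key)    # teardown on FIN or RST
            return "permit"
        # No connection entry: the case the thread hit. Text modelled on the
        # %ASA-6-106015 "Deny TCP (no connection)" syslog message.
        self.log.append(
            "%%ASA-6-106015: Deny TCP (no connection) from %s/%d to %s/%d "
            "flags %s on interface %s"
            % (p.src, p.sport, p.dst, p.dport,
               " ".join(sorted(p.flags)), p.iface))
        return "deny"


def run(packets: Sequence[Packet],
        bypass: Optional[BypassClass] = None) -> Tuple[List[str], List[str]]:
    """Push a packet sequence through a fresh firewall; return verdicts and log."""
    fw = StatefulFirewall(bypass=bypass)
    return [fw.process(p) for p in packets], fw.log


SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})

# Constructed: the client's SYN reaches 172.16.2.2 by a path the ASA does not
# inspect, so the first segment the ASA sees is the server's SYN/ACK.
ASYMMETRIC = [
    Packet("172.16.2.2", 80, "192.168.1.3", 51000, SYNACK),
    Packet("192.168.1.3", 51000, "172.16.2.2", 80, ACK),
]
# Constructed: same asymmetry towards a host outside the bypass ACL.
UNRELATED = [Packet("10.9.9.9", 443, "192.168.1.3", 51001, SYNACK)]
# Constructed: symmetric flow, SYN first, passes the default check.
SYMMETRIC = [
    Packet("192.168.1.3", 51002, "172.16.2.2", 80, SYN),
    Packet("172.16.2.2", 80, "192.168.1.3", 51002, SYNACK),
]
# The access-list from the thread: 192.168.0.0/16 to 172.16.2.0/24.
THREAD_ACL = BypassClass([("192.168.0.0/16", "172.16.2.0/24")])

if __name__ == "__main__":
    for name, pkts, acl in [("symmetric, no bypass", SYMMETRIC, None),
                            ("asymmetric, no bypass", ASYMMETRIC, None),
                            ("asymmetric, bypass", ASYMMETRIC, THREAD_ACL),
                            ("unrelated, bypass", UNRELATED, THREAD_ACL)]:
        verdicts, log = run(pkts, acl)
        print(name, verdicts, *log, sep="\n  ")
```

Running it shows the symmetric flow permitted with no log, the asymmetric flow denied twice with two "Deny TCP (no connection)" lines, the same flow permitted once the thread's ACL is attached as a bypass class, and the unrelated asymmetric flow still denied because it falls outside that ACL.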
    <item>
      <title>Re: Question behavior ASA</title>
      <link>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273037#M417897</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You may also be facing a translation issue.  Please be sure that you have translations defined for the traffic.  For instance, a 'nat (inside) 0' with an access-list covering traffic from the 192.168.0.0/16 network to the 172.16.2.0/24 network.  You will also need 'same-security-traffic permit intra-interface'.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814" target="_blank"&gt;http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you still experience issues, please gather the debug-level syslogs ('logging buffered debug').&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 14 Aug 2009 01:47:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/question-behavior-asa/m-p/1273037#M417897</guid>
      <dc:creator>Kevin Redmon</dc:creator>
      <dc:date>2009-08-14T01:47:03Z</dc:date>
    </item>
  </channel>
</rss>

