topic ASA SYN ACK missing related with a firewall inside a DMZ of another ASA in Network Security

ASA SYN ACK missing related with a firewall inside a DMZ of another ASA

albertocolosi — Mon, 11 Mar 2019 23:44:47 GMT

Hi I have two control point, two firewall

the second one is linked inside one DMZ from the first firewall

route is good and inside the DMZ from first firewall I have servers too

so to be more clear we could call as IP for the DMZ from first firewall, Interface IP 1.1.1.1 that generate this DMZ with first firewall (netmask 255.255.0.0)

inside the DMZ I have an interface from second firewall with IP 1.1.1.5 and inside DMZ 1.1/16 I have servers too

keep one test server with IP 1.1.1.3

The LAN passing the second firewall is 2.2.2.1 ever 16 bits of netmask (255.255.0.0)

inside the DMZ generated from second firewall I have a machine with IP 2.2.2.9 that need to access in TCP services on machine 1.1.1.3

running the test I have this scenario:

TCP packets from 2.2.2.9 pass the second firewall and arrive inside DMZ with net 1.1/16 and arrive to server with IP 1.1.1.3

defaul gateway (to answer to originating machine with IP 2.2.2.9) is 1.1.1.1

ASA interface 1.1.1.1 claim a missing related as it haven't mapped the connection that has passed on first firewall. I need only that 1.1.1.1 route packets to second firewall (who own net 2.2/16) avoiding to be trappen in missing related check

at start it was working! around 1 year ago we upgraded IOS to 8.4 and ever so late (one year) doing maintenance to a machine I discovered it was no longer talking with these server on net 1.1/16

I have found on cisco docs chapter 51 and TCP State Bypass ............ is this the only answer and the right answer?

before was working, is something that has changed inside ASA IOS 8.4 ?

HTML version of TCP State Bypass I found that should, could solve my issue is:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Any other info or solutions? is that what I have to configure so to solve? and before was working why no more?

thanks

ASA SYN ACK missing related with a firewall inside a DMZ of anot

mwinnett — Tue, 28 Aug 2012 12:52:15 GMT

Alberto, the easier thing would be to add a static route to server 10.2.2.10 defining 10.3.0.0/16 as being via 10.2.2.100 (ie: start -> run -> cmd -> route add 10.3.0.0 mask 255.255.0.0 10.2.2.100). A better solution would be to make the network between the 2 firewalls to be a point to point link with no devices on that subnet. This depends on having enough interfaces or using sub-interfaces. You should try and avoid static bypass if possible. Matthew

ASA SYN ACK missing related with a firewall inside a DMZ of anot

Julio Carvajal — Tue, 28 Aug 2012 19:06:10 GMT

Hello All,

Another option not the easy one is to use the proxy arp feature and the ASA.

As you know this is a routing problem so what you could do is to NAT the 10.2/16 to a phantom subnet that the internal ASA does not know how to get to so he will always need to send the traffic to the primary ASA This will also solve the routing problem.. Of course now the hosts at 10.1/16 will need to talk to the phantom subnet insted of the 10.2

Remember to rate all the helpful posts

Julio