Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
902
Views
0
Helpful
5
Replies

FWSM - Connection goes through the same interface

Anderson Ribeiro
Level 1
Level 1

‎07-18-2012 05:40 AM - edited ‎03-11-2019 04:32 PM

Hello everybody

I have a problem where I have a network that passes fwsm to connect to another network where this other network has a route back to the same input interface.

Look the attached image

Server NY needs to connect in Server MD, I did the configuration conform describe in the box but i can't doing ping ou telnet in the Server MD.

I monitored the connection using tcpdump in the Server VPN to see that something arrive there but nothing.

I saw in the FWMS the access-list and not have them match.

Does anyone have any idea how I can solve this problem?

Thank you!

Labels:
Preview file
112 KB
0 Helpful
5 Replies 5

Jennifer Halim
Cisco Employee
Cisco Employee

‎07-18-2012 07:48 AM

It won't work because there will be asymmetric routing and the FWSM will drop the session.

Here is the traffic flow as per your network:

1) From Server MD to Server NY: Server MD --> VPN server --> directly to Server NY because they are in the same subnet 10.1.51.x

2) From Server NY to Server MD: Server NY --> default gateway FWSM DMZ interface (because FWSM does not see the first packet, it will drop the session).

Hence it does not work in your testing.

The easiest to resolve this issue is to configure static route on Server NY for Server MD ip address to point towards the VPN server instead of using its default gateway FWSM DMZ interface.

So on Server NY: route 192.168.10.10 255.255.255.255 10.1.51.10

0 Helpful

Anderson Ribeiro
Level 1
Level 1
In response to Jennifer Halim

‎07-18-2012 08:16 AM

Jennifer,

Thanks for answer.

I thought it was possible the same as linux where I release through FORWARD.

It really does not have the FWSM correct?

Because I have many servers on the side of NY, more than 150. To put local route on each server would not be very suitable agree?

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Anderson Ribeiro

‎07-18-2012 08:20 AM

You can configure: same-security-traffic permit intra-interface

As well as configuring TCP state bypass, but pls kindly be advised that it really defeats the purpose of having a firewall (FWSM) in place if you configure it to bypass the TCP state as it could have been an attack and the FWSM will not detect that because you have configured it to do so. However, this will resolve your problem.

Here is more information on TCP state bypass and how to configure it:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/command/reference/s1.html#wp2737794

0 Helpful

Anderson Ribeiro
Level 1
Level 1
In response to Jennifer Halim

‎07-18-2012 09:53 AM


Thank you again!

The configuration would be as follows:

access-list DMZ-INT extended permit tcp host 10.1.51.20 host 192.168.10.10

class-map tcp_bypass

   description "TCP traffic that bypasses stateful firewall"

   match access-list DMZ-INT

policy-map tcp_bypass_policy

class tcp_bypass

   set connection advanced-options tcp-state-bypass

      service-policy tcp_bypass_policy outside

This is correct?

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Anderson Ribeiro

‎07-18-2012 09:57 AM

You should also add the following ACL:

access-list DMZ-INT extended permit tcp host 192.168.10.10 host 10.1.51.20

And also the service policy should be applied to your DMZ-INT as follows:

service-policy tcp_bypass_policy DMZ-INT

And remember: same-security-traffic permit intra-interface

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card