We have kind of a strange situation going on. We have a web server hosted in a DMZ located off our DMZ interface on our ASA. This web server has two NICs, one of which is in a management VLAN connected directly to our core switch, bypassing the ASA; the other is in the DMZ segment of our network. The issue is our users cannot access the website hosted on this server when they are connected to guest wifi. We believe this is due to some asymmetric routing on the web server, where the traffic is returning on a different interface on the ASA from where it was originally received.
Please see attachment for a crude network diagram illustrating the traffic flow.
The easiest solution would be to put a host route on the web server pointing this traffic back through the ASA, but the vendor who manages this web server has been extremely difficult to work with.
I was wondering if anyone had a similar situation and how they resolved it.
Unfortunately, if the web server is not returning the traffic via the same NIC it left on, it will indeed cause asymmetric routing and the firewall will deny the flow.
As a stateful firewall it will not allow the 3-way handshake to complete, since the ACK will return via a different path than that on which the SYN arrived.
The vendor really needs to put the one line in their routing table to fix this. (Or you could be petty and break their management connection. :) )
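To make the stateful-inspection point above concrete, here is a toy model of a firewall connection table replaying the handshake from this thread. It is an added illustration, not ASA code or anything from the original posts; the interface names (Guest_Wifi, DMZ, Inside), the client address and the port numbers are assumptions built from the thread's description.

```python
from dataclasses import dataclass, field

# Constructed routing table for the thread's topology (assumed prefixes).
ROUTES = {"192.168.1.": "Guest_Wifi", "10.0.10.": "DMZ", "10.100.0.": "Inside"}

@dataclass(frozen=True)
class Packet:
    src: str      # "ip:port"
    dst: str      # "ip:port"
    flags: str    # "SYN" or "SYN-ACK"
    ingress: str  # firewall interface the packet arrives on

def egress_for(endpoint):
    """Return the interface the firewall would forward toward this endpoint."""
    ip = endpoint.split(":")[0]
    for prefix, iface in ROUTES.items():
        if ip.startswith(prefix):
            return iface
    raise KeyError(endpoint)

@dataclass
class StatefulFirewall:
    state_bypass: bool = False                 # models tcp-state-bypass on this flow
    conns: dict = field(default_factory=dict)  # flow -> the two interfaces it was built on

    def inspect(self, pkt):
        if self.state_bypass:
            return "allow (state bypass: no connection tracking)"
        flow = frozenset((pkt.src, pkt.dst))   # same key for both directions
        conn = self.conns.get(flow)
        if conn is None:
            if pkt.flags != "SYN":
                return "drop (no connection for non-SYN packet)"
            self.conns[flow] = frozenset((pkt.ingress, egress_for(pkt.dst)))
            return "allow (new connection)"
        if pkt.ingress not in conn:
            return f"drop (asymmetric: arrived on {pkt.ingress}, expected one of {sorted(conn)})"
        return "allow (matches existing connection)"

def simulate(reply_iface="Inside", state_bypass=False):
    """SYN enters on Guest_Wifi; the SYN-ACK comes back on reply_iface.
    The default models the thread: the server answers from its DMZ address
    but out its management NIC, so the reply reaches the firewall on Inside."""
    fw = StatefulFirewall(state_bypass)
    client, server = "192.168.1.50:51000", "10.0.10.3:443"  # constructed sample flow
    packets = [Packet(client, server, "SYN", "Guest_Wifi"),
               Packet(server, client, "SYN-ACK", reply_iface)]
    return [fw.inspect(p) for p in packets]
```

Running `simulate()` shows the SYN-ACK dropped; `simulate(reply_iface="DMZ")` (the host-route fix) and `simulate(state_bypass=True)` both let it through, which is why the bypass works but also why it gives up the stateful check.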
Thanks for your response; if it was my network I would :). Unfortunately, we only manage the firewall and a few switches for this customer. The vendor was adamant when I spoke with them last that it is not an issue on their side and was quite difficult to work with. It's been a frustrating experience. I've been considering TCP state bypass, but I don't have any experience with it and I'm not entirely sure if it will resolve the issue. Another option I've been thinking about is possibly some interesting NAT like below, although I'm not sure if this will work either.
object network obj-192.168.1.0 #guest wifi segment
object network obj-10.0.10.3 #DMZ address of web server
object network obj-10.100.0.10 #inside IP of web server
nat (Guest_Wifi,Inside) source static obj-192.168.1.0 obj-192.168.1.0 destination static
I hear you. I usually try presenting the recalcitrant party with a packet capture. Sometimes hard data will cause them to change their tune.
What you're suggesting as a workaround might work. Personally, I try to avoid things like TCP state bypass and NAT tricks unless it's an absolute last resort.