Can ASA do this?

cciesec2011
Level 3

I am in the process of converting a customer firewall from Checkpoint over to Cisco ASA and I am encountering an issue that I am not sure the ASA can solve. The ASA was sold to the customer by a VAR, and their engineer told the customer that this can be done, but I am not so sure.

No NAT on the firewall. Everything is routed. I have "permit ip any any log" on all interfaces.

The Checkpoint firewall has three interfaces: external (eth2), dmz1 (eth0) and dmz2 (eth1). The IP addresses are as follows:

eth2: 1.1.2.254/24 --- becomes outside on ASA

eth0: 1.1.0.254/24 --- becomes inside on ASA

eth1: 1.1.1.254/24 --- becomes dmz on ASA

There is a Linux host, X, behind the firewall with two NICs, eth0 and eth1. eth0 is connected to dmz1 and eth1 is connected to dmz2. The default gateway of host X is 1.1.0.254 (dmz1). The IP addresses of host X are eth0: 1.1.0.1/24, eth1: 1.1.1.1/24.

Currently users on the Internet can access either IP address of host X, 1.1.0.1 or 1.1.1.1, without any issues when the firewall is the Checkpoint. If I replace the Checkpoint firewall with the ASA, access to host X via IP address 1.1.1.1 is no longer available. Only access to host X via IP address 1.1.0.1 is still available. I also have "permit ip any any log" on the outside, inside and dmz interfaces of the ASA.

Take out the ASA and put the Checkpoint firewall back in, and access to both 1.1.0.1 and 1.1.1.1 is OK again.

Can ASA do this? Btw, the ASA version is 8.2(1).

8 Replies

Maykol Rojas
Cisco Employee

Hi,

The only way I can see this being possible would be with TCP state bypass, and it would only work for TCP traffic. This is a huge security breach, since the ASA won't be inspecting the traffic over layer 4...

You would be converting your ASA into a router with ACLs.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Cheers

Mike

Mike

1- The example you provided showed two ASAs. Therefore, will this example work on a single ASA with dual interfaces on the internal side?

2- While this may be a huge security risk, this is not an issue with the Checkpoint firewall, since host X's interfaces are connected to the same Checkpoint firewall, and because Checkpoint has no concept of a security level on the interface, it can handle asymmetric routing whereas the ASA cannot.

I guess what you're telling me is that it is not possible with this setup for the ASA, correct?

Thanks in advance.

Hi,

The security levels don't have anything to do with the asymmetric routing... the problem is that the ASA cannot handle it because it gets lost on the TCP sequence number... therefore, anyone who can guess the next sequence number can introduce a packet and by that carry out an attack.....

What I sent you is just an example of how to work with asymmetric routing; you can use it in your scenario as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#asym

Let me know if you need help with this.

Mike

Mike

"the problem is that the ASA cannot handle it because it gets lost on the TCP sequence number."

You can disable TCP sequence number randomization on the ASA and that will solve this issue, right?

The example you sent me, "http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml", has to do with two ASAs and, based on what I am reading, it does not apply to my situation. Think about it in my scenario:

A host on the Internet, 5.5.5.5, tries to access IP address 1.1.1.1. The SYN will go from the outside interface of the ASA to the dmz interface of the ASA and to host X on interface eth1. Host X then replies with the SYN-ACK from eth1, but the traffic will leave interface eth0 of host X and enter the inside interface of the ASA. Now, because the ASA keeps track of the connection table, it will not allow the SYN-ACK to enter the inside interface, thus the connection will be dropped by the ASA.

In the link you provided above, "http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml", because traffic comes in on one ASA and leaves on another ASA, there is no connection table to keep track, therefore the TCP bypass may work, but not in my scenario.

That's why, when I say it does not work on the ASA, it is because of the interface security level. Traffic that comes in on the outside interface and leaves on the inside interface must come back in on the inside interface and leave on the outside interface, or it will not work. The Checkpoint firewall does not have this issue because it has no concept of an interface security level. The Checkpoint firewall is nothing but a routing device with a security policy.
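To make the connection-table behaviour described above concrete, here is a small stateful-firewall model (an added illustration, not ASA code or anything from the original thread; the topology, the 5.5.5.5 client and the port numbers are taken from or constructed around the scenario above). A flow is pinned to the interface pair that saw its SYN, so the SYN-ACK from host X is accepted when it returns on the same interface the SYN went out of, and dropped when it arrives on a different one:

```python
from dataclasses import dataclass

# Topology from the thread: outside 1.1.2.0/24, inside (dmz1) 1.1.0.0/24,
# dmz (dmz2) 1.1.1.0/24; host X is 1.1.0.1 (eth0) and 1.1.1.1 (eth1).
ROUTES = {"1.1.0": "inside", "1.1.1": "dmz", "default": "outside"}


@dataclass(frozen=True)
class Packet:
    ingress: str   # firewall interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool      # True for the initial SYN, False for SYN-ACK/ACK/data


class StatefulFirewall:
    """Toy model of a stateful connection table (constructed for illustration,
    not the ASA's implementation). A flow is pinned to the interface pair that
    saw its SYN; any later packet must arrive on the interface the table expects."""

    def __init__(self, routes):
        self.routes = routes
        self.conns = {}   # (client, cport, server, sport) -> (in_iface, out_iface)

    def egress(self, ip):
        return self.routes.get(ip.rsplit(".", 1)[0], self.routes["default"])

    def forward(self, pkt):
        """Return (allowed, reason) for one packet."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and fwd not in self.conns:
            self.conns[fwd] = (pkt.ingress, self.egress(pkt.dst))
            return True, "SYN: connection built %s->%s" % self.conns[fwd]
        if fwd in self.conns:
            expect_in, _ = self.conns[fwd]
        elif rev in self.conns:
            _, expect_in = self.conns[rev]   # a reply must come back on the egress side
        else:
            return False, "no connection"
        if pkt.ingress != expect_in:
            return False, "no connection on %s (flow pinned to %s)" % (pkt.ingress, expect_in)
        return True, "matches existing connection"


def simulate(server_ip, reply_ingress):
    """Client 5.5.5.5 sends a SYN to server_ip; host X's SYN-ACK enters on reply_ingress."""
    fw = StatefulFirewall(ROUTES)
    ok_syn, _ = fw.forward(Packet("outside", "5.5.5.5", 40000, server_ip, 80, True))
    ok_synack, why = fw.forward(Packet(reply_ingress, server_ip, 80, "5.5.5.5", 40000, False))
    return ok_syn and ok_synack, why


if __name__ == "__main__":
    # 1.1.0.1 answered via inside: symmetric, works. 1.1.1.1 answered via inside
    # (host X's default gateway): asymmetric, dropped. 1.1.1.1 via dmz: works.
    for server, ingress in [("1.1.0.1", "inside"), ("1.1.1.1", "inside"), ("1.1.1.1", "dmz")]:
        print(server, ingress, simulate(server, ingress))
```

The third case shows the only way the stateful path is satisfied for 1.1.1.1: the host must reply out of eth1, the interface the SYN arrived on, rather than through its default gateway.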

Hi,

You are totally right. This won't work; the bypass will only work for the same interface. I did this in a lab and it gives a "Routing failed to locate next hop" when it gets the SYN-ACK packet on the interface which has the default gateway. It builds the second local host with the real IP on the second interface and the connection is built with the Bypass flag; however, it will have problems trying to route the packet once it is up.

Hope this clarifies your queries.

Thanks!

Mike

Mike

From what I am seeing so far, this limitation is not limited to the ASA but applies to the ACE as well. It seems like both the ASA and the ACE use very similar code. The ACE behaves exactly the same way as the ASA in my scenario.

Hi,

Yeah, thanks for bringing this up. I hope we clear this doubt for many people.

Thanks for sharing.

Mike

Mike

Cisco IOS does not suffer from this issue.
