06-17-2013 08:10 PM - edited 03-11-2019 06:59 PM
Hi guys,
Due to a complex setup on our Internet Edge network, I require a 'tcp-bypass' class map (bypassing TCP session state tracking) under the Global Policy on an Active/Standby ASA Pair.
However...I now require FTP inspection in order to allow Passive FTP to work for Internet hosted FTP servers.
My understanding is that, no matter what order the class-maps are configured in, the 'tcp-bypass' class map will be actioned before any application inspection is done. We have an 'inspection_default' class-map configured under the global policy that never gets hit. I have confirmed this by running a 'show service-policy'. When I create a class-map that inspects FTP under the Global Policy, the FTP inspection counter never increases until I disable my 'tcp-bypass' class map. However, this breaks a whole bunch of TCP services and I require it left on...
It is also my understanding that a service-policy applied to an interface takes precedence over the ASA's global policy. I have had a play around with configuring FTP class maps for my 'INSIDE' interface with no luck so far (I seem to break these TCP services again).
My question is: what config can I apply (whether it's to the existing global policy or my 'INSIDE' interface) in order to inspect FTP while bypassing all other TCP state tracking?
My current config is below:
access-list tcp-bypass extended permit tcp any any
class-map tcp-bypass
 match access-list tcp-bypass
class-map PROXY-STATE-BYPASS
 match access-list tcp-bypass
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class tcp-bypass
  set connection advanced-options tcp-state-bypass
 class class-default
  user-statistics accounting
Much appreciated!
Brett
06-19-2013 12:20 AM
OK so I figured this one out...
I couldn't find any possible way to allow application inspection on an interface and then expect the global_policy to bypass TCP state tracking for all other protocols. As soon as I applied a service-policy to an interface it no longer looked at the global_policy and started tracking the TCP state (for protocols other than FTP in my example).
All I had to do was add a line to the 'tcp-bypass' ACL to deny the bypassing of state tracking for FTP, while allowing it for all other protocols.
Now FTP is not matched in the class-map and is FINALLY inspected via the 'inspection_default' class-map within the global_policy.
Config change was:
no access-list tcp-bypass extended permit tcp any any
!
access-list tcp-bypass extended deny tcp any any eq ftp
access-list tcp-bypass extended permit tcp any any
If I ever need inspection on other applications in the future, I will deny them from the 'tcp-bypass' class map by adding them to the access-list above, just like I have FTP.
Brett
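An added example (not Brett's config or Cisco's code) that models the first-match ACL evaluation behind the fix above: a flow permitted by the tcp-bypass ACL gets TCP state bypass and skips inspection, while a flow the ACL denies falls through to inspection_default. The ACEs are copied from the thread; the port-name table and the single modelled inspection port (FTP, 21) are assumptions of this model.

```python
import re

# ACL exactly as corrected in the thread; ASA evaluates ACEs top-down, first match wins.
TCP_BYPASS_ACL = [
    "access-list tcp-bypass extended deny tcp any any eq ftp",
    "access-list tcp-bypass extended permit tcp any any",
]

# Original (pre-fix) ACL for comparison.
ORIGINAL_ACL = ["access-list tcp-bypass extended permit tcp any any"]

# Port keywords the model understands (assumption: only a few names are needed here).
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "https": 443}

# Ports that 'match default-inspection-traffic' would inspect in this model (FTP only).
DEFAULT_INSPECTION_PORTS = {21: "ftp"}

# Only the 'tcp any any [eq <port>]' form used in the thread is supported.
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) tcp any any(?: eq (\S+))?$")


def parse_ace(line):
    """Return (action, destination_port_or_None) for one extended ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    _name, action, port = m.groups()
    if port is not None:
        port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return action, port


def acl_permits(acl, dst_port):
    """First-match evaluation with the implicit deny at the end of every ASA ACL."""
    for line in acl:
        action, port = parse_ace(line)
        if port is None or port == dst_port:
            return action == "permit"
    return False


def classify(dst_port, acl=TCP_BYPASS_ACL):
    """Which global_policy treatment a TCP flow to dst_port receives."""
    if acl_permits(acl, dst_port):
        # Matched class tcp-bypass: state tracking and inspection are both skipped.
        return "tcp-state-bypass"
    if dst_port in DEFAULT_INSPECTION_PORTS:
        return f"inspect {DEFAULT_INSPECTION_PORTS[dst_port]}"
    return "stateful, no inspection"
```

Running classify(21) against ORIGINAL_ACL shows why the inspect ftp counter never moved before the deny ACE was added.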