FTP inspection while bypassing TCP State Tracking

Brett Verney
Level 1

Hi guys,

Due to a complex setup on our Internet Edge network, I require a 'tcp-bypass' class map (bypassing TCP session state tracking) under the Global Policy on an Active/Standby ASA Pair.

However...I now require FTP inspection in order to allow Passive FTP to work for Internet hosted FTP servers.

My understanding is that no matter what order the class-maps are configured in, the 'tcp-bypass' class map will be actioned before any application inspection is done. We have an 'inspection_default' class-map configured under the global policy that never gets hit. I have confirmed this by running a 'show service-policy'. When I create a class-map that inspects FTP under the Global Policy, the FTP inspection counter never increases until I disable my 'tcp-bypass' class map. However, this breaks a whole bunch of TCP services and I require it left on...

It is also my understanding that a service-policy applied to an interface takes precedence over the ASA's global policy. I have had a play around with configuring FTP class maps for my 'INSIDE' interface with no luck so far (I seem to break these TCP services again).

My question is: what config can I apply (whether it's to the existing global policy or my 'INSIDE' interface) in order to inspect FTP while bypassing all other TCP state tracking?

My current config is below;

access-list tcp-bypass extended permit tcp any any
!
class-map tcp-bypass
 match access-list tcp-bypass
class-map PROXY-STATE-BYPASS
 match access-list tcp-bypass
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class tcp-bypass
  set connection advanced-options tcp-state-bypass
 class class-default
  user-statistics accounting

Much appreciated!

Brett


Brett Verney
Level 1

OK so I figured this one out...

I couldn't find any possible way to allow application inspection on an interface and then expect the global_policy to bypass TCP state tracking for all other protocols. As soon as I applied a service-policy to an interface it no longer looked at the global_policy and started tracking the TCP state (for protocols other than FTP in my example).

All I had to do was add a line to the 'tcp-bypass' ACL to deny the bypassing of state tracking for FTP, while allowing it for all other protocols.

Now... FTP is not matched in the class-map and is FINALLY inspected via the 'inspection_default' class-map within the global_policy.

Config change was:

no access-list tcp-bypass extended permit tcp any any
!
access-list tcp-bypass extended deny tcp any any eq ftp
access-list tcp-bypass extended permit tcp any any

If I ever need inspection on other applications in the future, I will deny them from the 'tcp-bypass' class map by adding them to the access-list above, just like I have FTP.

Brett
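The before/after ACLs from the two posts above, modelled as an added example (this is not code from the original posts nor anything from Cisco). It parses the 'access-list ... extended' lines the thread uses, evaluates them first-match with the implicit deny, applies the two classes of global_policy to an FTP and a non-FTP flow, and flags ACEs that are shadowed by an earlier one, which is the mistake of putting the 'deny ... eq ftp' line after 'permit tcp any any'. Assumptions, labelled in the code: a flow whose first matching ACE is a deny is not matched by the class-map; a connection with tcp-state-bypass set is never handed to inspection regardless of class order (the behaviour the thread's 'show service-policy' counters showed); the port table and the subset of 'default-inspection-traffic' ports are constructed; the 192.0.2.x / 198.51.100.x addresses are documentation ranges, not real hosts.

```python
"""Model of ASA ACL first-match and policy-map classification (added example).

Assumptions: ACEs are evaluated top-down, first match wins, implicit deny at
the end, and a deny means the referencing class-map does NOT match the flow;
a flow hitting a class with tcp-state-bypass is never inspected, whatever the
class order. Only the ACE syntax used in the thread (plus host / subnet-mask
addresses and 'eq <port>') is parsed; this is not a general ASA ACL parser.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lookup for the 'eq <name>' keywords used here (assumption).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "https": 443, "smtp": 25}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port

    def matches(self, flow: Flow) -> bool:
        return (self.proto == flow.proto
                and ipaddress.ip_address(flow.src) in self.src
                and ipaddress.ip_address(flow.dst) in self.dst
                and (self.dport is None or self.dport == flow.dport))

    def covers(self, other: "Ace") -> bool:
        """True if every flow that matches `other` also matches self."""
        return (self.proto == other.proto
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))


def _parse_addr(tokens, i):
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # ASA extended ACLs give a subnet mask, e.g. 10.0.0.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Return {acl_name: [Ace, ...]} from 'access-list <name> extended ...' lines."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, dport))
    return acls


def acl_matches(aces, flow):
    """First-match evaluation; True only when the first matching ACE is a permit."""
    for ace in aces:
        if ace.matches(flow):
            return ace.action == "permit"
    return False                  # implicit deny at the end of every ACL


def shadowed_aces(aces):
    """Indices of ACEs that can never be hit because an earlier ACE covers them."""
    return [j for j, ace in enumerate(aces)
            if any(aces[i].covers(ace) for i in range(j))]


# Constructed policy: (class name, match kind, match argument, actions). The
# port set is a small subset of 'match default-inspection-traffic' (assumption)
# limited to protocols that have an 'inspect' line in the thread's policy.
GLOBAL_POLICY = [
    ("inspection_default", "default-inspection", {21, 25, 554, 5060}, {"inspect"}),
    ("tcp-bypass", "acl", "tcp-bypass", {"tcp-state-bypass"}),
]


def evaluate(policy, acls, flow):
    """Return (classes hit, bypassed, inspected) for one flow under `policy`.

    Every class the flow hits contributes its actions; a bypassed connection
    is not inspected, whatever order the classes are listed in (assumption).
    """
    hit, bypass, inspect = [], False, False
    for cls, kind, arg, actions in policy:
        if kind == "acl":
            matched = acl_matches(acls[arg], flow)
        else:
            matched = flow.proto == "tcp" and flow.dport in arg
        if matched:
            hit.append(cls)
            bypass |= "tcp-state-bypass" in actions
            inspect |= "inspect" in actions
    return hit, bypass, inspect and not bypass


# The ACL as first posted and as fixed in the reply.
BEFORE = ["access-list tcp-bypass extended permit tcp any any"]
AFTER = ["access-list tcp-bypass extended deny tcp any any eq ftp",
         "access-list tcp-bypass extended permit tcp any any"]
FTP = Flow("192.0.2.10", "198.51.100.21", 21)      # constructed documentation addresses
HTTPS = Flow("192.0.2.10", "198.51.100.21", 443)


def summarise(acl_lines):
    """Evaluate the FTP and HTTPS flows under GLOBAL_POLICY with the given ACL."""
    acls = parse_acl(acl_lines)
    return {f.dport: evaluate(GLOBAL_POLICY, acls, f) for f in (FTP, HTTPS)}


if __name__ == "__main__":
    for label, lines in (("before", BEFORE), ("after", AFTER)):
        print(label, summarise(lines))
    wrong_order = list(reversed(AFTER))
    print("shadowed ACEs in wrong order:", shadowed_aces(parse_acl(wrong_order)["tcp-bypass"]))
```

With the original ACL the FTP flow hits both inspection_default and tcp-bypass and comes out bypassed and uninspected; with the reply's ACL it hits only inspection_default and is inspected, while 443/tcp is still bypassed. Reversing the two ACEs makes shadowed_aces report the deny as unreachable, which is the check to run before adding further 'deny ... eq <port>' lines for other inspected protocols.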
