07-18-2012 05:40 AM - edited 03-11-2019 04:32 PM
Hello everybody
I have a problem where I have a network that passes fwsm to connect to another network where this other network has a route back to the same input interface.
Look the attached image
Server NY needs to connect in Server MD, I did the configuration conform describe in the box but i can't doing ping ou telnet in the Server MD.
I monitored the connection using tcpdump in the Server VPN to see that something arrive there but nothing.
I saw in the FWMS the access-list and not have them match.
Does anyone have any idea how I can solve this problem?
Thank you!
07-18-2012 07:48 AM
It won't work because there will be asymmetric routing and the FWSM will drop the session.
Here is the traffic flow as per your network:
1) From Server MD to Server NY: Server MD --> VPN server --> directly to Server NY because they are in the same subnet 10.1.51.x
2) From Server NY to Server MD: Server NY --> default gateway FWSM DMZ interface (because FWSM does not see the first packet, it will drop the session).
Hence it does not work in your testing.
The easiest to resolve this issue is to configure static route on Server NY for Server MD ip address to point towards the VPN server instead of using its default gateway FWSM DMZ interface.
So on Server NY: route 192.168.10.10 255.255.255.255 10.1.51.10
07-18-2012 08:16 AM
Jennifer,
Thanks for answer.
I thought it was possible the same as linux where I release through FORWARD.
It really does not have the FWSM correct?
Because I have many servers on the side of NY, more than 150. To put local route on each server would not be very suitable agree?
07-18-2012 08:20 AM
You can configure: same-security-traffic permit intra-interface
As well as configuring TCP state bypass, but pls kindly be advised that it really defeats the purpose of having a firewall (FWSM) in place if you configure it to bypass the TCP state as it could have been an attack and the FWSM will not detect that because you have configured it to do so. However, this will resolve your problem.
Here is more information on TCP state bypass and how to configure it:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/command/reference/s1.html#wp2737794
07-18-2012 09:53 AM
Thank you again!
The configuration would be as follows:
access-list DMZ-INT extended permit tcp host 10.1.51.20 host 192.168.10.10
class-map tcp_bypass
description "TCP traffic that bypasses stateful firewall"
match access-list DMZ-INT
policy-map tcp_bypass_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy outside
This is correct?
07-18-2012 09:57 AM
You should also add the following ACL:
access-list DMZ-INT extended permit tcp host 192.168.10.10 host 10.1.51.20
And also the service policy should be applied to your DMZ-INT as follows:
service-policy tcp_bypass_policy DMZ-INT
And remember: same-security-traffic permit intra-interface
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide