cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1055
Views
0
Helpful
5
Replies

FWSM - Connection goes through the same interface

Hello everybody

I have a problem where I have a network that passes fwsm to connect to another network where this other network has a route back to the same input interface.

Look the attached image

Server NY needs to connect in Server MD, I did the configuration conform describe in the box but i can't doing ping ou telnet in the Server MD.

I monitored the connection using tcpdump in the Server VPN to see that something arrive there but nothing.

I saw in the FWMS the access-list and not have them match.

Does anyone have any idea how I can solve this problem?

Thank you!

5 Replies 5

Jennifer Halim
Cisco Employee
Cisco Employee

It won't work because there will be asymmetric routing and the FWSM will drop the session.

Here is the traffic flow as per your network:

1) From Server MD to Server NY: Server MD --> VPN server --> directly to Server NY because they are in the same subnet 10.1.51.x

2) From Server NY to Server MD: Server NY --> default gateway FWSM DMZ interface (because FWSM does not see the first packet, it will drop the session).

Hence it does not work in your testing.

The easiest to resolve this issue is to configure static route on Server NY for Server MD ip address to point towards the VPN server instead of using its default gateway FWSM DMZ interface.

So on Server NY: route 192.168.10.10 255.255.255.255 10.1.51.10

Jennifer,

Thanks for answer.

I thought it was possible the same as linux where I release through FORWARD.

It really does not have the FWSM correct?

Because I have many servers on the side of NY, more than 150. To put local route on each server would not be very suitable agree?

You can configure: same-security-traffic permit intra-interface

As well as configuring TCP state bypass, but pls kindly be advised that it really defeats the purpose of having a firewall (FWSM) in place if you configure it to bypass the TCP state as it could have been an attack and the FWSM will not detect that because you have configured it to do so. However, this will resolve your problem.

Here is more information on TCP state bypass and how to configure it:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/command/reference/s1.html#wp2737794


Thank you again!

The configuration would be as follows:

access-list DMZ-INT extended permit tcp host 10.1.51.20 host 192.168.10.10

class-map tcp_bypass

   description "TCP traffic that bypasses stateful firewall"

   match access-list DMZ-INT

policy-map tcp_bypass_policy

class tcp_bypass

   set connection advanced-options tcp-state-bypass

      service-policy tcp_bypass_policy outside

This is correct?

You should also add the following ACL:

access-list DMZ-INT extended permit tcp host 192.168.10.10 host 10.1.51.20

And also the service policy should be applied to your DMZ-INT as follows:

service-policy tcp_bypass_policy DMZ-INT

And remember: same-security-traffic permit intra-interface

Review Cisco Networking for a $25 gift card