hairpinning, tcp bypass and service policy questions

tato386
Level 6

I am using an ASA as the default gateway for my network and I need it to route traffic to other non-ASA gateways located on the inside interface of the box.  It seems that hairpinning and TCP bypass are a must-have for my setup.  It also seems that I need to define the traffic that goes to these other gateways so I can apply the tcp-bypass feature.  In my case I will be creating an ACL that matches a source subnet of 192.168.0.0/16 to a destination subnet of 192.168.0.0/16 and then applying it to the inside interface of the ASA.

My question is, what will happen when inside traffic hits the inside interface and is destined for outside, public IPs?  This traffic usually would be taken care of by the global policy, but this policy has been replaced with the tcp_bypass policy.  Furthermore, this traffic does not match the ACL for the tcp_bypass policy.  It seems like this traffic would not have any service-policy applied to it.  So I would have inside-to-outside traffic crossing the ASA with no service-policy applied.  Would this work?

Thanks,
Diego


Julio Carvajal
VIP Alumni

Hello Diego,

A policy-map can be composed of several class-maps (the default one, the one for the tcp_state_bypass, etc.), so you could have more than one, no issue at all,

Now, what will happen to the traffic? Well, it will not go over the inspections defined there, but traffic will still flow through the box with no harm,

Just make sure that if somehow you need an inspection for certain traffic (FTP, ICMP, SIP) you add a class-map for that traffic,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

J:

service-policy doesn't seem to have the permit xx structure found in route-maps that I am familiar with.  What would happen to my traffic if I implemented the policy as shown below?  The idea would be to use TCP bypass for traffic that is being routed internally but apply a different policy to traffic destined for outside the firewall.

Rgds,

Diego

access-list acl_TCPbypass extended permit ip object net_priv192 object net_priv192 log disable
!
class-map tcp_bypass
 match access-list acl_TCPbypass
!
policy-map my-policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
 class class-default
  user-statistics accounting
  set connection per-client-max 200 per-client-embryonic-max 200
!
service-policy my-policy interface inside
!

Hello Diego,

Why don't you use the default global policy (do you have the default policy, the global one)?

class-map tcp_bypass
 match access-list acl_TCPbypass
policy-map global_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
 class class-default
  inspect xxx.
  inspect x
  inspect x
  inspect x
  inspect x

With that in place you will be doing the TCP state-bypass for the traffic matching that ACL and then leave the rest of the traffic to the other inspection engines,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
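
A small model of the classification the accepted answer describes, added here as an illustration and not taken from the thread or from Cisco: flows are tested against the policy-map classes in configuration order, so LAN-to-LAN traffic matching acl_TCPbypass gets TCP state bypass while everything else falls into class-default and keeps the inspection engines. It assumes object net_priv192 is 192.168.0.0/16 (the subnet named in the question) and uses constructed sample names where the answer writes "inspect x".

```python
"""Toy model of the policy-map from the accepted answer (added example)."""
import ipaddress
from typing import Callable, List, Tuple

# Assumed: object net_priv192 = 192.168.0.0/16, as described in the question.
NET_PRIV192 = ipaddress.ip_network("192.168.0.0/16")


# access-list acl_TCPbypass extended permit ip object net_priv192 object net_priv192
def acl_tcpbypass(src: str, dst: str) -> bool:
    """True when both endpoints sit in the private /16, i.e. the flow is
    LAN-to-LAN traffic that hairpins off the inside interface."""
    return (ipaddress.ip_address(src) in NET_PRIV192
            and ipaddress.ip_address(dst) in NET_PRIV192)


# policy-map global_policy, classes in configuration order:
# (class name, match predicate, actions applied to a matching flow)
GLOBAL_POLICY: List[Tuple[str, Callable[[str, str], bool], List[str]]] = [
    ("tcp_bypass", acl_tcpbypass,
     ["set connection advanced-options tcp-state-bypass"]),
    ("class-default", lambda src, dst: True,
     ["inspect dns", "inspect ftp", "inspect icmp"]),  # constructed sample list
]


def classify(src: str, dst: str, policy=GLOBAL_POLICY) -> Tuple[str, List[str]]:
    """Return the first class whose match statement the flow satisfies, with
    that class's actions. class-default catches whatever the earlier classes
    did not claim, which is why inside-to-Internet traffic still reaches the
    inspection engines while LAN-to-LAN traffic gets state bypass."""
    for name, match, actions in policy:
        if match(src, dst):
            return name, actions
    raise ValueError("policy-map has no catch-all class")


if __name__ == "__main__":
    # Constructed sample flows: hairpin to another inside gateway, inside to a
    # public address, and a public address back to the inside.
    for src, dst in [("192.168.1.10", "192.168.50.1"),
                     ("192.168.1.10", "203.0.113.7"),
                     ("203.0.113.7", "192.168.1.10")]:
        name, actions = classify(src, dst)
        print(f"{src} -> {dst}: class {name}: {', '.join(actions)}")
```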

I was just trying to leave the global policy alone, just in case I had to switch back to it for whatever reason.  But you are right, I can just tack my stuff onto the global one.

Thanks!

Glad to help,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Another way to approach your problem: change your network design. In my opinion, the users should never use an ASA as a default gateway (the only exception is the home office, where you'll never have a second gateway). If you place an L3 switch with a transit link between your users and your ASA, then all these problems you have are gone, and it's a cleaner and easier design.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Karsten:

I agree it would be nice to do as you suggest, but quality L3 switches are quite costly.  Thanks for your input.

Rgds,

Diego
