05-25-2013 12:49 PM - edited 03-11-2019 06:49 PM
I am using an ASA as the default gateway for my network and I need it to to route traffic to other non-ASA gateways located on the inside interface of the box. Seems like hairpinning and tcp bypass is a must have for my setup. It also seems that I need to define the traffic that goes to these other gateways so I can apply the tcp-bypass feature. In my case I will be creating an ACL that matches source subnet of 192.168.0.0/16 to destination subnets 192.168.0.0/16 and then applying it to inside interface of ASA.
My question is, what will happen when inside traffic hits the inside interface and is destined for outside, public IPs? This traffic usually would be taken care of by the global-policy, but this policy has been replaced with the tcp_bypass policy. Furthermore this traffic does not match the acl for the tcp_bypass policy. It seems like this traffic would not have any service-policy applied to it. So I would have inside to outside traffic crossing the ASA with no service-policy applied. Would this work?
Thanks,
Diego
05-26-2013 12:39 PM
Hello Diego,
Why don't you use the default global policy (do you have the default policy as the global one)?
class-map tcp_bypass
 match access-list acl_TCPbypass
policy-map global_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
 class class-default
  inspect xxx.
  inspect x
  inspect x
  inspect x
  inspect x
With that in place you will be doing the TCP state-bypass for the traffic matched by that ACL and then leave the rest of the traffic to the other inspection engines.
Regards
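The configuration below is an added example (not posted by anyone in this thread) of what the accepted answer describes: one global policy in which only inside-to-inside traffic gets TCP state bypass, while everything else, including inside-to-outside flows, keeps the default inspection engines. It assumes the inside interface is named inside, that the object net_priv192 from Diego's post is 192.168.0.0/16, and that the inspect list mirrors the ASA factory default global_policy; adjust the list to whatever "show run policy-map" shows on your box.

```cisco
! Added example, not from the original thread. Assumptions: interface "inside",
! object net_priv192 = 192.168.0.0/16, factory-default inspection list.

! Hairpinning: let a flow enter and leave the same interface (inside -> inside).
same-security-traffic permit intra-interface

! Scope the bypass as tightly as possible: state tracking, normalization and
! inspection are all switched off for whatever this ACL matches, so match only
! the hairpinned internal-to-internal TCP traffic, never anything to outside.
object network net_priv192
 subnet 192.168.0.0 255.255.0.0
access-list acl_TCPbypass extended permit tcp object net_priv192 object net_priv192

class-map tcp_bypass
 match access-list acl_TCPbypass

! Factory class for the default inspections (unchanged).
class-map inspection_default
 match default-inspection-traffic

! Extend the existing global policy instead of replacing it: the bypass class
! is added in front, the inspection class keeps its engines for all other flows.
policy-map global_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
  ! No TCP state means no FIN/RST-driven teardown; keep an idle timeout and a
  ! per-client cap so bypassed flows cannot pile up in the connection table.
  set connection timeout idle 0:10:00
  set connection per-client-max 200
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

service-policy global_policy global
```

To confirm the split is working, "show service-policy global" lists hit counters per class, so the tcp_bypass counter should move only for internal-to-internal sessions while the inspect counters keep rising for outbound traffic, and "show conn" marks bypassed connections with the b flag. Note also that an interface policy (as in Diego's my-policy attached to inside) does not remove the global policy: for each feature the ASA checks the interface policy first and still applies the global policy to traffic that the interface policy has no matching class for, so traffic that matches no class anywhere is simply forwarded under the normal ACL, NAT and stateful checks without any MPF action.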
05-25-2013 02:29 PM
Hello Diego,
A policy-map can be composed of several class-maps (the default one, the one for the tcp_state_bypass, etc.), so you could have more than one, no issue at all.
Now, what will happen to the traffic: well, it will not go through the inspections defined there, but traffic will still flow through the box with no harm.
Just make sure that if somehow you need an inspection for certain traffic (FTP, ICMP, SIP) you add a class-map for that traffic.
Regards
05-26-2013 10:49 AM
J:
service-policy doesn't seem to have the permit xx structure found in route-maps that I am familiar with. What would happen to my traffic if I implemented the policy as shown below? The idea would be to use tcp bypass for traffic that is being routed internally but apply a different policy to traffic destined for outside the firewall.
Rgds,
Diego
access-list acl_TCPbypass extended permit ip object net_priv192 object net_priv192 log disable
!
class-map tcp_bypass
 match access-list acl_TCPbypass
!
policy-map my-policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
 class class-default
  user-statistics accounting
  set connection per-client-max 200 per-client-embryonic-max 200
!
service-policy my-policy interface inside
!
05-26-2013 02:28 PM
I was just trying to leave the global policy alone just in case I had to switch back to it for whatever reason. But you are right, I can just tack on my stuff to the global.
Thanks!
05-26-2013 02:36 PM
Glad to help,
Regards
05-26-2013 12:05 AM
Another way to approach your problem: change your network design. In my opinion, the users should never use an ASA as a default gateway (the only exception is the home office, where you'll never have a second gateway). If you place an L3 switch with a transit link between your users and your ASA, then all these problems you have are gone and it's a cleaner and easier design.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
05-26-2013 10:46 AM
Karsten:
I agree it would be nice to do as you suggest but quality L3 switches are quite costly. Thanks for your input.
Rgds,
Diego