cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
651
Views
0
Helpful
5
Replies

Help with Global Service Policies on ASA 8.6

Brett Verney
Level 1
Level 1

Hi all,

I just started a new role looking after a Network where not too long before I started had a complete Internet Edge redesign. It seems that FTP transactions destined to the Internet haven't been working since the changes.

Until yesterday I had no idea about the history of FTP and why it needs special attention. i.e. 'Active' mode won't work with NAT and 'Passive' mode requires addtional ports to be opened on random high port numbers, and, without 'FTP inspection' enabled via a service policy, requires those 'random' port numbers to be opened outbound on the Firewall.

Long story short I found a 'tcp-bypass' class map located under the global policy which seemed to be bypassing the state tracking for ALL TCP. When I remove this class map from the global policy, FTP works!! I suspect this is due to the global policy using the class 'inspection_default' where FTP is being inspected and allowing the FTP client to connect to the server on those random port numbers that it requires. However I have no idea if removing the -tcp-bypass' class map is breaking any other TCP sessions, or why it was implemented in the first place.

Correct me if I'm wrong (because a lot of this is new to me), but shouldn't the global policy match and action the 'inspection_default' map before it processes the 'tcp-bypass' map?

My config is below...

class-map tcp-bypass

match access-list tcp-bypass

class-map PROXY-STATE-BYPASS

match access-list tcp-bypass

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

class tcp-bypass

  set connection advanced-options tcp-state-bypass

class class-default

  user-statistics accounting

policy-map PROXY-STATE-BYPASS-PMAP

class PROXY-STATE-BYPASS

  set connection advanced-options tcp-state-bypass

!

service-policy global_policy global

Any help/advice would be greatly appreciated!!

Brett

ps. There are no service policies applied to any of the ASA's interfaces.

1 Accepted Solution

Accepted Solutions

Hello Brett,

After taking some time to think about the basics I remembered something:

A specific traffic flow can match more than one class-map and then actions will be applied to the flow as configured (more than one as the features are different)

For example u can inspect your FTP traffic on a class-map FTP and then on a class-map called Police you could police that same traffic,

Do u follow me till here?

Now there is an order of operations for the different features:

QoS input Policing

TCP normalization and changes to the security algorithm (TCP state bypass goes here)

CSC if being used

Application inspection (the FTP one)

ETC

So in our case .bump we are matching the second rule even though the FTP inspection is before

Regards,

Julio

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

5 Replies 5

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Brett,

What the TCP bypass looks for is basically let the ASA know " We are not going to be as restrictive as we were with TCP sessions before, if we dont follow the 3 way hanshake as an example we will not care". So you are basically removing some security checks right there if u use it,

Why would u use it?

You have assymetric routing on ur network, your applications are not behaving as an RFC compliance application for certain protocol, etc.

Now, the check will be done just like an ACL( from top to bottom )and as long as there is a match, we will apply the action without looking any further.

In this case if you are using regular FTP ports to connect u should be hitting the regular inspection over the class inspection_default.

Regards,

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

See that's my point exactly. When do a 'show service-policy global' I don't see any hits on the 'Inspect: ftp' rule (under the inspection_default class-map) which is above the 'tcp-bypass' class-map, and.... FTP doesn't work. If I remove the 'tcp-bypass' class-map, FTP works.

My understanding (just like you said) was the rules at the top of the policy should get matched and actioned first; which in this case obviously isn't.

ALTHOUGH... using the ASDM, even though the 'tcp-bypass' rule is listed after the 'inspection_default' rule, the 'tcp-bypass' rule has a #1 next to it, where as the other class-maps do no thave a number next to it and I can't see anywhere where I could enter a sequence number under the 'inspection_default' rule...

Brett

Hello Brett,

After taking some time to think about the basics I remembered something:

A specific traffic flow can match more than one class-map and then actions will be applied to the flow as configured (more than one as the features are different)

For example u can inspect your FTP traffic on a class-map FTP and then on a class-map called Police you could police that same traffic,

Do u follow me till here?

Now there is an order of operations for the different features:

QoS input Policing

TCP normalization and changes to the security algorithm (TCP state bypass goes here)

CSC if being used

Application inspection (the FTP one)

ETC

So in our case .bump we are matching the second rule even though the FTP inspection is before

Regards,

Julio

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio,

That helps me out alot. I will be bookmarking this post while I do a little research on the subject

I appreciate your time!

Best Regards,

Brett

Hello Brett,

My pleasure to help,

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card