06-13-2013 05:49 PM - edited 03-11-2019 06:57 PM
Hi all,
I just started a new role looking after a Network where not too long before I started had a complete Internet Edge redesign. It seems that FTP transactions destined to the Internet haven't been working since the changes.
Until yesterday I had no idea about the history of FTP and why it needs special attention. i.e. 'Active' mode won't work with NAT and 'Passive' mode requires addtional ports to be opened on random high port numbers, and, without 'FTP inspection' enabled via a service policy, requires those 'random' port numbers to be opened outbound on the Firewall.
Long story short I found a 'tcp-bypass' class map located under the global policy which seemed to be bypassing the state tracking for ALL TCP. When I remove this class map from the global policy, FTP works!! I suspect this is due to the global policy using the class 'inspection_default' where FTP is being inspected and allowing the FTP client to connect to the server on those random port numbers that it requires. However I have no idea if removing the -tcp-bypass' class map is breaking any other TCP sessions, or why it was implemented in the first place.
Correct me if I'm wrong (because a lot of this is new to me), but shouldn't the global policy match and action the 'inspection_default' map before it processes the 'tcp-bypass' map?
My config is below...
class-map tcp-bypass
match access-list tcp-bypass
class-map PROXY-STATE-BYPASS
match access-list tcp-bypass
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class tcp-bypass
set connection advanced-options tcp-state-bypass
class class-default
user-statistics accounting
policy-map PROXY-STATE-BYPASS-PMAP
class PROXY-STATE-BYPASS
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
Any help/advice would be greatly appreciated!!
Brett
ps. There are no service policies applied to any of the ASA's interfaces.
Solved! Go to Solution.
06-13-2013 10:06 PM
Hello Brett,
After taking some time to think about the basics I remembered something:
A specific traffic flow can match more than one class-map and then actions will be applied to the flow as configured (more than one as the features are different)
For example u can inspect your FTP traffic on a class-map FTP and then on a class-map called Police you could police that same traffic,
Do u follow me till here?
Now there is an order of operations for the different features:
QoS input Policing
TCP normalization and changes to the security algorithm (TCP state bypass goes here)
CSC if being used
Application inspection (the FTP one)
ETC
So in our case .bump we are matching the second rule even though the FTP inspection is before
Regards,
Julio
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
06-13-2013 08:13 PM
Hello Brett,
What the TCP bypass looks for is basically let the ASA know " We are not going to be as restrictive as we were with TCP sessions before, if we dont follow the 3 way hanshake as an example we will not care". So you are basically removing some security checks right there if u use it,
Why would u use it?
You have assymetric routing on ur network, your applications are not behaving as an RFC compliance application for certain protocol, etc.
Now, the check will be done just like an ACL( from top to bottom )and as long as there is a match, we will apply the action without looking any further.
In this case if you are using regular FTP ports to connect u should be hitting the regular inspection over the class inspection_default.
Regards,
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
06-13-2013 09:46 PM
See that's my point exactly. When do a 'show service-policy global' I don't see any hits on the 'Inspect: ftp' rule (under the inspection_default class-map) which is above the 'tcp-bypass' class-map, and.... FTP doesn't work. If I remove the 'tcp-bypass' class-map, FTP works.
My understanding (just like you said) was the rules at the top of the policy should get matched and actioned first; which in this case obviously isn't.
ALTHOUGH... using the ASDM, even though the 'tcp-bypass' rule is listed after the 'inspection_default' rule, the 'tcp-bypass' rule has a #1 next to it, where as the other class-maps do no thave a number next to it and I can't see anywhere where I could enter a sequence number under the 'inspection_default' rule...
Brett
06-13-2013 10:06 PM
Hello Brett,
After taking some time to think about the basics I remembered something:
A specific traffic flow can match more than one class-map and then actions will be applied to the flow as configured (more than one as the features are different)
For example u can inspect your FTP traffic on a class-map FTP and then on a class-map called Police you could police that same traffic,
Do u follow me till here?
Now there is an order of operations for the different features:
QoS input Policing
TCP normalization and changes to the security algorithm (TCP state bypass goes here)
CSC if being used
Application inspection (the FTP one)
ETC
So in our case .bump we are matching the second rule even though the FTP inspection is before
Regards,
Julio
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
06-13-2013 10:56 PM
Thanks Julio,
That helps me out alot. I will be bookmarking this post while I do a little research on the subject
I appreciate your time!
Best Regards,
Brett
06-14-2013 08:50 AM
Hello Brett,
My pleasure to help,
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide