cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
657
Views
0
Helpful
5
Replies

Help with Global Service Policies on ASA 8.6

Brett Verney
Level 1
Level 1

Hi all,

I just started a new role looking after a Network where not too long before I started had a complete Internet Edge redesign. It seems that FTP transactions destined to the Internet haven't been working since the changes.

Until yesterday I had no idea about the history of FTP and why it needs special attention. i.e. 'Active' mode won't work with NAT and 'Passive' mode requires addtional ports to be opened on random high port numbers, and, without 'FTP inspection' enabled via a service policy, requires those 'random' port numbers to be opened outbound on the Firewall.

Long story short I found a 'tcp-bypass' class map located under the global policy which seemed to be bypassing the state tracking for ALL TCP. When I remove this class map from the global policy, FTP works!! I suspect this is due to the global policy using the class 'inspection_default' where FTP is being inspected and allowing the FTP client to connect to the server on those random port numbers that it requires. However I have no idea if removing the -tcp-bypass' class map is breaking any other TCP sessions, or why it was implemented in the first place.

Correct me if I'm wrong (because a lot of this is new to me), but shouldn't the global policy match and action the 'inspection_default' map before it processes the 'tcp-bypass' map?

My config is below...

class-map tcp-bypass

match access-list tcp-bypass

class-map PROXY-STATE-BYPASS

match access-list tcp-bypass

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

class tcp-bypass

  set connection advanced-options tcp-state-bypass

class class-default

  user-statistics accounting

policy-map PROXY-STATE-BYPASS-PMAP

class PROXY-STATE-BYPASS

  set connection advanced-options tcp-state-bypass

!

service-policy global_policy global

Any help/advice would be greatly appreciated!!

Brett

ps. There are no service policies applied to any of the ASA's interfaces.

1 Accepted Solution