How to allow asymmetric traffic in FWSM

redsoftcisco
Level 1

Dear Experts,

My FWSM is blocking the return traffic because it returns from a different VLAN than the one the traffic was established on, which is normal. I would like to enable the FWSM to allow this kind of traffic. Do you know how to do it? My traffic could be TCP, UDP or ICMP.

Regards

Red1

7 Replies

Marcin Latosiewicz
Cisco Employee

Red1,

TCP state bypass is what you're looking for, AFAIR it was introduced in FWSM 4.0.

M.

Thanks Marcin for your reply, but I think this is only for TCP traffic. How can I do the same for UDP and ICMP traffic?

Regards

Red1

UDP is connectionless, so it'll work with asymmetric routing by itself, if there's a corresponding permission in the interface ACL. Same thing with ICMP. For TCP, however, you should do what Marcin said.

Andrew Phirsov wrote:

UDP is connectionless, so it'll work with asymmetric routing by itself, if there's a corresponding permission in the interface ACL. Same thing with ICMP.

Are you sure about this? Is this something that you've "tested" and verified is working?

Thanks,

I'm sure about this. We have this kind of asymmetric routing in our network. The result of this, in the case of UDP/ICMP (as well as TCP, however), is that each packet will be seen by the ASA as part of a separate flow. So inspection won't work and you'll have to place access lists on both the inside and outside interfaces to permit this kind of traffic.

TCP is different in that it has a three-way handshake. Even if your firewall is completely open from both ends, if the first packet in a flow traversing one of the ASA's interfaces is not a TCP SYN (i.e. the ASA sees a SYN-ACK but didn't see the SYN, or the ASA sees an ACK but didn't see the SYN-ACK), the ASA will drop this packet. With UDP/ICMP this is not a problem.
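Putting Marcin's suggestion and Andrew's two points together, here is the Modular Policy Framework configuration for TCP state bypass (ASA 8.2(1)+ / FWSM 4.0(1)+) alongside the interface ACLs that the non-SYN-checked and connectionless return traffic still has to pass. This is an added example, not configuration from any post in this thread; the interface names vlan10/vlan20, the 10.10.10.0/24 and 10.10.20.0/24 subnets and the ACL/class-map names are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed topology: flows leave the
! firewall through interface "vlan10" (10.10.10.0/24) and the replies come
! back through interface "vlan20" (10.10.20.0/24).

! 1. Select only the traffic whose return path is asymmetric. Keeping the
!    match narrow limits how much traffic loses the SYN/handshake check.
access-list ASYM_TCP extended permit tcp 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list ASYM_TCP extended permit tcp 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0

class-map ASYM_TCP_CLASS
 match access-list ASYM_TCP

! 2. Disable TCP state tracking for that class only. Everything not in the
!    class keeps full stateful inspection. The global_policy policy-map and
!    its global service-policy already exist by default on an ASA; on an
!    FWSM create them if they are absent.
policy-map global_policy
 class ASYM_TCP_CLASS
  set connection advanced-options tcp-state-bypass

service-policy global_policy global

! 3. A bypassed TCP packet, and every UDP/ICMP packet of an asymmetric
!    flow, is not matched to an existing connection on the interface where
!    it arrives, so it is evaluated by that interface's inbound ACL as a
!    new flow. Permit the traffic in BOTH directions on BOTH interfaces.
access-list VLAN10_IN extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list VLAN20_IN extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group VLAN10_IN in interface vlan10
access-group VLAN20_IN in interface vlan20

! 4. Verify. Bypassed TCP connections carry the "b" flag in show conn, and
!    a capture on the return interface confirms the replies are arriving
!    there (and whether they are being built as connections or dropped).
show conn detail
capture ASYM_RET access-list ASYM_TCP interface vlan20
show capture ASYM_RET
```

Two caveats a practitioner should weigh before enabling this. First, tcp-state-bypass removes the handshake and sequence-number validation that protects hosts in the matched class from spoofed or replayed segments, so the ACL in step 1 should be as specific as the asymmetric paths allow, not a blanket `permit tcp any any`. Second, if `inspect icmp` is enabled, echo replies are normally matched to the echo request's connection; a reply that arrives on a different interface will not match and is treated as a new ICMP flow, which is why the ACL on the return interface must permit it explicitly.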

OK, since I don't have an ASA to test with and I work mostly with Checkpoint firewalls, I know this particular setup works in a Checkpoint environment, but I am wondering if the same thing can work with ASA/FWSM:

- an ASA firewall with three interfaces, "external", "internal" and "dmz", with addresses 1.1.1.254, 2.2.2.254 and 3.3.3.254 respectively,

- a host X sits on the external interface with an IP address of 1.1.1.1,

- a host Y with an IP address of 2.2.2.1 is connected to the "internal" interface,

- a host Y with an IP address of 3.3.3.1 is connected to the "dmz" interface,

- host Y has a default gateway of 2.2.2.254.

Host X wants to be able to communicate with both IP addresses 2.2.2.1 and 3.3.3.1 with tcp/udp/icmp/ospf/gre, etc.

As you can see, when host X communicates with host Y on IP address 3.3.3.1, host Y will use the return path via its default gateway of 2.2.2.254, thus creating an asymmetric route. In other words, traffic from host X will reach IP address 3.3.3.1 via the DMZ interface but the return traffic will use the "internal" interface.

Can the ASA do this, and will it work for all traffic types: tcp/udp/icmp/gre/ospf?

Checkpoint can do this, but I am wondering if ASA/FWSM can do this as well for this kind of asymmetric route environment. If it does, in what version?

Hi Andrew ,

What happens to me is that all traffic is being dropped when it returns from a different VLAN. There are some cases of symmetric TCP/UDP traffic which are being forwarded by the firewall, which means the ACL is configured correctly. So why is the asymmetric UDP traffic being dropped? I have configured the interfaces with the same security level "99" and added the inter/intra-interface permits as below:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

but the issue is still persisting.

Regards

Red1
