RST not sent across via ASA

ankurs2008
Level 1

hi halijenn / experts

Hi, I have a query related to the IDS sending a RST from the inside interface of the firewall. Please let me know if my understanding is correct.

The ASA has Inside, DMZ and Outside interfaces; the IDS is on the Inside interface, and the user is in the DMZ.

1) When a TCP connection is initiated from the DMZ interface to the Outside, the IDS sniffs that and sends a RST.

2) The switch port (say fa0/5) which is configured for spanning and connected to the IDS sensor's sniffing interface should have the following features:

# Disable "learning" on the SPAN port, as the sensor is going to spoof the source IP and MAC address of the destination of the original packet, and the switch has to allow this through.

# Allow input on the SPAN port so the switch will accept the RST packet, since normally they are one way only.

Eg:

monitor session 1 source vlan 20 rx
monitor session 1 destination int fa0/5 ingress vlan 20

Please let me know if my understanding here is correct.

Now my query is that:

a) When the user sends a TCP packet to the Outside, the IDS sniffs and discards that packet due to its configuration. Hence, to whom does the IDS ideally send the RST (to the source or the destination)? What will be the source IP and destination IP of that RST? According to me it will send the RST to the destination. If it sends the RST to the destination, what will it intimate to the user (DMZ)?
b) Do we need to have access rules configured in the firewall to allow that RST to be sent across to the destination (considering it sends the RST to the destination)?
c) Will the firewall check its state table and try to deny that RST packet in any case? The reason is that I am getting the following error when user 172.16.10.9 is sending a packet outside; the IDS is not able to send the RST and the user is able to send and receive the web page correctly (which ideally should not happen).

1.Jun 19 2010 19:07:11 COLASA : %ASA-6-106015: Deny TCP (no connection) from 63.196.22.110/80 to 172.16.10.9/1047 flags FIN PSH ACK  on interface inside

This log says that the IDS (after intercepting the packet received from the source) is trying to build a new connection from Inside to DMZ to reply to the user, and in this process it sets its source to 63.196.22.110 (that of the destination) but somehow is getting denied.


2.Jun 19 2010 19:07:11 COLASA1 : %ASA-6-106015: Deny TCP (no connection) from 172.16.10.9/1047 to 63.196.22.110/80 flags RST ACK  on interface inside

This log says that the IDS is trying to send a RST to the destination (with source as 172.16.10.9 now); however, something in the firewall is preventing it from doing so.


Please guide me how to proceed.

18 Replies
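The two %ASA-6-106015 messages quoted above are the only evidence the poster has of what the firewall did with the sensor's packets, so the first thing a defender wants is a parser that pulls the 5-tuple, the TCP flags and the ingress interface out of those lines and flags the ones whose source address does not belong on the interface they arrived on. The following is an added example (not code from the thread or from Cisco): the log lines are constructed from the two messages in the question plus one extra line, and the 192.168.1.0/24 "inside" address range is an assumption, since the page never states the inside subnet.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample lines: the first two mirror the %ASA-6-106015 messages quoted in
# the question; the third is a constructed line from a host that really lives on inside.
SAMPLE_LOGS = [
    "Jun 19 2010 19:07:11 COLASA : %ASA-6-106015: Deny TCP (no connection) "
    "from 63.196.22.110/80 to 172.16.10.9/1047 flags FIN PSH ACK  on interface inside",
    "Jun 19 2010 19:07:11 COLASA1 : %ASA-6-106015: Deny TCP (no connection) "
    "from 172.16.10.9/1047 to 63.196.22.110/80 flags RST ACK  on interface inside",
    "Jun 19 2010 19:07:13 COLASA : %ASA-6-106015: Deny TCP (no connection) "
    "from 192.168.1.40/52000 to 63.196.22.110/443 flags ACK  on interface inside",
]

# Assumed address plan (not stated on the page): the prefixes whose hosts legitimately
# originate traffic on each firewall interface.
LOCAL_NETS = {"inside": [ip_network("192.168.1.0/24")]}

DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Denied:
    src: str
    sport: int
    dst: str
    dport: int
    flags: Tuple[str, ...]
    iface: str


def parse_106015(line: str) -> Optional[Denied]:
    """Return the fields of a 'Deny TCP (no connection)' message, or None for other lines."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return Denied(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  tuple(m["flags"].split()), m["iface"])


def classify(d: Denied) -> str:
    """Label a denied packet by whether its source address belongs on its ingress interface."""
    local = LOCAL_NETS.get(d.iface, [])
    src_is_local = any(ip_address(d.src) in net for net in local)
    if not src_is_local and "RST" in d.flags:
        return "spoofed-reset"   # a reset injected on this interface with a foreign source
    if not src_is_local:
        return "spoofed-other"   # other injected traffic with a source foreign to this interface
    return "stale-local"         # a local host sending into a connection the firewall no longer holds


def find_spoofed(lines: List[str]) -> List[Tuple[str, Denied]]:
    """Parse every 106015 line and pair it with its classification."""
    out = []
    for line in lines:
        d = parse_106015(line)
        if d is not None:
            out.append((classify(d), d))
    return out


if __name__ == "__main__":
    for label, d in find_spoofed(SAMPLE_LOGS):
        print(f"{label:14} {d.src}:{d.sport} -> {d.dst}:{d.dport} {' '.join(d.flags)} on {d.iface}")
```

Run against the constructed lines, the two messages from the question both come out as spoofed (one reset, one FIN/PSH/ACK) because neither 63.196.22.110 nor 172.16.10.9 is an inside address, which is exactly the signature of a sensor injecting packets on an interface that carries no leg of the connection; the third line, from a genuine inside host, is reported as a stale local flow instead.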

The ASA will only tear down the TCP session when it actually receives the RST packet, and that is what it did. If you take a look at the capture, all the PSH packets are seen back and forth between the web server and client, and at the end of the TCP session you would see the RST packet.

The ASA will not tear down the TCP connection unless it receives the RST or FIN packet to tear down the TCP connection, and/or if the connection has been idle and the idle timeout expires.

The RST is the last packet that I see in the packet capture. Once the web server receives the RST packet, it will also tear down the TCP session at its end.
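The reply above describes the stateful rule the firewall applies: a connection entry is created by the initial SYN, later packets are matched against that entry, and the entry goes away only on RST, FIN or idle timeout. The toy model below is an added example written for this thread, not ASA code and not anything from the thread's participants; it makes one assumption that the page does not state, namely that the lookup also checks which interface a packet arrived on, which is the simplest explanation for a packet with a valid 5-tuple being logged as "no connection" on inside. The routing table and timestamps are constructed, and teardown on the first FIN is a simplification (a real firewall tracks the FIN exchange).

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]
    iface: str          # interface the packet arrived on


@dataclass
class Conn:
    client: Endpoint
    server: Endpoint
    client_iface: str   # interface the client's packets arrive on
    server_iface: str   # interface the server's packets arrive on
    last_seen: float


class ConnTable:
    """Toy stateful connection table: build on SYN, match both directions, expire on RST/FIN/idle."""

    def __init__(self, route: Callable[[str], str], idle_timeout: float):
        self.route = route              # destination address -> egress interface (assumed routing)
        self.idle_timeout = idle_timeout
        self.conns: Dict[Tuple[Endpoint, Endpoint], Conn] = {}

    def _expire(self, now: float) -> None:
        for key, c in list(self.conns.items()):
            if now - c.last_seen > self.idle_timeout:
                del self.conns[key]

    def _lookup(self, p: Packet) -> Optional[Conn]:
        # Assumption: a packet only matches if it arrives on the interface recorded for its side.
        c = self.conns.get(((p.src, p.sport), (p.dst, p.dport)))
        if c is not None and p.iface == c.client_iface:
            return c
        c = self.conns.get(((p.dst, p.dport), (p.src, p.sport)))
        if c is not None and p.iface == c.server_iface:
            return c
        return None

    def process(self, p: Packet, now: float) -> str:
        self._expire(now)
        c = self._lookup(p)
        if c is None:
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.conns[((p.src, p.sport), (p.dst, p.dport))] = Conn(
                    (p.src, p.sport), (p.dst, p.dport), p.iface, self.route(p.dst), now)
                return "built"
            return "deny-no-connection"     # what %ASA-6-106015 reports
        c.last_seen = now
        if "RST" in p.flags or "FIN" in p.flags:
            del self.conns[(c.client, c.server)]
            return "teardown"
        return "forward"


def lab_route(ip: str) -> str:
    """Constructed routing for the question's topology: DMZ, inside, and a default via outside."""
    if ip.startswith("172.16.10."):
        return "dmz"
    if ip.startswith("192.168.1."):       # assumed inside prefix, not stated on the page
        return "inside"
    return "outside"


CLIENT, SERVER = ("172.16.10.9", 1047), ("63.196.22.110", 80)   # addresses from the posted logs


def pkt(src: Endpoint, dst: Endpoint, flags, iface: str) -> Packet:
    return Packet(src[0], src[1], dst[0], dst[1], frozenset(flags), iface)


def demo_reset_from_wrong_interface() -> List[str]:
    t = ConnTable(lab_route, idle_timeout=3600)
    return [
        t.process(pkt(CLIENT, SERVER, {"SYN"}, "dmz"), 0),                    # built
        t.process(pkt(SERVER, CLIENT, {"SYN", "ACK"}, "outside"), 1),         # forward
        t.process(pkt(CLIENT, SERVER, {"PSH", "ACK"}, "dmz"), 2),             # forward
        # the sensor's spoofed reset arrives on inside, which holds no leg of this connection
        t.process(pkt(CLIENT, SERVER, {"RST", "ACK"}, "inside"), 3),          # deny-no-connection
        t.process(pkt(SERVER, CLIENT, {"FIN", "PSH", "ACK"}, "outside"), 4),  # teardown
        t.process(pkt(SERVER, CLIENT, {"ACK"}, "outside"), 5),                # deny-no-connection
    ]


def demo_idle_timeout() -> List[str]:
    t = ConnTable(lab_route, idle_timeout=60)
    return [
        t.process(pkt(CLIENT, SERVER, {"SYN"}, "dmz"), 0),             # built
        t.process(pkt(SERVER, CLIENT, {"SYN", "ACK"}, "outside"), 30), # forward
        t.process(pkt(CLIENT, SERVER, {"ACK"}, "dmz"), 120),           # deny-no-connection (idle > 60 s)
    ]


if __name__ == "__main__":
    print(demo_reset_from_wrong_interface())
    print(demo_idle_timeout())
```

The first scenario reproduces the second posted log line: the reset carries the right addresses and ports, but because it enters on inside while the connection lives between dmz and outside, the model reports "no connection" and the flow is unaffected, which matches the poster's observation that the user still received the page. The second scenario shows the other teardown path the reply mentions, where an entry simply ages out.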

Hi halijenn,

Thanks for the reply. I have a few queries; they may be incorrect questions but that is what is running through my mind.

1) Is the RST seen in the packet capture the same one which is sent from the Inside interface (i.e. from the IDS) with the spoofed IP towards the destination?

2) I agree that on seeing the RST the firewall is tearing down the connection, but is there any significance in tearing down that connection now, when the user has already received the webpage?

3) I don't think that the web server is receiving the RST packet. If yes, can we see that RST packet passing through the IDS in packet captures or syslogs? We definitely do see the "Deny TCP no connection" with RST as the reason, but I cannot see the RST packet passing through the firewall to reach the web server outside.

Hi halijenn,

Request you to please reply to my queries below.

1) I am not sure who sends the RST packet, but the RST is definitely being sent from the Inside towards the Outside.

2) In regards to this question, as far as the ASA is concerned, it doesn't know when the RST is supposed to be sent, whether it's after or before the data has been sent, because as far as the ASA is concerned, it's just a TCP session. The RST is sent by the IPS because it is matching a specific signature; however, the ASA does not have knowledge of that.

3) The web server should be receiving the RST packet because I saw that same packet on the outside packet capture. Packet# 237 on the outside capture is exactly the same as packet# 261 on the inside capture. Packet# 237 is the RST that is being forwarded out the ASA outside interface towards the web server.
