TCP Bypass not working

markus.bock
Level 1

Hello,

I have a problem with asymmetric routing for a host in our network. A connection coming from www to the host goes through a third-party UTM appliance to the host 10.10.10.99. The default gateway is a Cisco ASA, 10.10.10.1. In the log of the ASA I can see the message

Deny TCP (no connection) from 10.10.10.99/3389 to 80.122.157.55/34334 flags SYN ACK on interface NET_10.10.10.0_Inside

This shows me a problem with asymmetric routing. I cannot change the routing and access from www to the host. I would like to configure TCP Bypass for this host, but I can't get it to work.

I have configured the following policy:

access-list tcp_bypass extended permit tcp host 10.10.10.99 any
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface NET_10.10.10.0_Inside

But when I try to access the host I still get the log entries from above.

Can anybody please help me find the problem?
16 Replies

Francesco Molino
VIP Alumni

Hi

After enabling the TCP bypass policy, are you still getting the same error?

I don't know your real design, but have you checked whether PBR would be a better solution to forward this traffic back to the other UTM from that particular host?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, I get the same log entry.

Good idea with PBR. I will try it.

Thanks and kind regards

PBR is not the solution for my problem because the ASA is our internal gateway for all networks.

I need the tcp-bypass working, but I don't understand why it is not working.

The destination IP on the TCP bypass ACL should be the remote host; is that what you configured? Also, you would need to apply the same-security-traffic permit intra-interface command to allow the traffic to enter and exit on the same interface.

Also, please take a look at this post of mine about TCP bypass on the ASA:

https://bluenetsec.com/asa-tcp-state-bypass/

As destination I have configured ANY. The source host is 10.10.10.99, and same-security-traffic permit intra-interface is set.

As service I have configured TCP because of the dynamic ports.

Is it solved or not?
same-security-traffic is for traffic on the same interface;
here the traffic enters via the OUTSIDE of the UTM and exits from the INSIDE of the ASA.
I checked the config. Can you test the following:
change the real IP address to the mapped address in the extended ACL.

Make the host initiate the traffic toward the ASA outside,
OR
make the inside a different VLAN,
one for the UTM and another for the ASA,
and make the UTM the default gateway.

Last thing: the ASA does not support PBR.

Can you please share the topology along with the IP addresses? I think 10.10.10.99 should be the destination host on the ACL, not the source, but if you can share the topology I can get my head around it better.

Attached is the network diagram.

I have tested it with a server in another VLAN with the same result.

 

Could you run a packet-tracer on the ASA to verify we are hitting the TCP bypass configuration?

 

--
Please remember to select a correct answer and rate helpful posts

I think in this case you would need tcp bypass to be implemented on both the internal and external firewall.

Of course I need it on the internal and on the external firewall. But TCP bypass needs to work on the internal one first, and this is the problem.

I'll do a packet capture tomorrow.

 

Thanks

Try to add this on the external firewall:

access-list tcp_bypass extended permit tcp any host 10.10.10.99
access-list tcp_bypass extended permit tcp host 10.10.10.99 any

and this on the internal:

access-list tcp_bypass extended permit tcp host 10.10.10.99 any

As the ASA would create the state entries tied to the interfaces (unless you configure interface zones), the traffic leaving the external firewall out of the DMZ interface would not match the return traffic via the transfer interface, hence it would be dropped. This is why I think you need two rules on the tcp_bypass ACL: one to match the traffic leaving its DMZ interface towards the host 10.10.10.99, and another to match the traffic received from the host 10.10.10.99 on the transfer interface. However, the internal firewall only ever sees the host 10.10.10.99 traffic via the VLAN10 interface, therefore we would need only one rule on the internal firewall.

Could you please verify whether traffic is actually matching the ACL that is used for TCP bypass? This should be visible in a packet-tracer.

--
Please remember to select a correct answer and rate helpful posts
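The configuration the thread converges on (two ACL entries on the external firewall, one on the internal one, plus intra-interface traffic) together with the verification the last two replies ask for, pulled together as an added example. This is not config from any of the posts above. The interface name and addresses are the ones from the thread; the choice to attach the class to a global service policy on the external firewall, and the show/packet-tracer commands used to check it, are my assumptions.

```cisco
! --- External firewall (sees 10.10.10.99 on two interfaces: DMZ and transfer) ---
! Allow a flow to enter and leave on the same interface (needed on both boxes).
same-security-traffic permit intra-interface
! Both directions: the first packet of a flow can show up on either interface.
access-list tcp_bypass extended permit tcp any host 10.10.10.99
access-list tcp_bypass extended permit tcp host 10.10.10.99 any
class-map tcp_bypass
 match access-list tcp_bypass
! Assumption: the ASA still has its default global_policy, so the class is added
! there. The ASA accepts only one global policy and one policy per interface.
policy-map global_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

! --- Internal firewall (the ASA from the original post; host only seen on VLAN10) ---
same-security-traffic permit intra-interface
access-list tcp_bypass extended permit tcp host 10.10.10.99 any
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface NET_10.10.10.0_Inside

! --- Verification on the internal firewall ---
! Replay the 5-tuple from the denied log line against the inside interface.
! packet-tracer simulates a SYN, not the SYN/ACK in the log, but it is enough to
! show whether the flow is classified into tcp_bypass and allowed.
packet-tracer input NET_10.10.10.0_Inside tcp 10.10.10.99 3389 80.122.157.55 34334 detailed
! Confirm the policy is attached to the interface and the ACL hit counters move.
show service-policy interface NET_10.10.10.0_Inside
show access-list tcp_bypass
! Bypassed flows appear in the connection table with the "b" flag
! (TCP state-bypass) instead of being logged as "Deny TCP (no connection)".
show conn detail address 10.10.10.99
```

Keep the ACL as narrow as the thread's (one host, tcp only): flows matched by tcp-state-bypass skip the TCP state checks, normalization and sequence-number randomization, so every additional host or port in that ACL is traffic the ASA no longer protects.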