cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1553
Views
20
Helpful
7
Replies

How to config so firewall MAINTAINS PAT translations?

Hello.

SYMPTOM:

-On enterprise ethernet LAN, workstation connects first-time through ASA-5525 with sftp to remote vendor. No symptom.
-On enterprise ethernet LAN, workstation connects second-time through ASA-5525 with sftp to remote vendor. Symptom is that after 3-way-handshake, remote vendor never again sends packets.

-On enterprise public Wifi (different gateway), workstation connects first-time through Ubiquity firewall with sftp to remote vendor. No symptom.
-On enterprise public Wifi (different gateway), workstation connects second-time through Ubiquity firewall with sftp to remote vendor. Symptom is that after 3-way-handshake, remote vendor never again sends packets.
---

My theory is that the random workstation SOURCE PORT is different between 1st and 2nd connection, but the remote vendor OSI layer-7 application is maintaining the 1st stale session, so it's sending return communication with stale PAT translation details; and thus workstation does not receive new communication return data. 

Questions:

1. What are your thoughts on my theory? If it is incorrect, what do you suggest?

2. If you agree with my theory, what is the ASA-5525 PAT config that will solve this symptom?

Thank you.

1 Accepted Solution

Accepted Solutions

Now, I know previously that ASA support FTP inspection but not SFTP 
SFTP is FTP over SSH 
so it need some sort of config 
 https://community.cisco.com/t5/network-security/sftp-application-inspection/td-p/1099303

check this link see how we can bypass SFTP over ASA. 
thanks 
MHM 

View solution in original post

7 Replies 7

you meaning that same source send to destination, but the ASA use only old PAT entry and hence the traffic drop ?
If Yes then reduce the TCP timeout to make ASA always refresh the xlate entry for TCP

There is an important detail-- All other re-connects to the www are fine. It is this particular vendor that has the symptom. Thus, my theory is that this vendor's application config maintains stale OSI layer 4 or 5 info, and thus communicates back with this stale info, and thus the ASA-5525 drops the traffic.

In this exact situation, is "reduce the UDP timeout to make ASA always refresh the xlate entry for UDP" still the solution?

If yes, then what is the ASA 5525 CLI commands that fix this?

Thank you MHM!

Hello,

you cannot set the xlate timeout for UDP connections directly. You could use a policy map as in the example below:

ASA5525(config)# access list UDP_ACL extended permit ip any 192.168.1.11 255.255.255.255
ASA5525(config)# class-map UDP_CM
ASA5525(config-cmap)# match access-list UDP_ACL
ASA5525(config)# policy-map UDP_PM
ASA5525(config-pmap)# class UDP_CM
ASA5525(config-pmap-c)# set connection timeout UDP

Now, I know previously that ASA support FTP inspection but not SFTP 
SFTP is FTP over SSH 
so it need some sort of config 
 https://community.cisco.com/t5/network-security/sftp-application-inspection/td-p/1099303

check this link see how we can bypass SFTP over ASA. 
thanks 
MHM 

.

.

link says...

"Server----I(ASA)O----client

Server inside, client outside, normally, need to have static mapping for the server and open port 22 to the server's mapped IP for traffic to flow through."

"normally, need to have static mapping for the server" Why?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: