1555 Views | 20 Helpful | 7 Replies

How to config so firewall MAINTAINS PAT translations?

Hello.

SYMPTOM:

-On the enterprise Ethernet LAN, the workstation connects for the first time through the ASA-5525 with sftp to the remote vendor. No symptom.
-On the enterprise Ethernet LAN, the workstation connects a second time through the ASA-5525 with sftp to the remote vendor. Symptom: after the 3-way handshake, the remote vendor never again sends packets.

-On the enterprise public WiFi (different gateway), the workstation connects for the first time through the Ubiquiti firewall with sftp to the remote vendor. No symptom.
-On the enterprise public WiFi (different gateway), the workstation connects a second time through the Ubiquiti firewall with sftp to the remote vendor. Symptom: after the 3-way handshake, the remote vendor never again sends packets.
---

My theory is that the random workstation SOURCE PORT is different between 1st and 2nd connection, but the remote vendor OSI layer-7 application is maintaining the 1st stale session, so it's sending return communication with stale PAT translation details; and thus workstation does not receive new communication return data. 

Questions:

1. What are your thoughts on my theory? If it is incorrect, what do you suggest?

2. If you agree with my theory, what is the ASA-5525 PAT config that will solve this symptom?

Thank you.

Accepted Solution

Now, I know from before that the ASA supports FTP inspection but not SFTP.
SFTP is FTP over SSH,
so it needs some sort of config:
https://community.cisco.com/t5/network-security/sftp-application-inspection/td-p/1099303

Check this link to see how we can bypass SFTP over the ASA.
Thanks,
MHM


7 Replies

You mean that the same source sends to the destination, but the ASA uses only the old PAT entry and hence the traffic drops?
If yes, then reduce the TCP timeout to make the ASA always refresh the xlate entry for TCP.

There is an important detail: all other re-connects to the www are fine. It is this particular vendor that has the symptom. Thus, my theory is that this vendor's application config maintains stale OSI layer 4 or 5 info, and thus communicates back with this stale info, and thus the ASA-5525 drops the traffic.

In this exact situation, is "reduce the UDP timeout to make ASA always refresh the xlate entry for UDP" still the solution?

If yes, then what are the ASA 5525 CLI commands that fix this?

Thank you MHM!

Hello,

you cannot set the xlate timeout for UDP connections directly. You could use a policy map as in the example below:

ASA5525(config)# access-list UDP_ACL extended permit ip any host 192.168.1.11
ASA5525(config)# class-map UDP_CM
ASA5525(config-cmap)# match access-list UDP_ACL
ASA5525(config)# policy-map UDP_PM
ASA5525(config-pmap)# class UDP_CM
ASA5525(config-pmap-c)# set connection timeout idle 0:02:00
ASA5525(config)# service-policy UDP_PM interface inside

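To make the xlate-timeout discussion concrete, here is an added toy model of a PAT table with an idle timer (example code written for this page, not from the thread or from Cisco). It replays the poster's scenario: the workstation opens a second sftp session from a new random source port, and the vendor keeps replying to the first translation. All addresses, ports and times are constructed sample values.

```python
"""Toy PAT/xlate table with an idle timeout (constructed example, not ASA code).

Replays the thread's case: a second connection from a new source port gets a new
mapped port, while a reply sent to the OLD mapped port is either delivered to the
stale inside socket (xlate still alive) or dropped (xlate expired)."""
from dataclasses import dataclass, field


@dataclass
class PatTable:
    idle_timeout: float        # seconds; plays the role of the ASA idle timer
    next_port: int = 40000     # next free mapped port on the outside interface
    # (inside_ip, inside_port) -> [mapped_port, last_seen]
    xlates: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, now):
        """Create (or refresh) the translation for an inside-originated flow."""
        self._expire(now)
        key = (src_ip, src_port)
        if key not in self.xlates:               # new flow: allocate a mapped port
            self.xlates[key] = [self.next_port, now]
            self.next_port += 1
        self.xlates[key][1] = now                # any packet refreshes the timer
        return self.xlates[key][0]

    def inbound(self, mapped_port, now):
        """Inside endpoint a reply is delivered to, or None if no live xlate matches."""
        self._expire(now)
        for key, entry in self.xlates.items():
            if entry[0] == mapped_port:
                entry[1] = now
                return key
        return None                              # ASA would drop: no translation

    def _expire(self, now):
        dead = [k for k, e in self.xlates.items() if now - e[1] > self.idle_timeout]
        for k in dead:
            del self.xlates[k]


def stale_reply_outcome(idle_timeout):
    """Where does a vendor reply to the FIRST translation land, 10 minutes later?"""
    pat = PatTable(idle_timeout)
    old_port = pat.outbound("10.1.1.5", 51000, now=0)     # first sftp session
    pat.outbound("10.1.1.5", 51731, now=600)              # second session, new source port
    # Vendor's layer-7 state still points at the first translation.
    return pat.inbound(old_port, now=600)
```

With a long idle timer the reply reaches the workstation's closed first socket; with a short one the firewall drops it. In neither case does it reach the second session, which is the behaviour the poster describes.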
link says...

"Server----I(ASA)O----client

Server inside, client outside, normally, need to have static mapping for the server and open port 22 to the server's mapped IP for traffic to flow through."

"normally, need to have static mapping for the server" Why?
