Introduction
Firewalls such as the Cisco ASA and FWSM use stateful inspection to protect traffic flows. One major requirement for stateful inspection to work is that the firewall sees both the request (TCP SYN) and the response (TCP SYN/ACK) of a connection, on the corresponding ingress and egress interfaces. Otherwise the firewall has no connection entry to match the packet against: a SYN/ACK that arrives without a preceding SYN is treated as an out-of-state (or spoofed) segment, logged as "Deny TCP (no connection)" (syslog message 106015), and dropped.
Core Issue
Most often the inside network starts as a flat, single-VLAN topology. Over time, routers or layer 3 switches are added to expand the inside network or segment it further. As a result, communication between inside servers and inside clients stops working when the servers still use the firewall as their default gateway.
With the servers using the firewall as their gateway to reach other inside nodes, the new topology introduces asymmetric traffic flows. For example (see topology), the TCP SYN from a client to a server never crosses the firewall, because the router has an interface on the same IP subnet as the servers and forwards the SYN directly. The server's TCP SYN/ACK, however, does cross the firewall, because the server uses the firewall as its next hop for every other IP subnet. The same asymmetry occurs when traffic is initiated from the servers towards the clients: the server's SYN goes through the firewall, but the client's SYN/ACK is returned through the router.
Note that when the firewall receives a SYN/ACK without a corresponding SYN, it not only drops the SYN/ACK but (with "service resetoutbound", which is enabled by default on the ASA) also sends a TCP RST towards the sender of the SYN/ACK, so the server sees its connection torn down rather than simply timing out.
Topology
Resolution
1. To avoid the asymmetric traffic flow between servers and clients, the least disruptive change is to have the servers use the inside router or layer 3 switch as their default gateway. Make sure the router or layer 3 switch in turn uses the firewall as its gateway (default route) for Internet access. This is scalable, since you do not need to track how many VLANs exist on the inside.
2. The other option is to add static routes on the servers so that traffic destined to inside nodes uses the inside router instead of the default gateway. This does not scale: an entry is needed on every server for every inside VLAN subnet, and each new VLAN means touching every server again.
3. Add a DMZ interface on the firewall and move the servers behind it. Traffic between the servers and the inside clients then crosses the firewall symmetrically (both directions on the DMZ and inside interfaces), and the servers remain protected from both inside and Internet access.
4. Enable TCP state bypass on the firewall for the specific flows between the servers and the clients. Note that this is only a workaround and is not recommended: TCP state bypass disables stateful inspection (including TCP normalization) for the matched traffic. On the other hand, this traffic should not be crossing the firewall in the first place, so the option may be acceptable depending on the company's security policy.
hostname(config)# access-list tcp_bypass extended permit tcp <servers-ip> <servers-subnetmask> <clients-ip> <clients-subnetmask>
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy tcp_bypass_policy interface <interface-name>
Note: Be as specific as possible in the tcp_bypass access list (exact server and client subnets and, where possible, ports) so that only the asymmetric flows bypass inspection. The service policy must be applied with the interface keyword to the interface that the server/client traffic crosses (the inside interface in this topology), or with the global keyword. TCP state bypass was introduced in ASA software 8.2(1); check the release notes for your platform and version before relying on it.
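The following model shows why the asymmetric SYN/ACK from the Core Issue section is dropped and what the tcp-state-bypass class in step 4 changes. It is an illustration added to this article, not ASA code: the connection-table logic is a simplification of stateful inspection, and the interface names, addresses (servers 10.1.10.0/24 using the firewall as gateway, clients 10.1.20.0/24 reached through the inside router, an Internet client at 203.0.113.5), ports and packet trace are all constructed. The syslog line it produces mimics the format of ASA message 106015.

```python
"""Model of the stateful check behind "Deny TCP (no connection)" and of the
TCP state bypass workaround. Added illustration, not ASA code; addresses,
interfaces, ports and the packet trace are constructed for this example."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the firewall receives the segment on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as the ASA prints them: "SYN", "SYN ACK", "ACK"


class StatefulFirewall:
    """Minimal stateful inspection: a connection entry is created only by a
    SYN; any other segment must match an existing entry or it is dropped.
    bypass_acl models the tcp_bypass access list of step 4: segments matching
    it create a connection regardless of their flags (tcp-state-bypass)."""

    def __init__(self, bypass_acl=()):
        self.conns = set()          # (src, sport, dst, dport) of the initiator
        self.bypass_acl = [(ip_network(s), ip_network(d)) for s, d in bypass_acl]
        self.syslog = []            # constructed 106015-style messages
        self.resets = []            # (src, sport, dst, dport) of RSTs sent back

    def _matches_bypass(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        return any(src in s and dst in d for s, d in self.bypass_acl)

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "PASS (existing connection)"
        if pkt.flags == "SYN":
            self.conns.add(fwd)
            return "PASS (new connection)"
        if self._matches_bypass(pkt):
            self.conns.add(fwd)
            return "PASS (state bypass)"
        # Not a SYN and no connection: log 106015 and, as the article notes
        # (service resetoutbound, on by default), answer the sender with a RST.
        self.syslog.append(
            f"%ASA-6-106015: Deny TCP (no connection) from {pkt.src}/{pkt.sport} "
            f"to {pkt.dst}/{pkt.dport} flags {pkt.flags} on interface {pkt.ingress}")
        self.resets.append((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "DROP"


SERVER, INSIDE_CLIENT, INTERNET_CLIENT = "10.1.10.10", "10.1.20.50", "203.0.113.5"

# Constructed trace. The inside client's SYN is forwarded by the router straight
# into the server VLAN and never reaches the firewall, so only the server's
# SYN/ACK (sent to its gateway, the firewall) appears. The Internet client's
# flow is symmetric: both directions traverse the firewall.
TRACE = [
    Packet("outside", INTERNET_CLIENT, 51000, SERVER, 80, "SYN"),
    Packet("inside", SERVER, 80, INTERNET_CLIENT, 51000, "SYN ACK"),
    Packet("inside", SERVER, 80, INSIDE_CLIENT, 40000, "SYN ACK"),
]


def run_trace(bypass_acl=()):
    """Feed TRACE through a firewall; return (verdicts, syslog, resets)."""
    fw = StatefulFirewall(bypass_acl)
    verdicts = [fw.process(p) for p in TRACE]
    return verdicts, fw.syslog, fw.resets


if __name__ == "__main__":
    for acl in ((), (("10.1.10.0/24", "10.1.20.0/24"),)):
        verdicts, syslog, _ = run_trace(acl)
        print("bypass acl:", acl or "none")
        for pkt, verdict in zip(TRACE, verdicts):
            print(f"  {pkt.ingress:8}{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
                  f" {pkt.flags:8} {verdict}")
        for line in syslog:
            print("  ", line)
```

Running the script without a bypass ACL shows the Internet flow passing and the server-to-inside-client SYN/ACK dropped with the 106015-style message; with the server and client subnets in the bypass ACL the same segment passes, which is exactly the trade-off of step 4: the firewall stops caring whether it ever saw the SYN for that traffic.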
Related Information
Check out the ASA configuration guide for more information on the TCP state bypass feature.