Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
468
Views
0
Helpful
0
Comments

Firewall as a Gateway Connectivity Issues

Ronaldo Renato Punzalan
Cisco Employee
Cisco Employee

‎08-22-2010 11:22 AM - edited ‎03-08-2019 06:35 PM

Introduction

Firewalls like Cisco ASA and FWSM use statefull inspection to protect traffic flows. One major requirement of successfully implementing stateful inspection is that both request (TCP SYN) and response (TCP SYN/ACK) flow must be seen by the firewall on the same corresponding ingress and egress interface. Otherwise, the firewall will treat it as TCP SYN attack or TCP SYN/ACK attack.

Core Issue

Most often the inside network is no longer flat, single vlan topology. Overtime, routers or layer 3 switches are added to expand or segment further the inside network.As a result, communication between servers on the inside on a different subnet can no longer communicate with inside nodes from other vlan when the servers use the firewall as a gateway and vice versa.

With the servers using the ASA as gateway to communicate to inside nodes, it created a asymmetric traffic flow.

Topology

ron_visio.jpg

Resolution

1. To avoid the asymmetric traffic flow between servers and clients, the least disruptive change is to have the servers use the router/layer 3 as their default gateway. Ensure the router and layer 3 switch still uses the firewall as gateway for internet access. This is scaleable as you do not need to worry about how many vlans on the inside.

The other option is to use static routes on the servers such as traffic flow destined to inside nodes will use the inside router instead of the default gateway. This is not scaleable as you will need to add an entry for evey inside vlan subnets.

2. Add a DMZ interface on the firewall and move the servers behind it. This way, the servers are still protected from both the inside and internet access.

3. Enable tcp state-bypass on the Firewall specific to traffic flow between the Servers and clients. Note that this is only considered as workaround only and not highly recommend. The reason is TCP state-bypass disables the state statefull inspection of the firewall. Either way, the traffic should not be crossing the firewall in the first place therefore I can be acceptable depending on security policy.

hostname(config)# access-list tcp_bypass extended permit tcp <servers-ip> <servers-subnet> <clients-ip> <clients-subnetmask>

hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass

hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass

hostname(config-pmap-c)# service-policy tcp_bypass_policy outside

Note: It is recommendated to more specific as much as possible when using tcp state-bypass.

Related Information

Checkout the configuration guide for more info on the TCP state bypass feature.

Labels:
Preview file
18 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents