U-Turning/Hairpinning on ASA

 

Scenario:

 

Internet-->ASA(192.168.1.1)----(192.168.1.0/24)---->(192.168.1.254)Router---->172.16.10.0/24

 

Requirement:

 

The 192.168.1.0/24 network needs to talk to the 172.16.10.0/24 network; the default gateway of the 192.168.1.0/24 machines is the ASA inside interface (192.168.1.1).

 

By default the ASA won't allow traffic to leave the same interface on which it entered. Thus when 192.168.1.0/24 machines try to reach the 172.16.10.0/24 subnet, here is how the communication happens:

 

- 192.168.1.10 (any machine on the 192.168.1.0/24 network with its gateway set to 192.168.1.1) opens a TCP connection to 172.16.10.10 (a machine on the 172.16.10.0/24 subnet). The initial SYN packet of the TCP 3-way handshake goes through the ASA, which has a route to the 172.16.10.0/24 network pointing to 192.168.1.254.

- By default the ASA won't allow this U-turn. We can add the following command to override this behavior:

 

same-security-traffic permit intra-interface

 

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1421315

 

- Because of the above command the ASA forwards the SYN packet to 192.168.1.254, which further forwards it to the actual destination 172.16.10.10.

- 172.16.10.10 responds with a SYN,ACK destined to 192.168.1.10. This packet arrives on the router, and since 192.168.1.0/24 is directly connected to it, instead of sending the packet to the ASA the router ARPs for 192.168.1.10 and sends the packet directly to the machine (assuming proxy ARP on the inside interface is disabled).

- 192.168.1.10 sends the ACK (3rd packet of the TCP 3-way handshake) again through the ASA, but since the ASA hasn't seen the SYN,ACK for this connection it drops the ACK, and thus the communication is unsuccessful.

 

Configuration

Here are the commands we can add on the ASA to accomplish this:

 

Pre 8.2:

 

Configuring NAT for both subnets:

 

nat (inside) 1 192.168.1.0 255.255.255.0

global (inside) 1 interface

static (inside,inside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0 norandomseq nailed

 

Adding the nailed option to the static command causes TCP state tracking and sequence checking to be skipped for the connection. More info can be found here:

 

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1512466

 

same-security-traffic permit intra-interface

sysopt noproxyarp inside

failover timeout -1

 

Info on the sysopt noproxyarp and failover timeout commands:

 

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975

 

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1931598

 

8.2 onwards:

 

Configuring NAT for both subnets (without nailed option):

 

nat (inside) 1 192.168.1.0 255.255.255.0

global (inside) 1 interface

static (inside,inside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0

 

same-security-traffic permit intra-interface

 

sysopt noproxyarp inside

 

Configuring TCP-STATE-BYPASS on the ASA: the norandomseq nailed option is deprecated, and this feature is now used to accomplish the same thing. With the config below the "failover timeout" command is also no longer needed.

 

NOTE: Match only the required traffic, as this feature forces the ASA to check only the interface ACL; all other security checks are disabled for traffic matching this class.

 

access-list TCP-STATE-BYPASS permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0

 

class-map TCP-STATE-BYPASS

match access-list TCP-STATE-BYPASS

 

policy-map inside_policy

class TCP-STATE-BYPASS

set connection advanced-options  tcp-state-bypass

 

service-policy inside_policy interface inside

 

 

With the config above the ASA allows asymmetric routing for the above flow.
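To see why the third packet is dropped without tcp-state-bypass and passes once the flow matches the bypass class, here is a small Python model of the ASA's connection tracking. It is added here as an illustration, not Cisco code; the Packet and Asa classes, the flag strings and the three-state handshake tracker are simplifications chosen for the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"

@dataclass
class Asa:
    # (source network, destination network) pairs matched by the TCP-STATE-BYPASS ACL
    bypass_acl: list = field(default_factory=list)
    # connection table: (client, server) -> handshake state the ASA has seen
    conns: dict = field(default_factory=dict)

    def matches_bypass(self, pkt):
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        return any(s in ip_network(a) and d in ip_network(b) for a, b in self.bypass_acl)

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for a packet arriving on the inside interface."""
        if self.matches_bypass(pkt):
            return "forward"  # bypass class: interface ACL only, no state tracking
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.conns[fwd] = "SYN_SEEN"  # new connection, start tracking it
            return "forward"
        if pkt.flags == "SYN-ACK" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "SYNACK_SEEN"
            return "forward"
        if pkt.flags == "ACK" and self.conns.get(fwd) == "SYNACK_SEEN":
            self.conns[fwd] = "ESTABLISHED"
            return "forward"
        return "drop"  # out-of-state packet: the ASA never saw the earlier leg

def hairpin_handshake(asa):
    """Replay the handshake from the scenario: only the SYN and ACK cross the ASA,
    because the router delivers the SYN-ACK to 192.168.1.10 directly."""
    client, server = "192.168.1.10", "172.16.10.10"
    return [asa.inspect(Packet(client, server, "SYN")),
            asa.inspect(Packet(client, server, "ACK"))]

if __name__ == "__main__":
    print("no bypass:", hairpin_handshake(Asa()))          # ['forward', 'drop']
    bypass = Asa(bypass_acl=[("192.168.1.0/24", "172.16.10.0/24")])
    print("tcp-state-bypass:", hairpin_handshake(bypass))  # ['forward', 'forward']
```

The ACL entry in the model is deliberately as narrow as the access-list above; widening it widens the set of flows that lose stateful inspection.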

 

 

 

- Sourav Kakkar
