ASA5500: TCP state bypass for traffic, coming from IPsec tunnel

Jaaazman777
Level 1

Hello!

We have problems on the central firewall with restricting traffic coming from a remote office over IPsec. (The network scheme is attached.)

All branch offices are connected to the central ASA through IPsec.

The main aim is to control access from the branch offices only on the central firewall, NOT on each IPsec tunnel.

According to the scheme:

  • 172.16.1.0/24 is one of the branch office LANs
  • 10.1.1.0/24 and 10.2.2.0/24 are the central office LANs
  • The crypto ACL looks like: permit ip 172.16.1.0/24 10.0.0.0/8


The aim is to

  • restrict access from 172.16.1.0/24 to 10.1.1.0/24


When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is OK - they are dropped by acl2.

When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is the stateful firewall - traffic bypasses all access lists on the back path.

I thought that the TCP State Bypass feature could solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.

The central ASA 5500 is configured according to the Cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
class-map tcp_bypass_map
 description "TCP traffic that bypasses stateful firewall"
 match access-list tcp_bypass_acl
!
policy-map tcp_bypass_policy
 class tcp_bypass_map
  set connection advanced-options tcp-state-bypass
!
service-policy tcp_bypass_policy interface outside
service-policy tcp_bypass_policy interface inside

Does anyone know how to make TCP State Bypass work properly?


4 Replies

ajay chauhan
Level 7

TCP bypass is not required.

You should have the /24 in the crypto ACL; that will automatically restrict access.

Thanks

Ajay

You should have the /24 in the crypto ACL; that will automatically restrict access.

Ajay, in my first post I noted that we need to restrict access only on the central firewall, not on the branch offices with the help of the crypto ACL.

Do you really think that I didn't guess this simple solution regarding TCP state bypass?

Imagine that you have 30 branch offices and 30 IPsec tunnels to them. When you need to grant access to one host in the central office from all your regions, you must add this host to at least 31 crypto ACLs (30 on the central ASA and one ACL on the central ASA, if using an object-group)!!! It is extremely inconvenient!

I understand the pain of creating different crypto ACLs for different tunnels, but I never came across a better solution. However, TCP state bypass is not going to help in regards to restricting access. TCP state bypass is a way for the FW to act like a router, which does not do stateful inspection, and I don't think that fits your scenario.

You can still control access on center site by using vpn-filters.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Thanks

Ajay
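An added example of the vpn-filter approach from the accepted answer, written for this thread's addressing; it is not taken from the thread or from the linked Cisco document. The tunnel-group name BRANCH_PEER_IP, the group-policy name BRANCH-GP and the ACL name are placeholders. A vpn-filter ACL is written with the remote (branch) network as the source and the local network as the destination, and the ASA applies it to both directions of the tunnel, so the return path does not bypass it the way interface ACLs did here.

```cisco
! vpn-filter ACL: source = remote (branch) network, destination = central LAN.
! Deny the one central subnet this branch must not reach, then allow the
! rest of the crypto-ACL range (10.0.0.0/8). The implicit deny at the end
! drops anything not matched.
access-list BRANCH-VPN-FILTER extended deny ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list BRANCH-VPN-FILTER extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.0.0.0
!
! Group policy that carries the filter (placeholder name BRANCH-GP).
group-policy BRANCH-GP internal
group-policy BRANCH-GP attributes
 vpn-filter value BRANCH-VPN-FILTER
!
! Bind it to the branch L2L tunnel-group (placeholder: the peer address).
tunnel-group BRANCH_PEER_IP general-attributes
 default-group-policy BRANCH-GP
!
! One filter ACL can serve every branch: put the branch subnets in an
! object-group, use it as the ACL source, and bind the same group-policy
! to each tunnel-group.
!
! Verify from the CLI: the first flow should be dropped by the vpn-filter,
! the second allowed (constructed test hosts).
! packet-tracer input outside tcp 172.16.1.10 40000 10.1.1.10 80
! packet-tracer input outside tcp 172.16.1.10 40000 10.2.2.10 80
```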

Ajay, thank you for your advice!

vpn-filter works great!

It is a really useful tool for restricting access across a large number of IPsec tunnels with the help of only one ACL.
