02-07-2012 12:02 AM - last edited on 02-21-2020 11:51 PM by cc_security_adm
Hello!
We have problems on the central firewall with restricting traffic coming from remote offices over IPsec. (The network scheme is attached.)
All branch offices are connected to the central ASA through IPsec.
The main aim is to control access from branch offices only on the central firewall, NOT on each IPsec tunnel.
According to the scheme:
The aim is to
When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is OK - they are dropped by acl2.
When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is the stateful firewall - traffic bypasses all access lists on the return path.
I thought that the TCP State Bypass feature could solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
The central ASA 5500 is configured according to the Cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
class-map tcp_bypass_map
description "TCP traffic that bypasses stateful firewall"
match access-list tcp_bypass_acl
!
policy-map tcp_bypass_policy
class tcp_bypass_map
set connection advanced-options tcp-state-bypass
!
service-policy tcp_bypass_policy interface outside
service-policy tcp_bypass_policy interface inside
Does anyone know how to make TCP State Bypass work properly?
02-07-2012 04:58 AM
TCP bypass is not required.
You should have /24 in crypto ACL that will automatically restrict access.
Thanks
Ajay
02-07-2012 05:57 AM
You should have /24 in crypto ACL that will automatically restrict access.
Ajay, in my first post I noted that we need to restrict access only on the central firewall, not on the branch offices with the help of crypto ACLs.
Do you really think that I didn't guess about this simple solution, regarding TCP state bypass?
Imagine that you have 30 branch offices and 30 IPsec tunnels to them. When you need to grant access to one host in the central office from all your regions, you must add this host to at least 31 crypto ACLs (30 at the central ASA and one ACL at the central ASA, if using an object-group)!!! It is extremely inconvenient!
02-07-2012 08:01 AM
I understand the pain of creating different crypto ACLs for different tunnels, but I have never come across a better solution. However, TCP state bypass is not going to help in regards to restricting access. TCP state bypass is a way for the FW to act like a router, which does not do stateful inspection, and I don't think that fits your scenario.
You can still control access on the central site by using vpn-filters.
Thanks
Ajay
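The vpn-filter approach from the answer above, as an added configuration example that is not part of the original thread or of Cisco's documentation. It assumes the central LAN 10.1.1.0/24 from the question, a second branch subnet 172.16.2.0/24, the peer address 203.0.113.10, and the object-group, ACL and group-policy names, all of which are illustrative. The point it shows is that one ACL, attached to a group-policy that every LAN-to-LAN tunnel-group inherits, controls access for all branches, so granting a new central host to every region is a single access-list line rather than 31 crypto ACL edits.

```cisco
! Added example, not the thread's own configuration. Names, the second branch
! subnet and the peer address are assumptions for illustration.
!
! Central LAN: 10.1.1.0/24 (from the thread). Branch LANs: one entry per branch.
object-group network BRANCH_LANS
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.2.0 255.255.255.0
!
! A vpn-filter ACL is written with the REMOTE (tunnel) side as the source and the
! central LAN as the destination. The ASA applies it to decrypted traffic leaving
! the tunnel and to cleartext traffic about to enter it, so one ACL covers both
! directions. For a connection the central site opens toward a branch the ASA still
! evaluates the rule with the branch as "source", so the branch-side port goes in
! the source-port position (third permit line: central host 10.1.1.20 may SSH to
! any branch host, but branches cannot SSH to 10.1.1.20).
access-list BRANCH_VPN_FILTER extended permit tcp object-group BRANCH_LANS host 10.1.1.10 eq 443
access-list BRANCH_VPN_FILTER extended permit icmp object-group BRANCH_LANS 10.1.1.0 255.255.255.0
access-list BRANCH_VPN_FILTER extended permit tcp object-group BRANCH_LANS eq 22 host 10.1.1.20
access-list BRANCH_VPN_FILTER extended deny ip any any log
!
! Attach the filter to a group-policy and make that policy the default for every
! L2L tunnel-group; the filter is then inherited by all branches.
group-policy BRANCH_L2L_GP internal
group-policy BRANCH_L2L_GP attributes
 vpn-filter value BRANCH_VPN_FILTER
!
! One tunnel-group per branch peer (peer address assumed); repeat per branch.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy BRANCH_L2L_GP
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key ********
!
! Verification after a branch brings the tunnel up: confirm the session inherited
! BRANCH_L2L_GP and watch the hit counts on the filter ACL.
! show vpn-sessiondb detail l2l
! show access-list BRANCH_VPN_FILTER
```

Two caveats a practitioner would want. First, do not reuse an ACL that is bound to an interface with access-group as a vpn-filter; the direction and port semantics differ, as the comments above show. Second, the reason the interface ACL in the question never saw the branch-to-central traffic is that the ASA by default bypasses interface ACLs for decrypted VPN traffic (sysopt connection permit-vpn); disabling that with `no sysopt connection permit-vpn` would make the outside interface ACL apply to all VPN traffic, including any remote-access tunnels, so the per-group vpn-filter is usually the narrower control.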
02-07-2012 10:55 PM
Ajay, thank you for your advice!
vpn-filter works great!
It is really a very useful tool for restricting access across a large number of IPsec tunnels with the help of only one ACL.