10-12-2010 12:37 PM
Hi all,
I have a rather strange VPN architecture and some problems that I am not able to resolve:
- I use the SSL VPN gateway to allocate internal IP addresses of the local network described in the diagram (network 8.8.2.0 or 8.8.3.0 depending on the tunnel-group).
- The purpose is for VPN clients to gain direct access to the internal network.
This works fine as long as communications stay strictly within the internal network. However, we recently installed an application that needs access to both networks. No problem, I thought, but I was wrong: there seems to be a routing problem inherent to the architecture in place.
Let me explain the problem:
- When I connect to the VPN, I am given, for example, the 8.8.3.5 IP address.
- I run the application, which needs to open a page on the web server located at 8.8.2.120.
- The ASA receives my TCP SYN datagram and forwards it directly out the directly connected interface fa0/1 (based on the routing table).
- The web server sends back the response, but sends it to its default gateway, which is the Cisco 6509.
- The 6509 sends it out its SVI VLAN 2000.
- Finally the ASA receives it on its fa0/2 interface but seems to drop it, since it opened a TCP connection on fa0/1 and receives the response on fa0/2.
What I would like is for tunneled traffic to bypass connected routes and be forwarded to a tunnel default gateway. This would ensure that the path for the request and the response is the same.
I would like to know if there are debug commands for routing decisions to validate my theory.
Do you know of any way to resolve this problem?
Many thanks for your help.
10-12-2010 02:19 PM
Well first of all I'm not sure why not correct the routing.... ;-)
That being said TCP state bypass is what you're looking for as a workaround:
Marcin
10-13-2010 02:00 PM
Thanks for your help!
I did some tests on your workaround, but I can't apply this command and I don't quite understand how to apply it. The Cisco doc is a little confusing since there are two ASAs to configure, and it is not specified whether, in this example, the command needs to be configured on ASA 1 or on ASA 2.
On first thought, it seemed logical to me to apply TCP state bypass to the return traffic (i.e. 8.8.2.120 to 8.8.3.5), but it does not seem to work correctly. What I did:
hostname(config)# access-list tcp_bypass extended permit tcp 8.8.2.0 255.255.255.0 8.8.3.0 255.255.255.0
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# service-policy tcp_bypass_policy outside
Thanks for your help.
10-13-2010 04:25 PM
When setting up TCP state bypass, always think "which way is the SYN packet coming from?".
Routing failed messages always have a source and a destination; are you sure you copied the whole message?
BTW, instead of giving SSL clients addresses assigned to vlan2000, why not give them a separate subnet and route it back through the proper interface?
I'd also want to check your config and routing table :-)
Marcin
10-13-2010 04:38 PM
Can't we assign a specific route on the server itself that states that the route to the SSL VPN subnets exists through the ASA f0/1, rather than making the server use the default route that sends it to the Cisco 6509?
manish
10-14-2010 06:36 AM
That or a tunneled route could potentially be a solution.
Marcin
10-14-2010 12:53 PM
Yes, in fact I was relying on my memory to rewrite the log message, so it was only a part of the message.
A tunneled route did the job. I wrote:
hostname(config)# access-list tcp_bypass2 extended permit tcp 8.8.2.0 255.255.255.0 8.8.3.0 255.255.255.0
hostname(config)# access-list tcp_bypass extended permit tcp 8.8.3.0 255.255.255.0 8.8.2.0 255.255.255.0
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# match access-list tcp_bypass
hostname(config)# class-map tcp_bypass2
hostname(config-cmap)# match access-list tcp_bypass2
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# policy-map tcp_bypass_policy2
hostname(config-pmap)# class tcp_bypass2
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# service-policy tcp_bypass_policy outside
hostname(config-pmap-c)# service-policy tcp_bypass_policy2 inside2
hostname(config)# route inside2 0.0.0.0 0.0.0.0 8.8.3.254 tunneled
And that worked.
So many thanks to you two for your help.
As a side note, I cannot use a proper addressing scheme for the VPN client pool because I don't have control of the Cisco 6509, so for us the best solution was to have direct access to the internal network.
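A small Python model of the two paths discussed in this thread, added here as an illustration and not the poster's ASA configuration or any Cisco code: it reproduces the asymmetric drop from the original post, the first bypass ACL that only covered the reply direction, and the effect of the tunneled default route. The interface names and addresses come from the thread; the routing table, the 6509's hand-off on inside2 and the rule that a flow is classified only by its SYN are constructed simplifications of what the ASA does.

```python
import ipaddress

# Topology from the thread: fa0/1 = "inside" (8.8.2.0/24, the web server),
# fa0/2 = "inside2" (8.8.3.0/24, towards the 6509 SVI). Entries constructed.
ROUTES = [(ipaddress.ip_network("8.8.2.0/24"), "inside"),
          (ipaddress.ip_network("8.8.3.0/24"), "inside2")]
TUNNELED_DEFAULT = "inside2"  # route inside2 0.0.0.0 0.0.0.0 8.8.3.254 tunneled
CLIENT, SERVER = "8.8.3.5", "8.8.2.120"  # VPN client and web server from the post

def egress_for(dst, from_vpn, tunneled_default=None):
    """Decrypted VPN traffic takes the tunneled default route when one is
    configured; everything else is a longest-prefix match on the table."""
    if from_vpn and tunneled_default:
        return tunneled_default
    hits = [(n, i) for n, i in ROUTES if ipaddress.ip_address(dst) in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def matches_acl(acl, src, dst):
    """acl: list of (src_net, dst_net) pairs mirroring the poster's extended
    ACLs. Simplification: only the SYN's addresses are checked."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(s) and
               ipaddress.ip_address(dst) in ipaddress.ip_network(d)
               for s, d in acl)

def simulate(tunneled_default=None, bypass_acl=()):
    """One exchange: SYN in over the SSL VPN, reply back via the 6509.
    Returns 'forwarded' or a string saying why the reply was dropped."""
    # 1. SYN from the VPN client builds the connection entry: remember the
    #    egress interface and whether this flow is a tcp-state-bypass flow.
    conn = {"egress": egress_for(SERVER, True, tunneled_default),
            "bypass": matches_acl(bypass_acl, CLIENT, SERVER)}
    # 2. The server answers via its default gateway, the 6509, whose
    #    vlan2000 SVI delivers the reply to the ASA on inside2 (fa0/2).
    reply_in = "inside2"
    if conn["bypass"] or reply_in == conn["egress"]:
        return "forwarded"
    return "dropped: SYN left via %s, reply arrived on %s" % (conn["egress"], reply_in)

if __name__ == "__main__":
    print("no fix:            ", simulate())
    print("bypass, reply side:", simulate(bypass_acl=[("8.8.2.0/24", "8.8.3.0/24")]))
    print("bypass, SYN side:  ", simulate(bypass_acl=[("8.8.3.0/24", "8.8.2.0/24")]))
    print("tunneled route:    ", simulate(tunneled_default=TUNNELED_DEFAULT))
```

Only the last two cases forward the reply: the bypass ACL has to match the direction the SYN travels, and the tunneled route makes request and reply share inside2, which is why state bypass is no longer strictly needed once it is in place.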
10-14-2010 01:32 PM
Cool, glad it's working :-)
I think we can all agree it's not a very neat workaround, but at least a working one.
I wonder if you could squeeze those two ACLs into one ACL and one class-map and apply it under the global policy instead of a per-interface one.
Would make it a bit more readable. But hey, if it's working I understand you might not want to touch it.
Marcin
10-14-2010 01:54 PM
Well, yeah, I agree about this workaround, but with this type of architecture (quite an odd one in fact), this is the best that you two helped us find.
For the single ACL and the single class-map, I will try this tomorrow if I have some free time (it's 11 PM over here...).
Anyway, many thanks for your help.