Asymmetric routing in ASA – TCP state bypass

by Jimmy Larsson on February 1, 2010

Today I continued my work to fully understand MPF (Modular Policy Framework) and found a new cool feature in ASA 8.2: TCP State Bypass. By bypassing TCP state machine for certain traffic you can get around problems with asymettricrouting. In my home lab I built this scenario:

On my inside network I have this client host who wants to access the FTP-server on outside. However, there are multiple links between the networks and the routing seems to be assymmetric. My inside hosts outbound traffic leaves thru the router but the return traffic goes thru the firewall. What happens is that the ASA sees the SYN ACK return packet but havent seen the preceeding SYN-packet. The result is that it blocks the packet:

%ASA-2-106001: Inbound TCP connection denied from 192.168.1.50/21 to 10.0.11.100/59677 flags SYN ACK on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.1.50/21 to 10.0.11.100/59677 flags SYN ACK on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.1.50/21 to 10.0.11.100/59677 flags SYN ACK on interface outside

She solution to this is to configure a policy-map that makes an exception to this state-machine-thing and allows that return-traffic anyway. Lets rock!

First, make sure that the inbound traffic gets thru. Doing state-bypass doesnt mean that acls will be bypassed. Since this is return traffic we need to permit permit with the source-port being 21.


access-list acl_outside extended permit tcp host 192.168.1.50 eq ftp any
access-group acl_outside in interface outside
!

Next, define which traffic to do state-bypassing with. It happens to be the same layout as the acl above. ;)


access-list ACL-STATE-BYPASS extended permit tcp host 192.168.1.50 eq ftp any

Now, create a class-map, give it a fancy name and match the access-list above…


class-map state-bypass
match access-list ACL-STATE-BYPASS

Next, a policy-map which references the class-map above and sets the tcp-state-bypass advanced option.


policy-map POLICY-OUTSIDE
class state-bypass
set connection advanced-options tcp-state-bypass

Finally. Apply it. Since its all about inbound traffic it needs to be applied to outside interface. Remember, if you already hava an service-policy for that interface, addit to that existing policy…

service-policy POLICY-OUTSIDE interface outside

Now, when trying to access my outside FTP-server from my inside client it works. I get this in the ASA-log:


%ASA-6-302303: Built TCP state-bypass connection 47 from outside:192.168.1.50/21 (192.168.1.50/21) to inside:10.0.11.100/37781 (10.0.11.100 /37781)

As you can see I get hitcounts in both access-lists:

fw1# sh access-list acl_outside
access-list acl_outside; 1 elements; name hash: 0xdcd74233
access-list acl_outside line 1 extended permit tcp host 192.168.1.50 eq ftp any (hitcnt=1) 0x6863abc6
fw1# sh access-list ACL-STATE-BYPASS
access-list ACL-STATE-BYPASS; 1 elements; name hash: 0xbe9fc05e
access-list ACL-STATE-BYPASS line 1 extended permit tcp host 192.168.1.50 eq ftp any (hitcnt=1) 0xad18b614
fw1#

Voila! Or “Vålla” as we say in Sweden!

{ 38 comments }

controltitle April 10, 2010 at 20:43

xanax xr suhtv ultram for pain control 8DD buy cialis yeqh cialis sales >:-((( cheap generic cialis cvxod

polyester April 12, 2010 at 17:07

genericviagra :-) )) long term effects of xanax rwk depakote %-( buy xanax evgdh

terry April 12, 2010 at 20:14

xanax 8-]] tramadol hcl >:-]]] cheap prices on cialis 565673 generic cialis swer

daria April 14, 2010 at 18:54

generic cialis 444 buy depakote 8-DDD xanax >:-DDD generic ultram tcwd cialis and zoloft delayed ejaculation alternatives 8-]]]

inessa April 14, 2010 at 20:20

generic viagra ntds ultram 5202 order depakote %DD buy valium online cheap %-DDD xanax prescriptions %DDD

widemktgbtnlink April 15, 2010 at 00:00

quick order valium %((( xanax xr =(( viagra %[[ tramadol hcl nsrhbn

expressrcparts April 16, 2010 at 17:45

gulf life insurance 4432 super slots casino 486 home insurance coverage 07422 cheap auto insurance aogzj car insurence 518311 slots 513066

Zex3it April 17, 2010 at 00:52

tramadol without prescription – tramadol without prescription buy over the counter, buy tramadol without prescription on line without a prescription.

http://pillsreview.net/i/tramadol/1_glam.png

tra tramadol hcl cheapest proffessional, good discount, without prescription. generic cheap price for tramadol without prescription in Michigan .

aiman April 21, 2010 at 18:04

acomplia 939 buy accutane 8) cialis 38876 ambien sleeping pill =( discount xanax 326495

risiko009 April 21, 2010 at 19:47

propecia srwuy cialis and zoloft delayed ejaculation alternatives :[[ accutane dlkmqi accutane bfek what is valium %DDD xanax online :(

nicglbiafx April 24, 2010 at 00:28

I am havingt a harf yime reading bloglg.vkitsofta.nu inn SeaMonkey 6..6, I just figuerd I would let you know!!

greew vides

xdqrbpiotj April 24, 2010 at 08:44

I cwn’t read blogg.kvistofta.nu in Safari 9.4, ust figured IO would tell you aboug it

vdeiols ojpine

yidcvxreni April 25, 2010 at 15:49

I am haging a tough time seeing blogg.kvistofta.nu in Firefox 6.3, I just thougjt I miigyht tell you aboiut it?

video sitess

senseidude April 27, 2010 at 18:07

retin :-OO accutane 144454 phentermine online %P xanax >:((

mikihiko April 27, 2010 at 21:11

cheap propecia generic 904 accutane :-) )) cialis generic 259817 ambien >:OOO xanax >:-)))

Pharmf251 April 29, 2010 at 13:19

Hello! dcecead interesting dcecead site!

Pharmk217 April 29, 2010 at 13:19

Very nice site! cheap viagra

Pharmb94 April 29, 2010 at 13:19

Very nice site! [url=http://apxoiey.com/qoxsqt/2.html]cheap cialis[/url]

Pharma904 April 29, 2010 at 13:20

Very nice site!

Pharmd116 April 29, 2010 at 13:20

Very nice site! cheap viagra , cheap viagra , cheap viagra , cheap viagra , cheap viagra ,

arielsfriend April 29, 2010 at 17:58

acomplia erw discounted phentermine dsj cialis :OO buy tramadol us pharmacies 585424 actos aciphex aciphex aciphex imitrex %-[[[

mizzteacup April 30, 2010 at 17:29

acomplia diet pill fbqp plavix and aciphex 680906 tramadol >:]] cheap online aciphex 1692 ambien 8-OO

tachatje May 1, 2010 at 00:32

propecia qagqbt phentermine vjpksa acomplia >:DD accutane online slwchq ambien sleep eating =-DDD

Knslrxdj May 2, 2010 at 04:21

comment3:& hydrocodone lol ohngzbu

Iqfyohmc May 2, 2010 at 04:22

That is amazingVS [url=http://www.d3kicks.com/forum/read.php?1,30242&q3=1]viagra[/url] xcioyat

Rshwtqfe May 2, 2010 at 04:23

comment4; buy viagra bhatpex

Zuicthbk May 2, 2010 at 04:25

your comment1;; diazepam gpvohad

Timdvkop May 2, 2010 at 04:26

comments!! [url="http://www.d3kicks.com/forum/read.php?1,30240&q3=1"]cheap fioricet[/url] vntqwlr

seo lace May 2, 2010 at 11:27

I am having a toughh time reafing blogg.kvistofvta.nu in Opera 1.7, just figured I might tell yu about it?

tramadol May 2, 2010 at 19:42

Hello!
tramadol , phentermine , xanax , viagra , cialis ,

Xqjphkdw May 3, 2010 at 01:32

comment1!!! cheapest cialis :-D iouawyb

Xdjyrkmb May 3, 2010 at 01:32

You’re just awesome* [url=http://www.d3kicks.com/forum/read.php?1,30258&q3=2]cheap propecia[/url] jpvbxms

Vuypghlz May 3, 2010 at 01:32

your comments5:+ fioricet kdwbyat

Akmscrgi May 3, 2010 at 01:32

Hello,- [url="http://www.d3kicks.com/forum/read.php?1,30239&q3=2"]buy diazepam[/url] dfyekps

federal grants May 3, 2010 at 05:25

Keep up the good work, I like your writing.

Tkqicegj May 3, 2010 at 22:23

comment 5:VS buy fioricet :) )) cvbgmsu

Psqytbfw May 3, 2010 at 22:23

I answer you… [url=http://www.d3kicks.com/forum/read.php?1,30238&q3=3]buy hydrocodone[/url] lexhzpr

Hvmqukbs May 3, 2010 at 22:24

comment 3:$ cheapest cialis lekqzbu

Comments on this entry are closed.

Previous post:

Next post: