TCP State Bypass.
My studies are going slow a present as work is very busy! Not a bad thing really I was faced with an interesting problem last week at work. We installed a new site (site B) and it was required to talk with Site A. At Site A we have two firewalls; one is mainly used for remote access for sales and home workers the other for as an internal VPN between Site A and the Data Centre.
An IPsec VPN was set up from Site A to Site B, all traffic coming from Site B needed to go through a LAN analyzer (this monitor all LAN traffic and activity, it also caches data making it quicker for users to access data files at Site A)
First we put a route on the internal firewall at Site A, pointing to Site B via the public firewall.
FW_Private(config)# route inside 192.168.201.0 255.255.255.0 192.168.200.253
Next we had to enable TCP State Bypass., this was a feature put on the firmware 8.2.
TCP state bypass is a feature where the firewall will disable its TCP inspection for certain traffic types. This is used when there are asymmetric traffic flows that will cause the ASA to reset the connection because the ASA is only inspecting one direction of the traffic.
Put in the ACL
FW_Private(config)#access-list tcp_bypass extended permit tcp 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0 log
Then create the class map.
FW_Private(config)# class-map tcp_bypass
FW_Private(config-cmap)# description “Traffic to 192.168.201.0”
FW_Private(config-cmap)# match access-list tcp_bypass
Next the policy.
FW_Private(config-cmap)# policy-map tcp_bypass_policy
FW_Private(config-pmap)# class tcp_bypass
This then enables the TCP State Bypass.
FW_Private(config-pmap-c)# set connection advanced-options tcp-state-bypass
And apply to the interface.
FW_Private(config-pmap-c)# service-policy tcp_bypass_policy inside
To verify this is working on the private firewall at Site A do a “sh conn”, this displays connections that use TCP state bypass includes the flag “b.”
TCP inside 192.168.200.247:38140 inside 192.168.201.4:1075, idle 0:24:29, bytes 1836, flags b
TCP inside 192.168.200.247:57768 inside 192.168.201.4:135, idle 0:24:30, bytes 590, flags b
TCP inside 192.168.200.247:57767 inside 192.168.201.4:135, idle 0:24:30, bytes 96, flags b
TCP inside 192.168.200.247:38135 inside 192.168.201.4:1075, idle 0:24:31, bytes 1996, flags b
I also upgraded my Visio shapes to real Cisco ones, i have to say they are really great!!!!
They can be download here from Cisco.