Configuring TCP State Bypass

Similar documents
Connection Settings. What Are Connection Settings? management connections that go to the ASA.

Connection Settings. What Are Connection Settings? management connections that go to the ASA.

Information About NAT

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Configuring Service Policy Rules on Firewall Devices

KillTest. 半年免费更新服务

Troubleshooting the Security Appliance

Access Rules. Controlling Network Access

Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0)

Exam Actual. Higher Quality. Better Service! QUESTION & ANSWER

Troubleshooting. Testing Your Configuration CHAPTER

Applying Application Layer Protocol Inspection

Introduction to Cisco ASA Firewall Services

CISCO EXAM QUESTIONS & ANSWERS

Configuring Cisco Mobility Advantage

Managing Services Modules

tcp-map through type echo Commands

FTD: How to enable TCP State Bypass Configuration using FlexConfig Policy

Configuring the AIP SSM

Configuring the Botnet Traffic Filter

PrepKing. PrepKing

CCNA Course Access Control Lists

Configuring Static and Default Routes

Configuring Static and Default Routes

IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance

NAT Examples and Reference

NAT Examples and Reference

Configuring Inspection of Database and Directory Protocols

Configuring the Botnet Traffic Filter

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Configuring Interfaces (Transparent Mode)

CertifyMe. CertifyMe

Configuring Logging for Access Lists

Transparent or Routed Firewall Mode

ASA/PIX Security Appliance

PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands

Using Modular Policy Framework

ASA with CX/FirePower Module and CWS Connector Configuration Example

Introduction to the ASA

Configuring Logging for Access Lists

Web server Access Control Server

v Number: Passing Score: 800 Time Limit: 120 min File Version: 12.39

Completing Interface Configuration (Transparent Mode)

ASA 8.X and later: Add or Modify an Access List through the ASDM GUI Configuration Example

Firewall Mode Overview

Adding an IPv6 Access List

Exam Name: Implementing Cisco Edge Network Security Solutions

Transparent or Routed Firewall Mode

Configuring Special Actions for Application Inspections (Inspection Policy Map)

Permitting PPTP Connections Through the PIX/ASA

Cisco CCNP Security Exam

CISCO EXAM QUESTIONS & ANSWERS

Firewall Core for CCIE Candidates By Rafael Leiva-Ochoa

Enabling ALGs and AICs in Zone-Based Policy Firewalls

Cisco CCIE Security Written.

Exam : Title : Securing Networks with PIX and ASA. Ver :

Enabling ALGs and AICs in Zone-Based Policy Firewalls

Configuring Special Actions for Application Inspections (Inspection Policy Map)

Configuring DHCP, DDNS, and WCCP Services

Threat Detection. Detecting Threats. The following topics describe how to configure threat detection statistics and scanning threat detection.

CSC Network Security

Nested Class Map Support for Zone-Based Policy Firewall

Zone-Based Policy Firewall High Availability

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall.

ASA Access Control. Section 3

ASA 7.x/PIX 6.x and Above: Open/Block the Ports Configuration Example

Configuring Firewall TCP SYN Cookie

About This Guide. Document Objectives. Audience

Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

Recommended Network Configurations

CCNA Discovery 3 Chapter 8 Reading Organizer

PrepKing. PrepKing

Configuring Cisco Adaptive Security Appliance for SIP Federation

Object Groups for ACLs

Sun RPC ALG Support for Firewalls and NAT

Sun RPC ALG Support for Firewalls and NAT

Multihoming with BGP and NAT

Introduction to Firewall Services

Migration Best Practices for ASA 8.3/8.4

Fundamentals of Network Security v1.1 Scope and Sequence

Information About NAT

Firewall Stateful Inspection of ICMP

Configuration Examples

upgrade-mp through xlate-bypass Commands

Configuring Logging. Information About Logging CHAPTER

Firewalls, Tunnels, and Network Intrusion Detection

Sample Configurations

Cisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release

Unit 4: Firewalls (I)

Deploying and Troubleshooting Network Address Translation

Information About Routing

Static and Default Routes

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Testing and Troubleshooting

SecBlade Firewall Cards Attack Protection Configuration Example

Identity Firewall. About the Identity Firewall

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

ARP Inspection and the MAC Address Table for Transparent Firewall Mode

Configuring Inspection for Voice and Video Protocols

ASACAMP - ASA Lab Camp (5316)

Transcription:

CHAPTER 51 This chapter describes how to configure TCP state bypass, which lets outbound and inbound flows go through separate ASAs. This chapter includes the following sections: Information About TCP State Bypass, page 51-1 Licensing Requirements for TCP State Bypass, page 51-2 Guidelines and Limitations, page 51-2 Default Settings, page 51-3, page 51-3 Monitoring TCP State Bypass, page 51-4 Configuration Examples for TCP State Bypass, page 51-4 Feature History for TCP State Bypass, page 51-5 Information About TCP State Bypass By default, all traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and is either allowed through or dropped based on the security policy. The ASA maximizes the firewall performance by checking the state of each packet (is this a new connection or an established connection?) and assigning it to either the session management path (a new connection SYN packet), the fast path (an established connection), or the control plane path (advanced inspection). See the Stateful Inspection Overview section on page 1-13 for more detailed information about the stateful firewall. TCP packets that match existing connections in the fast path can pass through the ASA without rechecking every aspect of the security policy. This feature maximizes performance. However, the method of establishing the session in the fast path using the SYN packet, and the checks that occur in the fast path (such as TCP sequence number), can stand in the way of asymmetrical routing solutions: both the outbound and inbound flow of a connection must pass through the same ASA. For example, a new connection goes to ASA 1. The SYN packet goes through the session management path, and an entry for the connection is added to the fast path table. If subsequent packets of this connection go through ASA 1, then the packets will match the entry in the fast path, and are passed through. But if subsequent packets go to ASA 2, where there was not a SYN packet that went through 51-1

Licensing Requirements for TCP State Bypass Chapter 51 the session management path, then there is no entry in the fast path for the connection, and the packets are dropped. Figure 51-1 shows an asymmetric routing example where the outbound traffic goes through a different ASA than the inbound traffic: Figure 51-1 Asymmetric Routing ISP A ISP B Security appliance 1 Security appliance 2 Outbound?Traffic Return?Traffic Inside network 251155 If you have asymmetric routing configured on upstream routers, and traffic alternates between two ASAs, then you can configure TCP state bypass for specific traffic. TCP state bypass alters the way sessions are established in the fast path and disables the fast path checks. This feature treats TCP traffic much as it treats a UDP connection: when a non-syn packet matching the specified networks enters the ASA, and there is not an fast path entry, then the packet goes through the session management path to establish the connection in the fast path. Once in the fast path, the traffic bypasses the fast path checks. Licensing Requirements for TCP State Bypass Model All models License Requirement Base License. Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and transparent mode. 51-2

Chapter 51 Default Settings Failover Guidelines Failover is supported. Unsupported Features The following features are not supported when you use TCP state bypass: Application inspection Application inspection requires both inbound and outbound traffic to go through the same ASA, so application inspection is not supported with TCP state bypass. AAA authenticated sessions When a user authenticates with one ASA, traffic returning via the other ASA will be denied because the user did not authenticate with that ASA. TCP Intercept, maximum embryonic connection limit, TCP sequence number randomization The ASA does not keep track of the state of the connection, so these features are not applied. TCP normalization The TCP normalizer is disabled. SSM and SSC functionality You cannot use TCP state bypass and any application running on an SSM or SSC, such as IPS or CSC. NAT Guidelines Because the translation session is established separately for each ASA, be sure to configure static NAT on both ASAs for TCP state bypass traffic; if you use dynamic NAT, the address chosen for the session on ASA 1 will differ from the address chosen for the session on ASA 2. Default Settings TCP state bypass is disabled by default. This section describes how to configure TCP state bypass. Step 1 Step 2 Step 3 Command class-map name hostname(config)# class-map bypass_traffic match parameter hostname(config-cmap)# match access-list bypass policy-map name hostname(config)# policy-map tcp_bypass_policy Purpose Creates a class map to identify the traffic for which you want to disable stateful firewall inspection. Specifies the traffic in the class map. See the Identifying Traffic (Layer 3/4 Class Map) section on page 9-13 for more information. Adds or edits a policy map that sets the actions to take with the class map traffic. 51-3

Monitoring TCP State Bypass Chapter 51 Step 4 Step 5 Command class name hostname(config-pmap)# class bypass_traffic set connection advanced-options tcp-state-bypass Purpose Identifies the class map you created in Step 1 Enables TCP state bypass. hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass Step 6 service-policy policymap_name {global interface interface_name} hostname(config)# service-policy tcp_bypass_policy outside Activates the policy map on one or more interfaces. global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. Monitoring TCP State Bypass To monitor TCP state bypass, perform one of the following tasks: Command show conn Purpose If you use the show conn command, the display for connections that use TCP state bypass includes the flag b. Configuration Examples for TCP State Bypass The following is a sample configuration for TCP state bypass: hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any hostname(config)# class-map tcp_bypass hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall" hostname(config-cmap)# match access-list tcp_bypass hostname(config-cmap)# policy-map tcp_bypass_policy hostname(config-pmap)# class tcp_bypass hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass hostname(config-pmap-c)# service-policy tcp_bypass_policy outside hostname(config-pmap-c)# static (inside,outside) 209.165.200.224 10.1.1.0 netmask 255.255.255.224 51-4

Chapter 51 Feature History for TCP State Bypass Feature History for TCP State Bypass Table 51-1 lists the release history for this feature. Table 51-1 Feature History for TCP State Bypass Feature Name Releases Feature Information TCP state bypass 8.2(1) This feature was introduced. The following command was introduced: set connection advanced-options tcp-state-bypass. 51-5

Feature History for TCP State Bypass Chapter 51 51-6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback