[c-nsp] redirect nexthop on ASA 5510

Christian Zeng christian at zengl.net
Wed Oct 24 10:53:49 EDT 2007


Hi,

* Moerman, Maarten <m.moerman at marktplaats.nl> wrote:
>Deny TCP (no connection) from 192.168.1.59/3389 to 192.168.2.92/3289
>flags SYN ACK  on interface inside

You already solved one design issue by allowing samesec-traffic
intra-interface.

The problem is asymmetric traffic flow. The first packet hits the server
directly; the reply to this (SYN/ACK) is sent from the server to the
firewall, which has no clue about that (it didn't see the first SYN).

One possible solution would be to create static routes on the servers
for the 192.168.2.x network, pointing to the gateway in that subnet, or
routing all traffic to the servers in that subnet via hostroutes to the
firewall.

You can also try to tamper with tcp maps and the established keyword in
ACLs, not sure if the firewall will allow tcp connections without a
known state to pass.


Christian
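
The asymmetric-path explanation above, as an added illustration (not part of Christian's post and not ASA code): a toy stateful connection table that only records a flow when it sees the initial SYN, fed first with the reply-only traffic the ASA sees on the broken path, then with both directions after the server has a route back through the firewall. Addresses, ports and the interface name are taken from the quoted log line; the `Packet` and `StatefulFirewall` classes and the verdict strings are simplified assumptions.

```python
"""Toy model of stateful inspection, showing why an asymmetric path
produces "Deny TCP (no connection) ... flags SYN ACK".

Added illustration, not ASA code: the state table, packet format and
verdict strings are simplified assumptions. The addresses and ports
match the log line quoted in the thread.
"""
from dataclasses import dataclass, field

SERVER = "192.168.1.59"   # from the quoted log line
CLIENT = "192.168.2.92"   # from the quoted log line


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: tuple   # e.g. ("SYN",) or ("SYN", "ACK"), in the order logged
    iface: str     # firewall interface the packet arrives on


@dataclass
class StatefulFirewall:
    """Minimal connection table (assumption): a flow exists only once the
    firewall has seen its initial SYN; any other packet for an unknown
    flow is denied with a 'no connection' verdict."""
    table: set = field(default_factory=set)

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # Both directions of a flow map to the same unordered key.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def inspect(self, p: Packet) -> str:
        key = self._key(p)
        if p.flags == ("SYN",):
            self.table.add(key)
            return "Built TCP connection"
        if key in self.table:
            return "Permit (existing connection)"
        # Reply or mid-stream packet for a flow the firewall never saw start.
        return (f"Deny TCP (no connection) from {p.src}/{p.sport} "
                f"to {p.dst}/{p.dport} flags {' '.join(p.flags)} "
                f"on interface {p.iface}")


def asymmetric_path() -> list:
    """The client's SYN reaches the server without crossing the firewall;
    only the server's SYN/ACK, following its default route, arrives there."""
    fw = StatefulFirewall()
    synack = Packet(SERVER, 3389, CLIENT, 3289, ("SYN", "ACK"), "inside")
    return [fw.inspect(synack)]


def symmetric_path() -> list:
    """After a static route on the server for the client subnet (or host
    routes for the servers via the firewall), both directions cross it."""
    fw = StatefulFirewall()
    syn = Packet(CLIENT, 3289, SERVER, 3389, ("SYN",), "inside")
    synack = Packet(SERVER, 3389, CLIENT, 3289, ("SYN", "ACK"), "inside")
    return [fw.inspect(syn), fw.inspect(synack)]


if __name__ == "__main__":
    print("asymmetric:", *asymmetric_path(), sep="\n  ")
    print("symmetric: ", *symmetric_path(), sep="\n  ")
```

The model deliberately leaves out the tcp-map and `established` knobs mentioned at the end of the post; it only shows the core point, that the verdict depends on whether the firewall recorded the SYN, which is exactly what the static routes fix by forcing both halves of the exchange through it.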

