[c-nsp] What's the value of ASA/FWSM TCP state bypass?
Ryan West
rwest at zyedge.com
Tue Nov 10 16:54:28 EST 2009
Hi,
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua
> Sent: Tuesday, November 10, 2009 4:42 PM
> To: Peter Rathlev
> Cc: cisco-nsp
> Subject: Re: [c-nsp] What's the value of ASA/FWSM TCP state bypass?
>
> I've always been leery of this feature; I've considered using it in the
> past to troubleshoot badly written apps that muck up TCP 3-way
> handshakes/4-way teardowns; I can see this as a quick & dirty mechanism
> to bypass the stateful inspection engine without taking the firewall
> logically out of the data path; I'd be careful with using this feature
> without serious consideration of the consequences; I also don't like the
> fact that it changes the default "stateful inspection" behavior.
>
> I'd also be interested to hear what other folks think about this.
>
I've used it when there is only a layer 2 switch at a branch office and a CE managed MPLS router is on the same segment. If the ASA is the default route in this scenario and traffic is sent to the MPLS router, the handshakes don't complete and the traffic is dropped. There are other ways around this, of course, but it's an option to allow the ASA to route on its inside interface before it examines the flow. Netscreens have no issue with this and Checkpoints just need to know about the internal network and they will route as well.
-ryan
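One way to confine the bypass to the asymmetric flows Ryan describes, as an added example that is not from the thread; the inside subnet, the remote MPLS-reached prefix and the interface name are assumptions:

```text
! Added example, not from the thread. Assumed: LAN 10.1.1.0/24 behind the
! ASA's "inside" interface, remote sites reached via the MPLS CE router in
! 10.2.0.0/16. Only TCP between those two ranges skips state tracking;
! every other flow keeps full stateful inspection.
access-list MPLS_BYPASS extended permit tcp 10.1.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list MPLS_BYPASS extended permit tcp 10.2.0.0 255.255.0.0 10.1.1.0 255.255.255.0
!
class-map MPLS_BYPASS_CLASS
 match access-list MPLS_BYPASS
!
! Bypassed connections are not normalized or sequence-checked, so give them
! a bounded idle timeout rather than letting them sit in the conn table.
policy-map MPLS_BYPASS_POLICY
 class MPLS_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
  set connection timeout idle 0:10:00
!
! Apply only on the interface where the one-directional traffic enters.
service-policy MPLS_BYPASS_POLICY interface inside
!
! Verify: connections built under the bypass carry the "b" flag.
show conn detail | include b
```

Flows outside the two ranges still hit the default inspection policy, so a misrouted host elsewhere on the segment is dropped and logged as before rather than silently forwarded.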