Category: Security

Annoying Cisco ASA/ASDM Bugs–Part 2

You might get an argument from Cisco that this one is a bug, but it sure is annoying:

On an ASA you can apply firewall rules in two places (in ASA 8.3 and above). Rules can be applied on an interface or globally. When applied on an interface they can operate on traffic entering the interface (incoming rules) or on traffic egressing the interface (outgoing rules).

When using ASDM to create a new rule, you can right-click on a rule and select Insert After to add a new rule after the existing right-clicked rule. When you do that you are presented with a dialog box allowing you enter the required details:

AddRule1

The dialog box presented allows the common details to be entered with an option to expand the dialog to include further options if needed. Selecting More Option reveals the following additional fields:

AddRule2

The second additional option allows the traffic direction to be set. In this example, the direction is set to In – that is the rule is an Incoming rule.

Unfortunately, the Traffic Direction is set to ‘In’ even if you are inserting a rule after an outgoing rule. If you don’t notice this, and with the unexpanded dialog box why should you, the rule is added in the wrong place and will not work as expected.

Annoying Cisco ASA/ASDM Bugs–Part 1

We have a number of Cisco ASA devices and on one high availability pair we run OSPF. We do this to allow us to exchange routes with our MPLS provider. When we first set this up we made use of ASDM to display the external routes in the OSPF database – that is type 5 LSAs. This was useful to verify that the expected routes were being redistributed to us from the providers BGP.

ospflsa

Unfortunately the display only listed a few LSAs with the majority missing. After some time chasing our tails to try to resolve the problem, we used the CLI to display the OSPF database and were surprised, but happy, to see all the external routes we had expected.

After some investigating we discovered that the list displayed by ASDM was being truncated at the first LSA with an address that matched an ASA object name. We reported this problem to Cisco and they accepted it as a bug (CSCtq48552 if you are interested).

Well, over a year later it still has not been fixed. I guess the moral from the story is: if in doubt use the CLI and having a bug accepted by Cisco does not mean it will ever get fixed.

TCP State bypass on a Cisco ASA

We have a few remote sites that directly connect to the primary data centre with fibre optic cables. A backup connection is provided using MPLS.

StateLess

If the fibre optic cable is cut (thankfully a not too common event) traffic is rerouted through the managed MPLS network and enters the data centre through an ASA firewall. Because the ASA has no information in its state table about in-flight connections, the TCP packets are dropped, temporarily disrupting the operation of the remote site.

For this scenario and for others where asymmetric traffic flow can occur it is possible to configure the ASA to bypass TCP state checking. Note that the traffic still has to be allowed by access-lists.

Step 1 – Identify the traffic

The first step is to identify the traffic for which you want to bypass TCP state inspection. This is done by creating an access list. In this example traffic flowing between subnets 10.1.0.0/16 and 10.2.0.0/16 is identified:

access-list StatelessTraffic remark Outbound Traffic
access-list StatelessTraffic extended permit tcp 10.1.0.0 255.255.0.0 10.12.0.0 255.255.0.0 log disable
access-list StatelessTraffic remark Inbound Traffic
access-list StatelessTraffic extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 log disable

Step 2 – Create a class map

A class map is created to match traffic using the access-list created in step 1

class-map tcp_bypass
  match access-list StatelessTraffic

Step 3 – Create the policy maps

A policy map defines the actions to be taken for traffic matching specified class maps. The policy map is applied to one or more interfaces or can be applied as a global policy. In this example two policy maps are used, one for the outgoing traffic (entering the Inside interface) and one for the incoming traffic (entering the MPLS interface):

policy-map Inside-policy
  class tcp_bypass 
    set connection timeout idle 0:15:00  
    set connection advanced-options tcp-state-bypass

policy-map MPLS-policy
  class tcp_bypass 
    set connection timeout idle 0:15:00  
    set connection advanced-options tcp-state-bypass

The two policies apply two settings for matching traffic. The first set statement modifies the idle timeout from the default (usually one hour) to 15 minutes (see below). The second set statement requests that state inspection of matching TCP traffic be bypassed.

Step 4 – Apply the policy maps to the interfaces

The last step is to apply the policy maps to the appropriate interfaces, in this case Inside and MPLS:

service-policy Inside-policy interface Inside
service-policy MPLS-policy interface MPLS

Idle Timeout Interval

The idle timeout interval is used to remove entries from the ASA state table for any connections which have been idle for a specified time, usually one hour. Normally TCP entries will be deleted when the ASA sees that the connection has been terminated (FIN or RST). However when TCP state bypass is enabled, this check is not done and all TCP sessions will remain in the state table until the idle timeout is reached. Reducing the idle timeout to 15 minutes will delete closed sessions earlier and reduce memory requirements.

Limitations

There are a number of limitations introduced when TCP bypass is enabled on an ASA. You should refer to the latest Cisco documentation to understand how they may impact your security before using this feature. In our case we only enable TCP bypass for traffic in  fairly rare and short lived cases and accept the limitations to provide a seamless failover to our remote users.