Hi Mike, good point. The results of the command I used to test this I find are reliable, but that is exactly the point here: the return traffic should not be hitting the class map as there was no initiating traffic to create state in the FW. If the return traffic was in response to a connection that matched the class map based on 'match port', then it would be matching the entry in the state table and use the same policy map that the initial traffic did.

Thanks
Ben

On Thu, Sep 13, 2012 at 2:35 PM, Mike Rojas <[email protected]> wrote:

> Hey
>
> If there is a flow already started on the ASA firewall, the return packets
> will hit whatever policy you have defined for the initial flow. That's
> the idea of a stateful firewall.
>
> I'm not quite sure how accurate the show service-policy flow is in regards
> to already established flows, but you can easily confirm that using
> authentication over BGP across the firewall. You will only need to allow
> one side, and you know the other peer is also using TCP option 19. Using the
> port should be as good as using the ACL; the ACL will just narrow it
> down.
>
> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml
>
> Sent from my iPhone
>
> On Sep 12, 2012, at 10:25 PM, "Ben Shaw" <[email protected]> wrote:
>
> > Hi All
> >
> > Having a look at the class-map command 'match port', it seems to me that
> > this command only matches the destination port of a UDP or TCP flow. As an
> > example, I configured a class map to match port 179 in order to configure
> > TCP parameters on the global policy to get BGP authentication working.
> > Below is the relevant configuration:
> >
> > tcp-map tmap1
> >  tcp-options range 19 19 allow
> > class-map BGP
> >  match port tcp eq bgp
> > policy-map global_policy
> >  class BGP
> >   set connection random-sequence-number disable
> >   set connection advanced-options tmap1
> >
> > When I test the functionality of this configuration with the "show
> > service-policy flow" command in either direction, I get the following:
> >
> > Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 50000 host 174.1.127.5 eq 179
> >
> > Global policy:
> >   Service-policy: global_policy
> >     Class-map: BGP
> >       Match: port tcp eq bgp
> >       Action:
> >         Input flow:  set connection random-sequence-number disable
> >                      set connection advanced-options tmap1
> >     Class-map: class-default
> >       Match: any
> >       Action:
> >         Input flow:
> >
> > Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 179 host 174.1.124.5 eq 50000
> >
> > Global policy:
> >   Service-policy: global_policy
> >     Class-map: class-default
> >       Match: any
> >       Action:
> >         Input flow:
> >
> > Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 50000 host 174.1.124.5 eq 179
> >
> > Global policy:
> >   Service-policy: global_policy
> >     Class-map: BGP
> >       Match: port tcp eq bgp
> >       Action:
> >         Input flow:  set connection random-sequence-number disable
> >                      set connection advanced-options tmap1
> >     Class-map: class-default
> >       Match: any
> >       Action:
> >         Input flow:
> >
> > Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 179 host 174.1.127.5 eq 50000
> >
> > Global policy:
> >   Service-policy: global_policy
> >     Class-map: class-default
> >       Match: any
> >       Action:
> >         Input flow:
> >
> > As can be seen above, the BGP class map is matched regardless of which
> > side of the firewall the peering is initiated on, but not for TCP response
> > packets (source port 179).
> >
> > As a side note - it would seem, considering that the BGP peering still
> > forms with this configuration, that allowing TCP option 19 and disabling
> > TCP randomization is only required for traffic from the initiating peer
> > (to destination port 179) and not required for TCP response packets.
> >
> > But what about other situations where it is important that both
> > directions of a flow are matched by the class map - initiating traffic to
> > the destination port defined in the class map, and response traffic from
> > the same port? In such a case the 'match port' command is not suitable,
> > as it will not match return traffic using the defined port as the source
> > port. It is required to use an ACL like the one below:
> >
> > access-list BGP extended permit tcp any eq bgp any
> > access-list BGP extended permit tcp any any eq bgp
> > class-map BGP
> >  match access-list BGP
> >
> > As can be seen below, the flow is now matched in both directions:
> >
> > Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 50000 host 174.1.127.5 eq 179
> >
> > Global policy:
> >   Service-policy: global_policy
> >     Class-map: BGP
> >       Match: access-list BGP
> >         Access rule: permit tcp any any eq bgp
> >       Action:
> >         Input flow:  set connection random-sequence-number disable
> >                      set connection advanced-options tmap1
> >     Class-map: class-default
> >       Match: any
> >       Action:
> >         Input flow:
> >
> > Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 179 host 174.1.124.5 eq 50000
> >
> > Global policy:
> >   Service-policy: global_policy
> >     Class-map: BGP
> >       Match: access-list BGP
> >         Access rule: permit tcp any eq bgp any
> >       Action:
> >         Input flow:  set connection random-sequence-number disable
> >                      set connection advanced-options tmap1
> >     Class-map: class-default
> >       Match: any
> >       Action:
> >         Input flow:
> >
> > Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 50000 host 174.1.124.5 eq 179
> >
> > Global policy:
> >   Service-policy: global_policy
> >     Class-map: BGP
> >       Match: access-list BGP
> >         Access rule: permit tcp any any eq bgp
> >       Action:
> >         Input flow:  set connection random-sequence-number disable
> >                      set connection advanced-options tmap1
> >     Class-map: class-default
> >       Match: any
> >       Action:
> >         Input flow:
> >
> > Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 179 host 174.1.127.5 eq 50000
> >
> > Global policy:
> >   Service-policy: global_policy
> >     Class-map: BGP
> >       Match: access-list BGP
> >         Access rule: permit tcp any eq bgp any
> >       Action:
> >         Input flow:  set connection random-sequence-number disable
> >                      set connection advanced-options tmap1
> >     Class-map: class-default
> >       Match: any
> >       Action:
> >         Input flow:
> >
> > Anyway, this did start as a question to clarify my understanding, but I
> > seem to have answered my own question and thought it may be worthwhile
> > sharing anyway. Of note is that if you need to apply some kind of advanced
> > policy to the traffic of a TCP/UDP flow bidirectionally, the 'match port'
> > command is not suitable, as it will only work in one direction; you will
> > need something like an ACL matching the port as both a source and a
> > destination port.
> >
> > Ben
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training,
> > please visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out
> > www.PlatinumPlacement.com
>
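The following is an added Python model of the classification rule the thread arrives at; it is not ASA code and was not posted by either participant. It reproduces the eight "show service-policy flow" results above under one stateless packet classifier: a 'match port' criterion compares only the destination port, while a 'match access-list' criterion tests the first ACE, in order, whose source and destination ports fit. The addresses, ports, class name and the two ACL lines are those from the thread; the Flow/Ace/MatchPort/MatchAcl types, the cut-down ACE parser (only 'any', 'host A' and 'eq PORT') and the helper names are assumptions made for this illustration.

```python
"""Added model of ASA MPF class-map classification (not ASA code).
'match port' tests the destination port only; 'match access-list' tests
whichever ports the ACE names.  Like 'show service-policy flow', it looks at
one packet's 5-tuple and consults no connection table."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"bgp": 179}  # assumption: only the service name used in the thread


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The reply direction: addresses and ports swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


@dataclass(frozen=True)
class Ace:
    """permit PROTO SRC [eq P] DST [eq P]; None stands for 'any'."""
    text: str
    proto: str
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, f: Flow) -> bool:
        return (f.proto == self.proto
                and self.src in (None, f.src) and self.sport in (None, f.sport)
                and self.dst in (None, f.dst) and self.dport in (None, f.dport))


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit tcp any eq bgp any'.
    Constructed subset of ASA ACL syntax: 'any' / 'host A' endpoints, 'eq' only."""
    toks = line.split()
    toks = toks[toks.index("permit"):]          # drop 'access-list NAME extended'
    proto, i = toks[1], 2

    def endpoint() -> Tuple[Optional[str], Optional[int]]:
        nonlocal i
        if toks[i] == "any":
            addr, i = None, i + 1
        elif toks[i] == "host":
            addr, i = toks[i + 1], i + 2
        else:
            raise ValueError("unsupported endpoint: " + toks[i])
        port = None
        if i < len(toks) and toks[i] == "eq":
            port, i = _port(toks[i + 1]), i + 2
        return addr, port

    src, sport = endpoint()
    dst, dport = endpoint()
    return Ace(" ".join(toks), proto, src, sport, dst, dport)


@dataclass(frozen=True)
class MatchPort:
    """class-map 'match port PROTO eq PORT': destination port only (thread's finding)."""
    proto: str
    port: int

    def describe(self, f: Flow) -> Optional[str]:
        if f.proto == self.proto and f.dport == self.port:
            return f"port {self.proto} eq {self.port}"
        return None


@dataclass(frozen=True)
class MatchAcl:
    """class-map 'match access-list NAME': first ACE that matches, in order."""
    name: str
    aces: Tuple[Ace, ...]

    def describe(self, f: Flow) -> Optional[str]:
        for ace in self.aces:
            if ace.matches(f):
                return f"access-list {self.name} ({ace.text})"
        return None


Policy = List[Tuple[str, object]]


def classify(policy: Policy, f: Flow) -> List[Tuple[str, str]]:
    """(class, match) pairs a packet hits, in policy order, ending with class-default."""
    hits = []
    for name, criterion in policy:
        desc = criterion.describe(f)
        if desc is not None:
            hits.append((name, desc))
    return hits + [("class-default", "any")]


def classes_hit(policy: Policy, f: Flow) -> List[str]:
    return [name for name, _ in classify(policy, f)]


def bidirectional(policy: Policy, f: Flow) -> bool:
    """True only if the packet and its reply both hit a non-default class."""
    return all(len(classify(policy, d)) > 1 for d in (f, f.reverse()))


# The four packets tested in the thread (BGP between 174.1.124.5 and 174.1.127.5).
FLOWS = (
    Flow("tcp", "174.1.124.5", 50000, "174.1.127.5", 179),
    Flow("tcp", "174.1.127.5", 179, "174.1.124.5", 50000),
    Flow("tcp", "174.1.127.5", 50000, "174.1.124.5", 179),
    Flow("tcp", "174.1.124.5", 179, "174.1.127.5", 50000),
)
MATCH_PORT_POLICY: Policy = [("BGP", MatchPort("tcp", 179))]
ACL_POLICY: Policy = [("BGP", MatchAcl("BGP", tuple(parse_ace(l) for l in (
    "access-list BGP extended permit tcp any eq bgp any",
    "access-list BGP extended permit tcp any any eq bgp",
))))]

if __name__ == "__main__":
    for label, policy in (("match port", MATCH_PORT_POLICY), ("match access-list", ACL_POLICY)):
        print(f"== {label} ==")
        for f in FLOWS:
            hits = ", ".join(f"{n} [{d}]" for n, d in classify(policy, f))
            print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}: {hits}")
        print("bidirectional:", bidirectional(policy, FLOWS[0]))
```

The model deliberately has no connection table, which is exactly Ben's caveat about the show command: it tells you which class a packet would be classified into on its own, not what happens to the reply of a connection the ASA has already built state for. Use it (or the real command) to check the classification rule; use a live peering, as Mike suggests, to check the stateful behaviour.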
