[119729] in North American Network Operators' Group
Re: Finding asymmetric path
daemon@ATHENA.MIT.EDU (Duane Waddle)
Sat Nov 28 15:27:04 2009
In-Reply-To: <775962905-1259437326-cardhu_decombobulator_blackberry.rim.net-1366739286-@bda407.bisx.prod.on.blackberry>
Date: Sat, 28 Nov 2009 14:26:07 -0600
From: Duane Waddle <duane.waddle@gmail.com>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sat, Nov 28, 2009 at 1:41 PM, Brielle Bruns <bruns@2mbit.com> wrote:
> My partner Tammy says a PIX could probably accomplish the same task (we have some here for the corp lan stuff, including spares).
Yes, a PIX/ASA would stop this cold. The TCP state tracking would not
allow traffic to pass unless the whole 3-way handshake was observed by
the box. Only recently did Cisco add features to make tracking the
TCP connection state optional.
(http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf)
The larger ASA-5580 machines can be virtualized into dozens (or more)
security contexts as needed. I imagine it would take some effort to
figure out how to cleanly integrate such a configuration into a POP.
--D
