[119740] in North American Network Operators' Group
Re: Finding asymmetric path
daemon@ATHENA.MIT.EDU (Arie Vayner)
Sun Nov 29 03:18:33 2009
In-Reply-To: <80e7195b0911281226yd219664haf5245812fa97b62@mail.gmail.com>
From: Arie Vayner <arievayner@gmail.com>
Date: Sun, 29 Nov 2009 10:17:18 +0200
To: Duane Waddle <duane.waddle@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Actually, this can be achieved easily using reflexive ACLs on any Cisco
router, so no real need to change the topology or add new devices in the
path:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#reflexacl
Arie
On Sat, Nov 28, 2009 at 10:26 PM, Duane Waddle <duane.waddle@gmail.com> wrote:
> On Sat, Nov 28, 2009 at 1:41 PM, Brielle Bruns <bruns@2mbit.com> wrote:
>
> > My partner Tammy says a PIX could probably accomplish the same task (we
> > have some here for the corp lan stuff, including spares).
>
> Yes, a PIX/ASA would stop this cold. The TCP state tracking would not
> allow traffic to pass unless the whole 3-way handshake was observed by
> the box. Only recently did Cisco add features to make tracking the
> TCP connection state optional.
> (http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf)
> The larger ASA-5580 machines can be virtualized into dozens (or more)
> security contexts as needed. I imagine it would take some effort to
> figure out how to cleanly integrate such a configuration into a POP.
>
> --D
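As an added illustration of the reflexive-ACL approach Arie points to (this is not configuration from his message or from the linked Cisco note), an IOS edge-interface setup that only admits inbound TCP/UDP/ICMP traffic whose outbound half this router saw leave; anything else hits the final deny and is logged, which is exactly the asymmetric-return traffic the thread wants to find. Interface name, inside prefix, peer address and ACL names are assumptions chosen for the example.

```cisco
! Assumed placeholders: Gi0/1 is the upstream-facing interface, 192.0.2.0/24
! the inside prefix, 198.51.100.1 an eBGP neighbour. Substitute real values.
!
! Global idle timeout (seconds) for dynamically created reflexive entries.
ip reflexive-list timeout 120
!
! Outbound ACL: each permitted flow leaving the router creates a mirrored,
! temporary entry in the named reflexive list.
ip access-list extended EDGE-OUT
 permit tcp 192.0.2.0 0.0.0.255 any reflect SEEN-TCP timeout 300
 permit udp 192.0.2.0 0.0.0.255 any reflect SEEN-UDP timeout 60
 permit icmp 192.0.2.0 0.0.0.255 any reflect SEEN-ICMP
 deny ip any any log
!
! Inbound ACL: static exceptions first, then only traffic matching an
! entry created by EDGE-OUT. Router-originated sessions (the BGP peering)
! are never evaluated by an outbound ACL, so they need explicit permits.
ip access-list extended EDGE-IN
 remark control-plane sessions with the upstream peer
 permit tcp host 198.51.100.1 any eq bgp
 permit tcp host 198.51.100.1 eq bgp any
 remark return traffic for flows this router saw leave
 evaluate SEEN-TCP
 evaluate SEEN-UDP
 evaluate SEEN-ICMP
 remark anything left has no outbound half on this box: asymmetric return
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group EDGE-OUT out
 ip access-group EDGE-IN in
```

Note that a reflexive entry is created by the first outbound packet that matches the reflect line, not by a completed handshake, so this is looser than the PIX/ASA state tracking Duane describes; the logged denies are still a direct list of flows whose forward path bypasses this router.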