
Riverbed Steelhead through Cisco ASA

July 20th, 2010

Introduction

A Riverbed Steelhead is a WAN accelerator deployed when traffic crossing a WAN (e.g. MPLS, Frame Relay) needs to be optimized, hence the term "WAN acceleration". In a "standard" WAN consisting of WAN routers and LAN switches, the Steelhead typically sits inline between the WAN router and the LAN switch. The following is an illustration:

Site 1                              WAN             Site 2
LAN 1 -- SH1 -- WAN 1 Router -- MPLS/Frame Relay -- WAN 2 Router -- SH2 -- LAN 2

In some cases the WAN is a site-to-site IPsec VPN tunnel terminated on an ASA/PIX firewall. In that deployment the Steelhead sits between the ASA/PIX firewall and the LAN switches rather than between the routers and the switches, as illustrated below.

Site 1                        Internet          Site 2
LAN 1-- SH1 -- ASA/PIX 1 == IPSec VPN tunnel == ASA/PIX 2 --  SH2 -- LAN 2

Riverbed Steelhead Mechanism

Riverbed Steelhead optimizes the TCP SYN / SYN-ACK exchange between sites in order to achieve WAN optimization. By default, TCP option 76 is carried only in the SYN and SYN-ACK packets of each TCP connection; it is used for autodiscovery.

In addition, Riverbed Steelhead uses TCP option 78, which is carried in every TCP segment of a connection. This is necessary to allow the Steelheads to distinguish full-transparency packets.

Note that 76 and 78 are the default option numbers and can be changed through the Steelhead configuration. See the following official Riverbed documents (PDF files) for more information:

Riverbed Steelhead Technical Overview
Riverbed Steelhead Guide

Sample Configuration

Since the ASA/PIX firewall is a security device, specific configuration must be in place to permit TCP options 76 and 78, which Riverbed Steelhead relies on, whenever the Steelhead sits between the ASA/PIX firewall and the LAN switches.

The following is a sample configuration for ASA/PIX firewall version 7.0 or above:

! One access-list, tcp-map and class-map cover both options. A flow matches only
! one class per feature type in a policy-map, so a second class with an identical
! access-list would never get its tcp-map applied and option 78 would be cleared.
access-list Riverbed_TCP_Options extended permit tcp any any log
tcp-map Riverbed_TCP_Options_Tmap
 tcp-options range 76 76 allow
 tcp-options range 78 78 allow
class-map Riverbed_TCP_Options_Cmap
 match access-list Riverbed_TCP_Options
policy-map global_policy
 class Riverbed_TCP_Options_Cmap
  set connection advanced-options Riverbed_TCP_Options_Tmap

In many organizations the Riverbed Steelhead is configured to use TCP option 76 for both autodiscovery and full-transparency packets. In that case the sample configuration for ASA/PIX firewall version 7.0 or above is as follows:

access-list Riverbed_TCP_Option_76 extended permit tcp any any log
tcp-map Riverbed_TCP_Option_76_Tmap
 tcp-options range 76 76 allow
class-map Riverbed_TCP_Option_76_Cmap
 match access-list Riverbed_TCP_Option_76
policy-map global_policy
 class Riverbed_TCP_Option_76_Cmap
  set connection advanced-options Riverbed_TCP_Option_76_Tmap
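To verify that the options described in the Mechanism section actually survive the firewall, the practical check is to capture a SYN on the LAN side of each ASA and decode its TCP options. The following is an added example, not code from the article, Riverbed or Cisco: it parses the TCP option list of a raw segment, then models the effect of the two tcp-map variants above (my reading of the ASA normalizer: MSS, window scale, SACK and timestamp pass by default, any other option kind is cleared unless a "tcp-options range ... allow" covers it). The sample SYN and the option 76/78 payloads are constructed placeholders, not real Riverbed encodings; the parser itself is generic and works on any captured TCP header.

```python
import struct

# Well-known TCP option kinds (IANA TCP option registry)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_SACK, OPT_TS = 0, 1, 2, 3, 4, 5, 8
# Riverbed defaults as the article states them (both configurable on the Steelhead)
RIVERBED_AUTODISCOVERY = 76   # SYN / SYN-ACK only
RIVERBED_TRANSPARENCY = 78    # every segment of an optimized connection

# The article's two tcp-map variants, expressed as (lower, upper) "allow" ranges
TCP_MAP_76_AND_78 = [(76, 76), (78, 78)]
TCP_MAP_76_ONLY = [(76, 76)]


def parse_tcp_options(option_bytes):
    """Parse a TCP options field into a list of (kind, data) tuples.
    Malformed length fields raise ValueError rather than being guessed at."""
    opts, i, n = [], 0, len(option_bytes)
    while i < n:
        kind = option_bytes[i]
        if kind == OPT_EOL:          # end of option list; remainder is padding
            break
        if kind == OPT_NOP:          # single-byte option, no length field
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("option kind %d truncated (no length byte)" % kind)
        length = option_bytes[i + 1]
        if length < 2 or i + length > n:
            raise ValueError("option kind %d has invalid length %d" % (kind, length))
        opts.append((kind, bytes(option_bytes[i + 2:i + length])))
        i += length
    return opts


def build_tcp_options(opts):
    """Serialize (kind, data) tuples and pad to a 32-bit boundary with EOL."""
    out = bytearray()
    for kind, data in opts:
        if kind in (OPT_EOL, OPT_NOP):
            out.append(kind)
        else:
            out.extend((kind, 2 + len(data)))
            out.extend(data)
    while len(out) % 4:
        out.append(OPT_EOL)
    return bytes(out)


def parse_tcp_header(segment):
    """Parse a bare TCP header (IP header already stripped). Returns (fields, options)."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    fields = {"sport": sport, "dport": dport, "seq": seq,
              "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10)}
    return fields, parse_tcp_options(segment[20:data_offset])


def make_tcp_header(opts, syn=True, ack=False, sport=40000, dport=445):
    """Build a constructed TCP header carrying the given options (checksum left 0)."""
    option_bytes = build_tcp_options(opts)
    flags = (0x02 if syn else 0) | (0x10 if ack else 0)
    off_flags = (((20 + len(option_bytes)) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, off_flags, 65535, 0, 0) + option_bytes


# Option kinds the ASA normalizer passes with no tcp-map at all (assumption, see lead-in)
DEFAULT_ALLOWED = {OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_SACK, OPT_TS}


def apply_tcp_map(opts, allow_ranges):
    """Model of the normalizer: return (kept_options, cleared_kinds)."""
    kept, cleared = [], []
    for kind, data in opts:
        if kind in DEFAULT_ALLOWED or any(lo <= kind <= hi for lo, hi in allow_ranges):
            kept.append((kind, data))
        else:
            cleared.append(kind)
    return kept, cleared


def riverbed_status(segment, allow_ranges):
    """Report whether a segment's Riverbed options would survive the firewall policy."""
    fields, opts = parse_tcp_header(segment)
    kept, cleared = apply_tcp_map(opts, allow_ranges)
    kept_kinds = {k for k, _ in kept}
    return {"syn": fields["syn"],
            "autodiscovery_out": RIVERBED_AUTODISCOVERY in kept_kinds,
            "transparency_out": RIVERBED_TRANSPARENCY in kept_kinds,
            "cleared": cleared}


# Constructed sample SYN: MSS, a 10-byte option 76 and a 4-byte option 78 (placeholder payloads)
SAMPLE_SYN = make_tcp_header([(OPT_MSS, struct.pack("!H", 1460)),
                              (RIVERBED_AUTODISCOVERY, b"\x01" * 10),
                              (RIVERBED_TRANSPARENCY, b"\x02" * 4)])

if __name__ == "__main__":
    for name, ranges in (("no tcp-map", []), ("76 only", TCP_MAP_76_ONLY), ("76 and 78", TCP_MAP_76_AND_78)):
        print(name, riverbed_status(SAMPLE_SYN, ranges))
```

Running the block shows the three cases side by side: with no tcp-map both Riverbed options are cleared, the 76-only map keeps the autodiscovery probe but strips option 78 from every segment, and the combined map passes both. Feeding parse_tcp_header the TCP header bytes from a capture taken on the LAN side of the far-end ASA gives the same answer for real traffic.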

UPDATE:

Per James’s comment below:

Just dealt with this on an ASA 8.0.x, and we needed to add

service-policy policyname global
