{"id":959,"date":"2010-07-20T13:17:51","date_gmt":"2010-07-20T12:17:51","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=959"},"modified":"2012-02-03T07:18:11","modified_gmt":"2012-02-03T07:18:11","slug":"riverbed-steelhead-through-cisco-asa","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=959","title":{"rendered":"Riverbed Steelhead through Cisco ASA"},"content":{"rendered":"

Introduction<\/strong><\/p>\n

Riverbed Steelhead as WAN accelerator is deployed in WAN environment when traffic between WAN network (i.e. MPLS, Frame Relay) need to be optimized, hence creating so-called “WAN acceleration”. With “standard” WAN network consists of WAN routers and LAN switches, typically the Riverbed Steelhead is in place inline between the WAN routers and LAN switches.\u00a0 The f9llowing is an illustration:<\/p>\n

Site 1                              WAN             Site 2\r\nLAN 1 -- SH1 -- WAN 1 Router -- MPLS\/Frame Relay -- WAN 2 Router -- SH2 -- LAN 2<\/pre>\n
In  some cases, this WAN network consist of site-to-site IPSec VPN tunnel  where ASA\/PIX Firewall is used as the IPSec VPN termination. Instead of  between routers and switches, the Riverbed Steelhead is in place between  the ASA\/PIX Firewall and the LAN switches in case of the site-to-site  IPSec VPN tunnel with ASA\/PIX Firewall as the IPSec VPN termination.  Following is an illustration.<\/p>\n
Site 1                        Internet          Site 2\r\nLAN 1-- SH1 -- ASA\/PIX 1 == IPSec VPN tunnel == ASA\/PIX 2 --  SH2 -- LAN 2<\/pre>\n
Riverbed  Steelhead Mechanism<\/strong><\/p>\n
Riverbed Steelhead optimizes TCP SYN and  SYN-ACK transaction between sites in order to achieve the so-called WAN  optimization. By default, TCP option 76 is only carried in the SYN and  SYN-ACK packets of each TCP connection. This is used for autodiscovery.<\/p>\n
In  addition, Riverbed Steelhead uses TCP option 78 that is carried in  every TCP segment of a connection. This is necessary to allow the  Steelheads distinguish full transpareny packets.<\/p>\n
Note that the  above 76 and 78 option numbers are the default values, and that they can  be changed through the Steelhead configuration. Check out the following  official Riverbed links for more info (PDF file).<\/p>\n
Riverbed Steelhead Technical Overview<\/a>
\nRiverbed Steelhead Guide<\/a><\/p>\n
Sample  Configuration<\/strong><\/p>\n
Since ASA\/PIX Firewall by default is a security  device, there must be specific configuration in place to permit TCP  option 76 and TCP option 78 as that is used by Riverbed Steelhead to be  operational, should the Steelhead is in place between ASA\/PIX Firewall  and LAN switches.<\/p>\n
Following is sample configuration using ASA\/PIX  Firewall version 7.0 or above:<\/p>\n
access-list Riverbed_TCP_Option_76 extended permit tcp any any log
\naccess-list Riverbed_TCP_Option_78 extended permit tcp any any log
\ntcp-map Riverbed_TCP_Option_76_Tmap
\ntcp-options range 76 76 allow
\ntcp-map Riverbed_TCP_Option_78_Tmap
\ntcp-options range 78 78 allow
\nclass-map Riverbed_TCP_Option_76_Cmap
\nmatch access-list Riverbed_TCP_Option_76
\nclass-map Riverbed_TCP_Option_78_Cmap
\nmatch access-list Riverbed_TCP_Option_78
\npolicy-map global_policy
\nclass Riverbed_TCP_Option_76_Cmap
\nset connection advanced-options Riverbed_TCP_Option_76_Tmap
\nclass Riverbed_TCP_Option_78_Cmap
\nset connection advanced-options Riverbed_TCP_Option_78_Tmap<\/p><\/blockquote>\n
In many organizations, the Riverbed Steelhead is configured to use TCP  option 76 for both the autodiscovery and the full transpareny packets.  When this is the case, then following is the sample configuration using  ASA\/PIX Firewall version 7.0 or above:<\/p>\n
access-list Riverbed_TCP_Option_76 extended permit tcp any any log
\ntcp-map Riverbed_TCP_Option_76_Tmap
\ntcp-options range 76 76 allow
\nclass-map Riverbed_TCP_Option_76_Cmap
\nmatch access-list Riverbed_TCP_Option_76
\npolicy-map global_policy
\nclass Riverbed_TCP_Option_76_Cmap
\nset connection advanced-options Riverbed_TCP_Option_76_Tmap<\/p><\/blockquote>\n
UPDATE:<\/strong><\/p>\n
Per James’s comment below:<\/p>\n
Just dealt with this on an ASA 8.0.x<\/strong><\/span>, and we needed to add<\/p>\n
service-policy policyname global<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"
Introduction Riverbed Steelhead as WAN accelerator is deployed in WAN environment when traffic between WAN network (i.e. MPLS, Frame Relay) need to be optimized, hence creating so-called “WAN acceleration”. With “standard” WAN network consists of WAN routers and LAN switches, typically the Riverbed Steelhead is in place inline between the WAN routers and LAN switches.\u00a0 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[83],"tags":[35],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/959"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=959"}],"version-history":[{"count":8,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/959\/revisions"}],"predecessor-version":[{"id":961,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/959\/revisions\/961"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=959"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}