Disabling TCP State Inspaction and TCP Maps

Network Diver — Tue, 12 Mar 2019 07:36:48 GMT

On the Cisco ASA firewall I'd like to disable TCP state inspection for intranet traffic that goes through a site2site IPsec VPN tunnel. From my understanding this can be done like that:

access-list tcp_bypass extended permit tcp object-group Intranet1 object-group Intranet2 

class-map tcp_bypass
 match access-list tcp_bypass

policy-map global_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

But I also need to allow TCP options 76-78 for Riverbed Steelhead autodiscovery which is done like that:

tcp-map riverbed
 tcp-options range 76 78 allow

policy-map global_policy
 class class-default
  set connection advanced-options riverbed

Unfortunately this doesn't seem to work. When the first class in the policy-map matches, the following classes are not processed. And trying to put both advanced-options in the same class, results in an error: "ERROR: This option cannot coexist with tcp-map option!"

So why is this not possible?

What other options are there for IPsec VPN connectivity that does not TCP state inspection? This causes problems with Riverbed SteelHead path selection functionality where it should be able to switch open TCP sessions from one VPN tunnel to another.

Thanks in advance.

Best regards,

Bernd

topic Disabling TCP State Inspaction and TCP Maps in Network Security

Disabling TCP State Inspaction and TCP Maps