https://community.cisco.com/t5/network-security/cisco-asa-return-traffic-on-different-interface/m-p/1524198#M579348 <HTML><HEAD></HEAD><BODY><P>Thnx a ton, You rock</P><P><SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/grin.gif"></SPAN></P></BODY></HTML> Sat, 27 Nov 2010 09:47:17 GMT thundercisco 2010-11-27T09:47:17Z https://community.cisco.com/t5/network-security/cisco-asa-return-traffic-on-different-interface/m-p/1524196#M579345 <P>Hi guys,</P><P>During my configuration of a network i found that if return traffic is comes on different interface , ASA block it.</P><P>e.g, lets say my ping originated from inside server on inside interface(Security level 100), This packet is router to sub interface .1, and server to which echo was sent reply back. but due to internal routing echo-reply comes back on subinterface .2. Although traffic coming back was allowed but still ASA didn't allow this kind of traffic. So to fix this i fixed internal routing and suddenly everything seems to be working.</P><P></P><P>No my question is : Is this a way we can allow such config, for now i had control over customer routing so i could fix this issue, But in future if such situation occurs what to do</P><P>Thnx in advance</P> Mon, 11 Mar 2019 19:15:05 GMT https://community.cisco.com/t5/network-security/cisco-asa-return-traffic-on-different-interface/m-p/1524196#M579345 thundercisco 2019-03-11T19:15:05Z https://community.cisco.com/t5/network-security/cisco-asa-return-traffic-on-different-interface/m-p/1524197#M579346 <HTML><HEAD></HEAD><BODY><P>Although what you did - fixing routing is the right way to fix it, this kind of asymmetry can be allowed.</P><P></P><P>With ASA 8.2.1 and above you can configure tcp state-bypass:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242</A></P><P></P><P>The following is an example configuration for TCP state bypass:</P><P></P><P>hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any</P><P></P><P>hostname(config)# class-map tcp_bypass<BR />hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"<BR />hostname(config-cmap)# match access-list tcp_bypass<BR />hostname(config-cmap)# policy-map tcp_bypass_policy<BR />hostname(config-pmap)# class tcp_bypass<BR />hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass<BR />hostname(config-pmap-c)# service-policy tcp_bypass_policy outside<BR />hostname(config-pmap-c)# static (inside,outside) 209.165.200.224 10.1.1.0 netmask</P><P></P><P>-KS</P></BODY></HTML> Fri, 26 Nov 2010 19:46:09 GMT https://community.cisco.com/t5/network-security/cisco-asa-return-traffic-on-different-interface/m-p/1524197#M579346 Kureli Sankar 2010-11-26T19:46:09Z https://community.cisco.com/t5/network-security/cisco-asa-return-traffic-on-different-interface/m-p/1524198#M579348 <HTML><HEAD></HEAD><BODY><P>Thnx a ton, You rock</P><P><SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/grin.gif"></SPAN></P></BODY></HTML> Sat, 27 Nov 2010 09:47:17 GMT https://community.cisco.com/t5/network-security/cisco-asa-return-traffic-on-different-interface/m-p/1524198#M579348 thundercisco 2010-11-27T09:47:17Z