On the outward path, traffic is directed through the VPN and straight into the remote site's subnet; however, on the return path the traffic first hits the firewall before being re-routed back into the subnet to the firewall (this was to avoid route statements on servers).
The problem with this is that the ASA denies TCP traffic on the return path, as it did not see the original connection:
Deny TCP (no connection) Flags SYN ACK interface Inside
How do I either turn off this type of stateful inspection (not a great idea I know) or work around this?
How about using the "nailed" option under the static configuration?
(Optional) Allows TCP sessions for asymmetrically routed traffic. This option allows inbound traffic to traverse the security appliance without a corresponding outbound connection to establish the state. This command is used in conjunction with the failover timeout command. The failover timeout command specifies the amount of time after a system boots or becomes active that the nailed sessions are accepted. If not configured, the connections cannot be reestablished.
Note: Adding the nailed option to the static command causes TCP state tracking and sequence checking to be skipped for the connection. Using the asr-group command to configure asymmetric routing support is more secure than using the static command with the nailed option and is the recommended method for configuring asymmetric routing support.
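Before loosening state tracking, it helps to confirm from the logs that the drops really are asymmetric-routing returns (repeated SYN ACKs from the same server port being denied on the inside interface) rather than stray replies. The following is an added example, not from the original thread or from Cisco; it assumes the %ASA-6-106015 syslog format and uses constructed sample lines.

```python
import re
from collections import Counter

# Constructed sample syslog lines; the message layout assumed here is the
# ASA %ASA-6-106015 "Deny TCP (no connection)" format.
SAMPLE_LOGS = """\
%ASA-6-106015: Deny TCP (no connection) from 10.20.0.15/443 to 172.16.5.7/50211 flags SYN ACK  on interface Inside
%ASA-6-106015: Deny TCP (no connection) from 10.20.0.15/443 to 172.16.5.7/50212 flags SYN ACK  on interface Inside
%ASA-6-106015: Deny TCP (no connection) from 10.20.0.22/22 to 172.16.5.9/41001 flags SYN ACK  on interface Inside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/3389 to 198.51.100.4/60000 flags RST  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 10.20.0.15/443 to 172.16.5.7/50213 flags ACK  on interface Inside
"""

LINE_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)


def parse_106015(line):
    """Return the fields of one 106015 message as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = set(rec["flags"].split())  # e.g. {"SYN", "ACK"}
    return rec


def asymmetric_candidates(log_text, interface="Inside", threshold=2):
    """Count SYN ACK replies denied with 'no connection' on the given interface,
    keyed by (server IP, server port).

    A server whose SYN ACKs are repeatedly dropped on the protected interface is
    a strong sign the outbound SYN bypassed the firewall (asymmetric return path);
    single hits, RSTs and bare ACKs are left out as likely noise."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_106015(line)
        if rec is None or rec["ifc"].lower() != interface.lower():
            continue
        if {"SYN", "ACK"} <= rec["flags"] and "RST" not in rec["flags"]:
            counts[(rec["src"], rec["sport"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (server, port), n in asymmetric_candidates(SAMPLE_LOGS).items():
        print(f"{server}:{port} - {n} SYN ACK replies denied on Inside")
```

Once the affected servers are known, the fix can be scoped to them (asr-group on the interfaces involved, or a narrowly matched static) instead of disabling state tracking more broadly.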