ASA TCP Bypass config not working

jpastore
Level 1

Hello,

I have attempted to enable TCP State Bypass on my ASA 5540 on code 9.0(4)


I have the following config:

class-map tcp_bypass
description "TCP traffic that bypasses stateful firewall"
match access-list tcp_bypass
policy-map tcp_bypass_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface CableMPLSZEL


The 'CableMPLSZEL' interface is the ingress interface for the targeted traffic. I am seeing 'Deny TCP (no connection)' in the logs even after implementing this configuration.


Any help would be great. Thanks.

4 Replies

Sheraz.Salim
VIP Alumni

What does your access-list look like ("match access-list tcp_bypass")?

Could you show your access-list: show access-list tcp_bypass

please do not forget to rate.

jpastore
Level 1

I had another thought. While testing, I was seeing the Deny TCP (no connection) logs. After using packet tracing to simulate 10.253.2.30 8080 > 10.2.227.30 55555 it said denied by implicit ACL. I added an ACL for the service policy but never added an actual ACL on the ingress interface. Would this possibly be the cause? I thought if that were the case I would see a more typical deny statement instead of 'no connection'.

Also here is my ACL

access-list tcp_bypass extended permit tcp host 10.253.2.30 host 10.2.227.30
access-list tcp_bypass extended permit tcp host 10.253.2.30 host 10.15.227.30
access-list tcp_bypass extended permit tcp host 10.253.2.30 host 10.2.225.30
access-list tcp_bypass extended permit tcp host 10.253.2.30 host 10.15.225.30
access-list tcp_bypass extended permit tcp host 10.253.2.40 host 10.2.227.30
access-list tcp_bypass extended permit tcp host 10.253.2.40 host 10.15.227.30
access-list tcp_bypass extended permit tcp host 10.253.2.40 host 10.2.225.30
access-list tcp_bypass extended permit tcp host 10.253.2.40 host 10.15.225.30
access-list tcp_bypass extended permit tcp host 10.253.2.30 host 10.2.11.27
access-list tcp_bypass extended permit tcp host 10.253.2.30 host 10.2.11.183
access-list tcp_bypass extended permit tcp host 10.253.2.30 host 10.2.11.116
access-list tcp_bypass extended permit tcp host 10.253.2.40 host 10.2.11.27
access-list tcp_bypass extended permit tcp host 10.253.2.40 host 10.2.11.183
access-list tcp_bypass extended permit tcp host 10.253.2.40 host 10.2.11.116
access-list tcp_bypass extended permit tcp host 10.2.227.30 host 10.253.2.30
access-list tcp_bypass extended permit tcp host 10.15.227.30 host 10.253.2.30
access-list tcp_bypass extended permit tcp host 10.2.225.30 host 10.253.2.30
access-list tcp_bypass extended permit tcp host 10.15.225.30 host 10.253.2.30
access-list tcp_bypass extended permit tcp host 10.2.227.30 host 10.253.2.40
access-list tcp_bypass extended permit tcp host 10.15.227.30 host 10.253.2.40
access-list tcp_bypass extended permit tcp host 10.2.225.30 host 10.253.2.40
access-list tcp_bypass extended permit tcp host 10.15.225.30 host 10.253.2.40
access-list tcp_bypass extended permit tcp host 10.2.11.27 host 10.253.2.30
access-list tcp_bypass extended permit tcp host 10.2.11.183 host 10.253.2.30
access-list tcp_bypass extended permit tcp host 10.2.11.116 host 10.253.2.30
access-list tcp_bypass extended permit tcp host 10.2.11.27 host 10.253.2.40
access-list tcp_bypass extended permit tcp host 10.2.11.183 host 10.253.2.40
access-list tcp_bypass extended permit tcp host 10.2.11.116 host 10.253.2.40

After using packet tracing to simulate 10.253.2.30 8080 > 10.2.227.30 55555 it said denied by implicit ACL

- Is the 10.252.2.30 security level higher than 10.2.227.30's? I guess in your case 10.253.2.30 has a lower security level compared to 10.2.227.30; that is why you see the implicit ACL deny. You still need to define the ACL in order to allow the traffic, so the ACL rule needs to match in order to accept the traffic, and once the traffic is accepted the TCP bypass rule will come into play.

please do not forget to rate.

jpastore
Level 1

The ingress security interface 'CableMPLSZEL' has a security level of 75 and the egress interface 'inside' has a security level of 100.


So you are thinking with an ACL on the interface CableMPLSZEL to allow this traffic in, this should resolve my issue? And Deny TCP (no connection) was normal to see there because of missing ACL?


I already have it in place, but must wait until a maintenance window in a couple weeks to be able to test. I will update the post then with results and hopefully resolution.


Thanks
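The point the replies converge on is that the ACL referenced by the class-map only selects traffic for the tcp-state-bypass feature; it does not admit traffic. Admission is decided first, by the access-group bound to the ingress interface or, when none is bound, by the implicit security-level rule (75 to 100 is denied). The following Python model is an added example, not ASA code or anything from the original post: it parses the thread's ACL syntax, applies the two decisions in the order described above (an assumption about ordering taken from the packet-tracer result quoted in the thread), and reproduces the "denied by implicit ACL" result for the posted config, the effect of adding an ingress ACL, and the "Deny TCP (no connection)" outcome for a non-SYN packet that the ingress ACL admits but the bypass class does not cover. The ACL name CableMPLSZEL_in and the host 10.2.11.50 are constructed for the example; port operators in ACEs are not modelled.

```python
"""Model of ASA admission (interface ACL / security-level rule) followed by the
MPF tcp-state-bypass class.  Constructed example; not Cisco code.  ACL_TEXT holds
two ACEs from the thread's tcp_bypass ACL plus a hypothetical ingress ACL."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACL_TEXT = """
access-list tcp_bypass extended permit tcp host 10.253.2.30 host 10.2.227.30
access-list tcp_bypass extended permit tcp host 10.2.227.30 host 10.253.2.30
access-list CableMPLSZEL_in extended permit tcp host 10.253.2.30 any
"""


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True        # False models a mid-stream packet with no connection entry
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(t, i):
    """Parse 'host A' | 'any' | 'NET MASK' at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    if t[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_name: [Ace, ...]} in configured order (port operators ignored)."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _addr(t, 5)
        dst, _ = _addr(t, i)
        acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst))
    return acls


def first_match(aces, flow):
    """First ACE whose protocol and addresses cover the flow, or None (implicit deny)."""
    for a in aces:
        if a.proto in (flow.proto, "ip") and \
                ipaddress.ip_address(flow.src) in a.src and ipaddress.ip_address(flow.dst) in a.dst:
            return a
    return None


@dataclass
class Interface:
    name: str
    security_level: int
    access_group: Optional[str] = None   # ACL bound with 'access-group NAME in interface NAME'


@dataclass
class BypassPolicy:
    """class-map 'match access-list ACL' + 'set connection advanced-options
    tcp-state-bypass', applied with 'service-policy ... interface NAME'."""
    class_acl: str
    interface: str


def admission(acls, ingress, egress, flow):
    """Interface ACL if one is bound; otherwise the implicit security-level rule."""
    if ingress.access_group:
        ace = first_match(acls.get(ingress.access_group, []), flow)
        if ace is None:
            return False, f"denied by implicit deny at end of {ingress.access_group}"
        return ace.action == "permit", f"{ace.action} by ACL {ingress.access_group}"
    if ingress.security_level > egress.security_level:
        return True, "implicit permit (higher to lower security level)"
    return False, "denied by implicit ACL (lower to higher security level, no access-group)"


def trace(acls, policy, ingress, egress, flow):
    """Admission first, then connection creation; bypass only relaxes the SYN requirement."""
    ok, reason = admission(acls, ingress, egress, flow)
    if not ok:
        return "DROP", reason
    if flow.syn:
        return "ALLOW", reason + "; new connection"
    in_class = (policy is not None and policy.interface == ingress.name
                and first_match(acls.get(policy.class_acl, []), flow) is not None)
    if in_class:
        return "ALLOW", reason + "; tcp-state-bypass class matched, no SYN required"
    return "DROP", reason + "; Deny TCP (no connection): non-SYN packet, no state, not in bypass class"


ACLS = parse_acls(ACL_TEXT)
INSIDE = Interface("inside", 100)
POLICY = BypassPolicy(class_acl="tcp_bypass", interface="CableMPLSZEL")
FLOW = Flow("10.253.2.30", 8080, "10.2.227.30", 55555)   # the packet-tracer test from the thread


def as_posted():
    """Thread's config: service policy present, no access-group on CableMPLSZEL (75 -> inside 100)."""
    return trace(ACLS, POLICY, Interface("CableMPLSZEL", 75), INSIDE, FLOW)


def with_ingress_acl(flow):
    """Hypothetical fix: CableMPLSZEL_in bound inbound on the ingress interface."""
    return trace(ACLS, POLICY, Interface("CableMPLSZEL", 75, "CableMPLSZEL_in"), INSIDE, flow)


if __name__ == "__main__":
    print(as_posted())
    print(with_ingress_acl(FLOW))
    print(with_ingress_acl(Flow("10.253.2.30", 8080, "10.2.227.30", 55555, syn=False)))
    print(with_ingress_acl(Flow("10.253.2.30", 8080, "10.2.11.50", 55555, syn=False)))
```

Running it prints four decisions: the posted config drops the SYN at the implicit ACL; with the ingress ACL bound the SYN is allowed; a non-SYN packet between the two bypass hosts is allowed via the bypass class; and a non-SYN packet to a host the ingress ACL admits but the tcp_bypass ACL does not list is dropped with the "no connection" reason. The useful check on a real box is the same split: show access-group for admission, show service-policy for the bypass class, and packet-tracer to see which phase drops the packet.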
