Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
526
Views
0
Helpful
1
Replies

Assymetric packet flow on FWSM context

Ruterford
Level 1
Level 1

‎12-28-2011 11:23 AM - edited ‎03-11-2019 03:07 PM

Hi All,

I am planning to implement following schema:

Outside---RouterA===FWSM context-------RouterB-----LAN

                                         |

                                         |

                                   RouterC

                                         |

                                      LAN

RouterA is acting as Internet gateway connected to ASA using two outside interfaces

FWSM context is placed in transparent firewall mode (two BVI groups for each inside/outside pair - RouterA-RouterC and RouterA-RouterB)

RouterB is connected to FWSM using single connection and serving inside LAN

RouterC is connected to FWSM using single connection and also serving the same inside LAN

RouterB and RouterC are in HSRP for LAN

The thing is that I will run EIGRP between RouterA and RouterB/RouterC, that is why the FWSM is placed in transparent firewall mode to bypass the Eigrp traffic between the routers. So, there is a possibility that TCP session will be established from outside from RouterA and destined to some host on the LAN, it could be forwarded via one interface (BVI Group1) on FWSM to RouterB, but host could reply via RouterC and traffic will be forwarded back thru another interface (BVI group2) on FWSM. My question is if FWSM has already pemitted this TCP session as allowed for inbound from outside (BVI Group 1) will it block replying same TCP traffic but coming  from RouterC(using BVI Group 2)?

Sorry if the question is too complicated, but I just need to know if I have a transaprent firewall with two BVi groups, each group contains it's own inside/outside, will the firewall permit assymetric replying from inside TCP flow via BVI Group 2  if it was allowed as inbound for  BVI Group1 from outside.

Thanks!

Labels:
0 Helpful
1 Reply 1

mirober2
Cisco Employee
Cisco Employee

‎01-06-2012 09:55 AM

Hello,

The FWSM will not allow asymmetrically routed traffic by default. You can allow this by enabling TCP state bypass, but this disables much of the security functionality that would normally be applied to that flow. You can read more about the feature and implications here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/protct_f.html#wp1075957

-Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card