Cisco ASA return Traffic on different interface

thundercisco
Level 1

Hi guys,

During my configuration of a network I found that if return traffic comes in on a different interface, the ASA blocks it.

E.g., let's say my ping originated from an inside server on the inside interface (security level 100). This packet is routed to subinterface .1, and the server to which the echo was sent replies back, but due to internal routing the echo-reply comes back on subinterface .2. Although the returning traffic was allowed, the ASA still didn't allow this kind of traffic. So to fix this I fixed the internal routing, and suddenly everything seems to be working.

Now my question is: is there a way we can allow such a config? For now I had control over the customer routing so I could fix this issue, but if such a situation occurs in the future, what should I do?

Thanks in advance

Accepted Solution

Kureli Sankar
Cisco Employee

Although what you did (fixing routing) is the right way to fix it, this kind of asymmetry can be allowed.

With ASA 8.2.1 and above you can configure TCP state bypass:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

The following is an example configuration for TCP state bypass:

hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any

hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# service-policy tcp_bypass_policy outside
hostname(config-pmap-c)# static (inside,outside) 209.165.200.224 10.1.1.0 netmask

-KS

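To see why the stateful engine drops the asymmetric reply and what the tcp_bypass class changes, here is a small Python model of ASA connection tracking added as an illustration (it is not ASA code and not from the original post). It assumes a constructed topology: inside host 10.1.1.10, new flows routed out subinterface out.1, replies arriving on out.2, and an inbound ACL on the outside subinterfaces that already permits the replies. It also shows the caveat that the bypass is TCP-only, so the ICMP echo-reply from the question is still dropped.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): egress route for new flows, the
# access-list tcp_bypass from the answer, and the inbound ACL on out.*.
ROUTES = {"209.165.201.0/24": "out.1"}
BYPASS_ACL = ["10.1.1.0/27"]        # 10.1.1.0 255.255.255.224
INBOUND_PERMIT = ["10.1.1.0/27"]    # replies to inside hosts are permitted


class StatefulFirewall:
    """Toy model of ASA connection tracking, enough to show the asymmetry."""

    def __init__(self, bypass_enabled):
        self.bypass_enabled = bypass_enabled
        self.conns = {}  # 5-tuple of the initiating packet -> expected return interface

    @staticmethod
    def _in(addr, nets):
        return any(ip_address(addr) in ip_network(n) for n in nets)

    def _bypassed(self, pkt):
        # class-map tcp_bypass matches only TCP whose endpoint is in the ACL;
        # ICMP and UDP never hit the bypass class.
        return (self.bypass_enabled and pkt["proto"] == "tcp"
                and (self._in(pkt["src"], BYPASS_ACL)
                     or self._in(pkt["dst"], BYPASS_ACL)))

    def process(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
        rev = (pkt["dst"], pkt["src"], pkt["proto"], pkt["dport"], pkt["sport"])
        if pkt["iface"] == "inside":
            # New flow from security level 100 to lower: allowed, and the
            # conn records which outside interface the reply must arrive on.
            egress = next(i for n, i in ROUTES.items()
                          if ip_address(pkt["dst"]) in ip_network(n))
            self.conns[key] = egress
            return "ALLOW"
        if rev in self.conns and self.conns[rev] == pkt["iface"]:
            return "ALLOW"  # normal stateful return on the expected interface
        # No conn for this interface: the stateful engine drops the packet
        # unless the bypass class applies and the interface ACL permits it.
        if self._bypassed(pkt) and self._in(pkt["dst"], INBOUND_PERMIT):
            return "ALLOW (tcp-state-bypass)"
        return "DROP"


def tcp_pkt(src, dst, sport, dport, iface):
    return {"src": src, "dst": dst, "proto": "tcp",
            "sport": sport, "dport": dport, "iface": iface}


def icmp_pkt(src, dst, iface):
    return {"src": src, "dst": dst, "proto": "icmp",
            "sport": 0, "dport": 0, "iface": iface}
```

Without the bypass class the SYN/ACK arriving on out.2 is dropped even though the ACL permits it; with the class it passes, while an echo-reply on out.2 is still dropped because the feature only covers TCP.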

2 Replies


Thanks a ton, you rock
