Hi
On the Cisco ASA firewall I'd like to disable TCP state inspection for intranet traffic that goes through a site-to-site IPsec VPN tunnel. From my understanding this can be done like this:
access-list tcp_bypass extended permit tcp object-group Intranet1 object-group Intranet2
class-map tcp_bypass
 match access-list tcp_bypass
policy-map global_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
But I also need to allow TCP options 76-78 for Riverbed Steelhead autodiscovery, which is done like this:
tcp-map riverbed
 tcp-options range 76 78 allow
policy-map global_policy
 class class-default
  set connection advanced-options riverbed
Unfortunately this doesn't seem to work. When the first class in the policy-map matches, the following classes are not processed. And trying to put both advanced-options in the same class results in an error: "ERROR: This option cannot coexist with tcp-map option!"
So why is this not possible?
What other options are there for IPsec VPN connectivity that does not use TCP state inspection? This causes problems with the Riverbed SteelHead path selection functionality, where it should be able to switch open TCP sessions from one VPN tunnel to another.
Thanks in advance.
Best regards,
Bernd
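Added example, not part of Bernd's post and not Cisco code: a small Python model of the first-match policy-map evaluation the post describes. The object groups Intranet1 and Intranet2 are given constructed ranges (10.1.0.0/16 and 10.2.0.0/16), the flows are constructed, and the class/option names are the ones from the post. It reproduces both effects: intranet TCP traffic is handled by the tcp_bypass class and never reaches class-default (so the riverbed tcp-map is not applied to it), and a single class cannot carry tcp-state-bypass together with a tcp-map.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the object groups named in the post (assumed ranges).
OBJECT_GROUPS = {
    "Intranet1": [ipaddress.ip_network("10.1.0.0/16")],
    "Intranet2": [ipaddress.ip_network("10.2.0.0/16")],
}


@dataclass
class Flow:
    proto: str
    src: str
    dst: str


@dataclass
class ClassMap:
    """One 'class' entry in a policy-map. ace=None models class-default."""
    name: str
    ace: Optional[dict]
    advanced_options: list = field(default_factory=list)


class PolicyError(Exception):
    pass


def in_group(ip: str, group: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OBJECT_GROUPS[group])


def ace_matches(ace: dict, flow: Flow) -> bool:
    """Model 'permit <proto> object-group A object-group B'."""
    return (
        flow.proto == ace["proto"]
        and in_group(flow.src, ace["src_group"])
        and in_group(flow.dst, ace["dst_group"])
    )


def add_class(policy: list, cls: ClassMap) -> list:
    """Append a class, rejecting the combination the ASA refuses in the post.
    tcp-state-bypass switches off the stateful TCP checks for matching flows,
    so it is kept as the only advanced option of a narrowly matched class."""
    opts = set(cls.advanced_options)
    if "tcp-state-bypass" in opts and len(opts) > 1:
        raise PolicyError("ERROR: This option cannot coexist with tcp-map option!")
    policy.append(cls)
    return policy


def evaluate(policy: list, flow: Flow):
    """Return (class name, advanced-options) of the first matching class.
    Later classes are not consulted, which is the behaviour the post describes."""
    for cls in policy:
        if cls.ace is None or ace_matches(cls.ace, flow):
            return cls.name, list(cls.advanced_options)
    return None, []


def build_posted_policy() -> list:
    """The two classes from the post, in the order they appear in global_policy."""
    policy = []
    add_class(policy, ClassMap(
        "tcp_bypass",
        {"proto": "tcp", "src_group": "Intranet1", "dst_group": "Intranet2"},
        ["tcp-state-bypass"]))
    add_class(policy, ClassMap("class-default", None, ["riverbed"]))
    return policy


if __name__ == "__main__":
    policy = build_posted_policy()
    # Constructed flows: one intranet-to-intranet, one intranet-to-internet.
    for f in (Flow("tcp", "10.1.5.20", "10.2.7.30"),
              Flow("tcp", "10.1.5.20", "192.0.2.10")):
        print(f.src, "->", f.dst, evaluate(policy, f))
    try:
        add_class([], ClassMap("both", None, ["tcp-state-bypass", "riverbed"]))
    except PolicyError as e:
        print(e)
```

The model keeps the post's own statement of the semantics (first matching class wins, later classes skipped) and does not try to answer the question; it only makes visible that, with the posted ordering, the Intranet1-to-Intranet2 flow gets tcp-state-bypass and nothing else, while every other flow falls through to class-default and the riverbed tcp-map.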