07-12-2010 01:57 AM - edited 03-11-2019 11:10 AM
Hello,
I have a problem with communication through the ASA to the MS Exchange server.
I'm testing a new connection to the internet and the ASA is the default gateway for my VLAN (user VLAN).
It's a similar problem to the one described in this doc 'http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a0080734db7.shtml'
The difference is that I'm connected to an L3 switch, but it doesn't matter in this situation.
All services (DNS, DHCP) in the LAN work, but I have a problem with the connection to the Exchange server only.
Those services are in separate VLANs, and on the ASA static routes are added to these networks.
I have no ACL blocking traffic on the inside interface.
Does anyone have a similar problem?
07-12-2010 05:49 AM
Hello,
Seems like you are referring to an asymmetric routing problem. In such a situation, all non-connection-oriented traffic will work fine, but connection-oriented traffic (TCP based) will suffer. You have a couple of options. The easiest one is to make the L3 switch the gateway for your Exchange server. This way, the switch will make the routing decision for the Exchange traffic and will deliver all local LAN traffic to the respective VLAN interfaces and internet traffic to the firewall. The other option, if you are running the 8.2 code version, is to configure TCP state bypass. This will tell the firewall not to keep track of the TCP state of certain traffic. Here is a document that outlines the configuration requirements for TCP state bypass.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf
Hope this helps.
Regards,
NT
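For readers who want to see what the second option from the answer above looks like on the box, here is an ASA 8.2-style configuration fragment for TCP state bypass. This is an added illustration, not configuration from the thread or from the Cisco document linked above. The address 192.0.2.0/24 stands in for the Exchange server's VLAN and is an assumption; the ACL, class-map and policy-map names are placeholders chosen for this example.

```text
! Assumed: 192.0.2.0/24 is the Exchange VLAN (placeholder address, not from the thread).
! Match only the flows that actually take the asymmetric path, not "any any":
! with state bypass the ASA stops tracking the TCP state of everything this ACL matches.
access-list TCP_BYPASS extended permit tcp any 192.0.2.0 255.255.255.0

! Classify the matched traffic
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS

! Tell the ASA not to require a full, in-order TCP handshake for this class
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass

! Apply on the interface that receives the half-flow (the user VLAN side here)
service-policy TCP_BYPASS_POLICY interface inside
```

Why the scope matters: in the topology described in the question the ASA sees the client's SYN toward Exchange but never the server's reply, because the server answers via the L3 switch. State bypass makes the ASA accept that one-sided flow, which also means the firewall no longer drops out-of-state TCP segments for the matched hosts. Keeping the ACL narrowed to the Exchange subnet limits that loss of inspection, and the first option in the answer (making the L3 switch the gateway for the Exchange server) avoids the trade-off altogether by keeping both directions of the flow on the same path.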
07-12-2010 07:46 AM
The TCP state bypass resolved the problem.
Thanks for your help.
Regards Kamil