SYN ACK Flags blocked

Robert Craig
Level 3

OK, a strange problem started appearing recently. I can't for the life of me remember what I could have possibly changed to cause this problem. Below is the architecture.

Internet---Cisco 2600 (Dynamic IP)--PIX 515E----Interface VLAN2 (192.168.2.1)----Wireless Router (local lan 192.168.3.0)

I am using my laptop and trying to access a device on the VLAN2 network and can't. I can ping all day long, but nothing beyond that. The only thing appearing in my logs is the below

Deny TCP (no connection) from 192.168.2.5/2000 to 192.168.3.100/35670 flags SYN ACK on interface vlan2

I've looked in the interface configs and made sure that "traffic between two or more interfaces with the same security level" is configured, and looked everywhere else. This problem just started and really doesn't make any sense. Anyone know where I can double-check? Thanks for any help.

Robert

26 Replies

Julio Carvajal
VIP Alumni

Hello Robert,

The connection is being closed because the ASA is receiving a SYN ACK packet that it was not expecting to receive (no SYN packet, no connection).

You need to configure U-turning or a TCP bypass rule.

What version are you running?

Do rate helpful posts!!!!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Version 8.0(4). I’ve never configured either one of those. Any pointers?

Robert

Can I have a diagram of your network with the internal IP addresses of both devices (the ones that are trying to communicate on the same interface) and each one's default gateway?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Not a problem. Attached is a diagram I threw together. Basically, the laptop on wireless, 192.168.3.100, is trying to access anything on VLAN2. I can't ping or do anything, but I can get out to the internet and to anything else on the network no problem, including the 192.168.1.0 network. It's almost like 192.168.2.0 and 3.0 aren't allowed to talk to each other. In the diagram, the server represents a Cisco Call Manager, 192.168.2.5.

Hello Robert,

So the problem is with the communication between 192.168.2.0 and 192.168.3.0!

Here is the thing:

When a packet from a host on the wireless local network tries to go to 192.168.2.x, the packet goes to the wireless router, and since the router is on the same network it sends the packet directly to the host (SYN).

The host sends the SYN ACK to its default gateway, the ASA. The ASA says "wait a minute, a SYN ACK, but where is the SYN?", drops the packet, and the session does not get established.

So in order to allow this communication to be bidirectional, let's do a TCP state bypass:

! Traffic whose state tracking is to be skipped: the SYN ACK arrives from
! 192.168.2.x toward 192.168.3.x, so that is the direction the ACL matches
access-list test permit tcp 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
!
class-map tcp_bypass
 match access-list test
!
policy-map global_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
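The drop described above is what a stateful firewall's connection table does by design: a SYN builds the entry, and any later packet must match an existing entry. The following is an added example, not code from the thread or from Cisco, that models this table in Python with constructed packets using the addresses from the log line. It reproduces the "Deny TCP (no connection)" message for the asymmetric path, shows the same SYN ACK being accepted when the SYN also crossed the firewall, and shows what a bypass ACL equivalent to the tcp-state-bypass class changes. The `StatefulFirewall` and `Packet` names and the ACL matching (source and destination network only) are simplifying assumptions of this example.

```python
"""Minimal model of stateful TCP inspection on a firewall such as the PIX/ASA
in this thread.  Added example, not Cisco code.  All packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FLAG_ORDER = ("SYN", "ACK", "FIN", "RST")  # display order used in the log line


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    iface: str

    def flag_text(self):
        return " ".join(f for f in FLAG_ORDER if f in self.flags)


class StatefulFirewall:
    """Connection table keyed on the unordered socket pair, so a reply
    packet maps to the same entry as the SYN that created it."""

    def __init__(self, bypass_acl=()):
        # bypass_acl: (src_net, dst_net) pairs, standing in for the access-list
        # that a tcp-state-bypass class matches on (assumption: only the
        # source and destination networks are checked here)
        self.bypass_acl = [(ip_network(s), ip_network(d)) for s, d in bypass_acl]
        self.conns = set()
        self.log = []

    @staticmethod
    def _key(p):
        return frozenset(((p.src, p.sport), (p.dst, p.dport)))

    def _bypassed(self, p):
        return any(ip_address(p.src) in s and ip_address(p.dst) in d
                   for s, d in self.bypass_acl)

    def process(self, p):
        """Return 'permit' or 'deny' for one packet, logging drops like the PIX."""
        if self._bypassed(p):
            # State bypass: no SYN check, no sequence tracking, no entry required
            return "permit"
        key = self._key(p)
        if p.flags == {"SYN"}:
            self.conns.add(key)  # first packet of a handshake builds the entry
            return "permit"
        if key in self.conns:
            return "permit"  # mid-connection packet matches an existing entry
        self.log.append(
            f"Deny TCP (no connection) from {p.src}/{p.sport} to "
            f"{p.dst}/{p.dport} flags {p.flag_text()} on interface {p.iface}")
        return "deny"


# Handshake between the wireless laptop and the Call Manager from the thread.
SYN = Packet("192.168.3.100", 35670, "192.168.2.5", 2000, frozenset({"SYN"}), "vlan2")
SYN_ACK = Packet("192.168.2.5", 2000, "192.168.3.100", 35670,
                 frozenset({"SYN", "ACK"}), "vlan2")


def symmetric_path(fw):
    """Both directions cross the firewall: the SYN builds the entry first."""
    return fw.process(SYN), fw.process(SYN_ACK)


def asymmetric_path(fw):
    """The wireless router delivered the SYN on the LAN directly; only the
    server's SYN ACK, sent to its default gateway, reaches the firewall."""
    return fw.process(SYN_ACK)


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(asymmetric_path(fw), fw.log[-1])        # deny, plus the thread's log line
    print(symmetric_path(StatefulFirewall()))     # ('permit', 'permit')
    bypass = StatefulFirewall(bypass_acl=[("192.168.2.0/24", "192.168.3.0/24")])
    print(asymmetric_path(bypass))                # permit
```

The bypass branch is the security trade-off to keep in mind: for matching flows the firewall stops checking the handshake and sequence numbers entirely, so the ACL feeding a tcp-state-bypass class should be as narrow as the asymmetric pair actually needs (here the two /24s, and ideally the Call Manager's port only). Fixing the routing so both directions traverse the firewall, as in `symmetric_path`, keeps inspection intact and is the better fix when the topology allows it.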

Julio,

I’m almost there. I figured out I had to manually create the TCP Map “tcp-state-bypass”. However, even with no options selected (I am doing this in ASDM), traffic still won’t go through. I’ve messed with several settings in the tcp map, but no luck.

Robert

Hello Robert,

Is there a way you could do it via CLI? You will just need to copy and paste the information I have provided you.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That’s what I tried first. I got stuck at the tcp-state-bypass command. It said no TCP map exists. I did some digging on Cisco. I should have that option in ASDM under a new TCP MAP as well under the Advanced section. For whatever reason, it doesn’t exist. Just to make sure we are on the same page, I am using a PIX 515E running IOS 8.0(4) with ASDM 6.1.5. According to all of the documentation, the bypass command should work, but it isn’t. Any ideas?

Robert

Hello Robert,

I know what you mean, but the PIX should take the command. We do not configure the TCP state bypass in the TCP map options.

Please confirm if you are doing it like this

policy-map global_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

I even used the Tab key to make sure I am putting the commands in correctly. But as soon as I press Enter on that statement I get "ERROR: Can't find map tcp-state-bypass".

Robert

Hello Robert,

After doing a little research I got the answer to why this is not possible: TCP state bypass is a feature available only from 8.2 onward.

Let me do a little bit of research on this.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, that would make sense why all of the documentation online references an ASA, not a PIX. Let me know what you find. Thanks Julio!

Robert

Hi Robert,

Just to add some background to the thread, this document explains why this problem occurs and suggests a few mitigation techniques that you might find useful:

https://supportforums.cisco.com/docs/DOC-14491

-Mike

Hey Mike. Thanks for the link. Unfortunately, if I am reading the document right, it only applies to NAT statements. I have a router in front of this firewall so I'm not using NAT at the firewall level. I tried to apply the command to the only two NAT statements I have (listed below) and it won't let me because of the 0 in the statement.

nat (inside) 0 access-list inside_nat0_outbound

nat (VLAN2) 0 access-list VLAN2_nat0_outbound

If I understand these statements correctly, it simply means DO NOT NAT traffic going out from these interfaces.
