TCP Bypass not working

markus.bock
Level 1

Hello,

I have a problem with asymmetric routing for a host in our network. A connection coming from www to the host is going through a third-party UTM appliance to the host 10.10.10.99. The default gateway is a Cisco ASA, 10.10.10.1. In the log of the ASA I can see the message

Deny TCP (no connection) from 10.10.10.99/3389 to 80.122.157.55/34334 flags SYN ACK on interface NET_10.10.10.0_Inside

This shows me a problem with asymmetric routing. I cannot change the routing and access from www to the host, so I would like to configure TCP Bypass for this host, but I can't get it to work.

I have configured the following policy:

access-list tcp_bypass extended permit tcp host 10.10.10.99 any
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface NET_10.10.10.0_Inside

But when I try to access the host, I still get the log entries from above.

Can anybody please help me find the problem?
16 Replies

Try this:

1. Configure the mapped IP, not the real IP, in the extended ACL tcp_bypass.

2. Remove "any" and configure the outside subnet of the ASA instead.

Try this solution; I think this is the solution for your issue.
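The log message quoted in the question is the ASA's "no connection" deny (syslog ID 106015), and the reply above suggests narrowing the bypass ACL from "any" to the actual remote network. The following added script (not from the thread or from Cisco) parses such lines, flags SYN/ACK replies leaving the inside interface as the asymmetric-routing signature, and lists, per inside host, the outside peers whose replies were dropped, which is the information needed to scope the ACL. The sample log lines are constructed; the interface name and addresses in the first line come from the post, the rest are documentation addresses.

```python
import re
from collections import defaultdict

# Matches the body of an ASA 106015 "Deny TCP (no connection)" message.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)"
)

def parse_deny(line):
    """Return the fields of a 106015 deny line as a dict, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].split()
    return rec

def classify(rec, inside_iface):
    """A SYN/ACK arriving on the inside interface with no matching connection is a reply
    to a SYN the ASA never saw, i.e. the inbound path bypassed the firewall."""
    flags = set(rec["flags"])
    if rec["iface"] == inside_iface and flags == {"SYN", "ACK"}:
        return "asymmetric-reply"
    if "RST" in flags:
        return "reset"
    return "other-no-connection"

def asymmetric_peers(lines, inside_iface):
    """Map each inside host to the sorted list of outside peers whose replies were dropped.
    Use this list to write a bypass ACL scoped to those peers instead of 'any'."""
    peers = defaultdict(set)
    for line in lines:
        rec = parse_deny(line)
        if rec and classify(rec, inside_iface) == "asymmetric-reply":
            peers[rec["src"]].add(rec["dst"])
    return {host: sorted(p) for host, p in peers.items()}

# Constructed sample log; the first line mirrors the message quoted in the question.
SAMPLE_LOG = [
    "%ASA-6-106015: Deny TCP (no connection) from 10.10.10.99/3389 to 80.122.157.55/34334 flags SYN ACK on interface NET_10.10.10.0_Inside",
    "%ASA-6-106015: Deny TCP (no connection) from 10.10.10.99/3389 to 198.51.100.7/51022 flags SYN ACK on interface NET_10.10.10.0_Inside",
    "%ASA-6-106015: Deny TCP (no connection) from 10.10.10.50/443 to 198.51.100.7/51100 flags RST on interface NET_10.10.10.0_Inside",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/4000 (198.51.100.7/4000) to inside:10.10.10.20/22 (203.0.113.20/22)",
]

if __name__ == "__main__":
    for host, peers in asymmetric_peers(SAMPLE_LOG, "NET_10.10.10.0_Inside").items():
        print(host, "->", ", ".join(peers))
```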

Interesting. Have you confirmed that routing towards the internet and NAT for 10.10.10.99 are in place on the ASA?

As Aref has mentioned, it would be good to see a topology diagram with an explanation of the expected traffic flow.

--
Please remember to select a correct answer and rate helpful posts