08-09-2009 05:59 AM - edited 03-09-2019 10:30 PM
I have been looking into the new TCP state bypass feature in ASA 8.2.1 and I have a few questions that I can't seem to find information about in the docs:
1. Does TCP State Bypass remove all stateful inspection? i.e., would I need to allow response traffic in the ACL?
access-list out permit tcp any any eq www
access-list out permit tcp any eq www any
access-list out permit udp any any eq domain
access-list out permit udp any eq domain any
2. The docs state that TCP state bypass can be enabled for only certain connections. Is application inspection disabled for all connections or just for the specific connections that were set up for TCP state bypass?
08-14-2009 12:59 PM
It does not remove all stateful inspection. By default, all traffic that goes through the adaptive security appliance is inspected using the Adaptive Security Algorithm and is either allowed through or dropped based on the security policy. The adaptive security appliance maximizes the firewall performance by checking the state of each packet (is this a new connection or an established connection?) and assigning it to either the session management path (a new connection SYN packet), the fast path (an established connection), or the control plane path (advanced inspection).
Application inspection is not supported in TCP state bypass, as application inspection requires both inbound and outbound traffic to go through the same adaptive security appliance, so application inspection is not supported with TCP state bypass.
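The answer above says bypass applies only to the connections you select; the configuration below shows how that selection is made with the ASA 8.2 Modular Policy Framework. It is an added example, not from the original post or from Cisco documentation; the ACL name, class-map and policy-map names, the 10.1.1.0/24 subnet and the interface name are assumptions, and the `show` commands are the checks a reviewer would run afterwards.

```cisco
! Select only the asymmetric flows that need bypass. Keep this ACL as
! narrow as possible: matched TCP flows get no SYN/state tracking, no
! sequence-number checks or randomization, and no application inspection,
! so the interface ACLs become the only control over them.
access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 any eq www

! Class-map that matches the ACL above (names are assumptions)
class-map tcp_bypass
 match access-list tcp_bypass

! Policy-map: bypass applies only to the class, not to the whole interface
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

! Apply to the interface where the asymmetric traffic enters
service-policy tcp_bypass_policy interface inside

! Because no connection state exists for bypassed flows, the ASA that
! sees only the return half of a connection must permit it explicitly,
! which is why the poster's ACL also allows "tcp any eq www any".
! Non-bypassed traffic (everything not matched by tcp_bypass) keeps the
! normal stateful and application inspection behaviour.

! Verification:
!   show service-policy           -> confirms the policy is bound to "inside"
!   show conn detail              -> bypassed connections carry the "b" flag
!   show access-list tcp_bypass   -> hit counts confirm the match is scoped as intended
```

Any flow that should still be protected by TCP normalization or application inspection must stay out of the `tcp_bypass` ACL, since those protections are switched off for every matched connection.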