cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1474
Views
0
Helpful
1
Replies

TCP State Bypass

mmacdonald70
Level 1
Level 1

I have been looking into the new TCP state bypass feature in ASA 8.2.1 and I have a few questions that I can't seem to find information about in the docs:

1. Does TCP State Bypass remove all stateful inspection? ie would I need to allow response traffic in the ACL

access-list out permit tcp any any eq www

access-list out permit tcp any eq www any

access-list out permit udp any any eq domain

access-list out permit udp any eq domain any

2. The docs state that TCP state bypass can be enabled for only certain connections. Is application inspection disabled for all connections or just for the specific connections that were set up for TCP state bypass?

1 Accepted Solution

Accepted Solutions

bwalchez
Level 4
Level 4

It does not remove all statefull inspection. By default, all traffic that goes through the adaptive security appliance is inspected using the Adaptive Security Algorithm and is either allowed through or dropped based on the security policy. The adaptive security appliance maximizes the firewall performance by checking the state of each packet (is this a new connection or an established connection?) and assigning it to either the session management path (a new connection SYN packet), the fast path (an established connection), or the control plane path (advanced inspection).

Application inspection is not supported in TCP state bypass as Application inspection requires both inbound and outbound traffic to go through the same adaptive security appliance, so application inspection is not supported with TCP state bypass.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html#wp1087329

View solution in original post

1 Reply 1

bwalchez
Level 4
Level 4

It does not remove all statefull inspection. By default, all traffic that goes through the adaptive security appliance is inspected using the Adaptive Security Algorithm and is either allowed through or dropped based on the security policy. The adaptive security appliance maximizes the firewall performance by checking the state of each packet (is this a new connection or an established connection?) and assigning it to either the session management path (a new connection SYN packet), the fast path (an established connection), or the control plane path (advanced inspection).

Application inspection is not supported in TCP state bypass as Application inspection requires both inbound and outbound traffic to go through the same adaptive security appliance, so application inspection is not supported with TCP state bypass.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html#wp1087329