04-19-2016 11:01 AM - edited 03-05-2019 03:50 AM
Hi, I have a Cisco ASA 1 in Data Center 1 and a Cisco ASA 2 in Data Center 2.
I am asked to do BGP with a client with load balancing, and there is a chance that traffic going out to the client via ASA 1 will come back to me from the other ASA 2.
Does Cisco ASA support this?
I can't seem to find such a design on the internet.
04-19-2016 11:21 AM
04-20-2016 10:10 AM
You can do that, because of the 3-way handshake, if you disable the 3-way handshake inspection, the thing called
TCP - reject non-SYN first packet: yes
@Palo Alto, my friends
If you do not disable this 3-way handshake inspection, your initial setup flow will be broken because of NOT receiving a handshake on the initial setup firewall.
Kind Regards
Jan Meylaers
04-20-2016 08:23 AM
Normally you cannot do that, because during the 3-way handshake ASA 1 is not going to receive the ACK, so after the host sends back the SYN/ACK the ASA is going to block it. But there is an option.
You need to create a service policy rule, select the interface (INSIDE), select source and destination address as the match criteria, create the ACCESS RULE according to your address design, and after that select the CONNECTION SETTINGS tab and click the option TCP STATE BYPASS.
You also need to do something similar on ASA 2, but on the outside interface.
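The ASDM steps in the reply above, written out as the equivalent ASA CLI configuration. This is an added example, not configuration posted by anyone in the thread: the interface names (inside/outside), the access-list, class-map and policy-map names, and the networks 10.1.1.0/24 (your hosts) and 192.168.10.0/24 (the client) are placeholders to be replaced with your own addressing. ASA 1 applies the bypass on its inside interface, where the outbound SYN enters; ASA 2 applies it on its outside interface, where the client's SYN/ACK arrives with no matching connection.

```text
! ASA 1: outbound half of the asymmetric flow (bypass on inside)
access-list TCP_BYPASS extended permit tcp 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
class-map TCP_BYPASS
 match access-list TCP_BYPASS
policy-map INSIDE_POLICY
 class TCP_BYPASS
  set connection advanced-options tcp-state-bypass
service-policy INSIDE_POLICY interface inside
!
! ASA 2: return half of the asymmetric flow (bypass on outside)
access-list TCP_BYPASS_RETURN extended permit tcp 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
class-map TCP_BYPASS_RETURN
 match access-list TCP_BYPASS_RETURN
policy-map OUTSIDE_POLICY
 class TCP_BYPASS_RETURN
  set connection advanced-options tcp-state-bypass
service-policy OUTSIDE_POLICY interface outside
!
! ASA 2 still enforces the interface ACL on packets it has no connection for,
! so the client's replies must be permitted inbound on outside as well
access-list OUTSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
```

Two cautions before deploying this. TCP state bypass switches off the stateful TCP checks (SYN requirement, sequence number tracking, TCP normalization) for every flow the class-map matches, so keep the access-list as narrow as your addressing allows rather than permitting `any any`; with the checks off, a non-SYN packet from a spoofed source inside the matched range is enough to create a connection. After applying the policy, `show service-policy interface inside` (and the same for outside on ASA 2) shows the class and its packet counts, which is the quickest way to confirm that the asymmetric flows are actually hitting the bypass class instead of being dropped.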