normally you can not do that,

ahmad82pkn · ‎04-19-2016

Hi, i have a Cisco ASA 1 in Data Center 1 and Cisco ASA 2 in Data center 2.

i am asked to do BGP with client with load balancing and there is chance that traffic going out to client via ASA 1 will come back to me from other ASA 2.

Does Cisco ASA support this ?

cant seem to find such design on internet.

ahmad82pkn · ‎04-19-2016

found. it. thanx http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html

Meylaers Jan · ‎04-20-2016

you can do that because of the 3 way handshake if you disable the 3 way handshake inspection thing called

TCP - reject non-SYN first packet: yes

@palo alto my friends

if you not disable this 3 way handshake inspection your initial setup flow will be broken down because of NOT receiving a handshake on the initial setup firewall.

Kind Regards

Jan Meylaers

Julio Cesar Brochero Bravo · ‎04-20-2016

normally you can not do that, because during the 3-way handshake the ASA I is not going to receive the ACK, so after the host send back SYN/ACK the ASA is going to block. but there is an option.

you need to create a servive policy rule, select the interface (INSIDE), select as match criteria, source and destination address, create the ACCESS RULE according with you address design, and after that select the TAB CONNECTION SETTING, and click in the option TCT STATE BYPASS.

also you need to do something similar in the ASA 2, but in the outside interface.

assymetric routing across two firewalls?