The 192.168.1.0/24 network needs to talk to the 172.16.10.0/24 network; the default gateway of the 192.168.1.0/24 machines is the inside interface of the ASA (192.168.1.1).
By default the ASA won't allow traffic to leave on the same interface it entered. So when 192.168.1.0/24 machines try to reach the 172.16.10.0/24 subnet, here is how the communication happens:
- 192.168.1.10 (any machine on the 192.168.1.0/24 network with its gateway set to 192.168.1.1) opens a TCP connection to 172.16.10.10 (a machine on the 172.16.10.0/24 subnet). The initial SYN packet of the TCP 3-way handshake goes through the ASA, which has a route to the 172.16.10.0/24 network pointing to 126.96.36.199.
- By default the ASA won't allow this u-turn. We can add the following command to override this behavior:
- Because of the above command, the ASA forwards the SYN packet to 192.168.1.254, which in turn forwards it to the actual destination 172.16.10.10.
- 172.16.10.10 responds with a SYN,ACK destined to 192.168.1.10. This packet arrives at the router, and since 192.168.1.0/24 is directly connected to it, instead of sending the packet to the ASA the router ARPs for 192.168.1.10 and delivers it directly to the machine (assuming proxy ARP on the inside interface is disabled).
- 192.168.1.10 sends the ACK (third packet of the TCP 3-way handshake), again through the ASA; but since the ASA has not seen the SYN,ACK for this connection it drops the ACK, and the communication fails.
Here are the commands we can add on the ASA to accomplish this:
Configuring TCP-STATE-BYPASS on the ASA: the norandomseq nailed command is deprecated, and this feature is now used to accomplish the same thing. With the config below we also no longer need the "failover timeout" command.
NOTE: Match only the traffic that actually needs it. For flows matching this class the ASA checks only the interface ACL; every other security check is disabled for that traffic.
The complete configuration (the class-map and policy-map wrappers, which the original listing left out, are filled in so the lines apply as a unit):
access-list TCP-STATE-BYPASS permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
class-map TCP-STATE-BYPASS
 match access-list TCP-STATE-BYPASS
policy-map inside_policy
 class TCP-STATE-BYPASS
  set connection advanced-options tcp-state-bypass
service-policy inside_policy interface inside
With the config above the ASA allows asymmetric routing for this flow.
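To make the handshake argument above concrete, here is an added Python model of how a stateful firewall tracks the 3-way handshake; it is not part of the original post and not ASA code, and the class and function names, packet representation and host addresses are constructed for the illustration. It replays the flow described above with tcp-state-bypass off (the ACK is dropped) and on (the ACK passes, with only the ACL match applied).

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src dst flags")  # flags: frozenset of TCP flag names

@dataclass
class StatefulFirewall:
    """Minimal model of stateful TCP handshake tracking (constructed, not ASA code)."""
    bypass_acl: list = field(default_factory=list)  # (src_net, dst_net) pairs in the bypass ACL
    conns: dict = field(default_factory=dict)       # (client, server) -> handshake state

    def _bypassed(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                   for s, d in self.bypass_acl)

    def forward(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        if self._bypassed(pkt):
            return True  # bypass: no handshake tracking, only the interface ACL applies
        if pkt.flags == {"SYN"}:
            self.conns[(pkt.src, pkt.dst)] = "SYN_SEEN"
            return True
        if pkt.flags == {"SYN", "ACK"}:
            key = (pkt.dst, pkt.src)  # reply direction: server -> client
            if self.conns.get(key) == "SYN_SEEN":
                self.conns[key] = "SYNACK_SEEN"
                return True
            return False
        if pkt.flags == {"ACK"}:
            key = (pkt.src, pkt.dst)
            if self.conns.get(key) == "SYNACK_SEEN":
                self.conns[key] = "ESTABLISHED"
                return True
            return False  # ACK for a handshake the firewall never saw complete
        return False

def asymmetric_handshake(bypass_enabled):
    """Replay the post's flow: SYN and ACK cross the firewall, but the SYN,ACK
    returns via the router straight to the client, so the firewall never sees it."""
    acl = [("192.168.1.0/24", "172.16.10.0/24")] if bypass_enabled else []
    fw = StatefulFirewall(bypass_acl=acl)
    client, server = "192.168.1.10", "172.16.10.10"
    syn_ok = fw.forward(Packet(client, server, frozenset({"SYN"})))
    # SYN,ACK from 172.16.10.10 goes router -> client directly; the firewall is not on that path
    ack_ok = fw.forward(Packet(client, server, frozenset({"ACK"})))
    return {"SYN": syn_ok, "ACK": ack_ok}
```

Without bypass the result is {"SYN": True, "ACK": False}, matching the dropped third packet described above; with bypass both are True.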