I've configured an ASA 5510 FW with asa901-k8 IOS. On its "inside" port there is the 10.90.0.0 network. There is another network (10.190.0.0) in my system that can be reached via another router, which has the IP address 10.90.0.253. When a client in the 10.90 network wants to reach the 10.190 network, the FW redirects the request to the router (10.90.0.253), because the FW is my gateway. There is no problem so far... but... while I can ping and traceroute a 10.190... user from the 10.90... network, I can't use any non-ICMP applications. For example, I can't use RDP programs or the HTTP web interfaces of some devices on the remote network (10.190.0.0). What can cause that? Is there any rule in the ASA that blocks these protocols?
Is there any ACL on the router interfaces that may be blocking? Does everything work on the local network? Post the config of your router here. We can help much better.
Sent from Cisco Technical Support iPhone App
From my understanding, when a client in the 10.90 network wants to reach the 10.190 network, the traffic flow will be:
10.90 client (possibly TCP SYN) -> firewall -> router -> 10.190 client.
But the 10.190 client will return traffic in this direction:
10.190 client (possibly TCP SYN ACK) -> router -> 10.90 client.
At this point, the firewall sees an asymmetrical TCP connection and tries to protect the network by denying further traffic (denying the TCP ACK).
Here is a link to help you understand ASA asymmetric routing protection:
To temporarily work around this until the asymmetry can be fixed, enable TCP State Bypass:
Please remember this is a bad design. A user VLAN should have only one gateway. You could place the router in another firewall zone.
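The TCP State Bypass configuration the answer above refers to, as an added example that is not part of the original thread or of Cisco's documentation. It assumes the ASA interface facing the 10.90.0.253 router is named "inside", that both networks are /16 (the question gives no masks), and the names tcp_bypass_acl, tcp_bypass_class and inside_policy are hypothetical; the bypass is scoped to the asymmetric 10.90 <-> 10.190 flows only, so all other traffic keeps full stateful inspection.

```cisco
! Added example (not from the original thread): TCP State Bypass on an ASA,
! scoped to the asymmetric 10.90 <-> 10.190 TCP flows only.
! Assumptions: interface name "inside", /16 masks for both networks, and
! hypothetical object names tcp_bypass_acl / tcp_bypass_class / inside_policy.
!
! 1. Match only the traffic that takes the asymmetric path, in both directions,
!    so nothing else loses stateful protection.
access-list tcp_bypass_acl extended permit tcp 10.90.0.0 255.255.0.0 10.190.0.0 255.255.0.0
access-list tcp_bypass_acl extended permit tcp 10.190.0.0 255.255.0.0 10.90.0.0 255.255.0.0
!
class-map tcp_bypass_class
 match access-list tcp_bypass_acl
!
! 2. Stop tracking TCP state for that class. Note this also disables TCP
!    normalization, sequence number randomization and application inspection
!    for the matched flows; the SYN seen by the ASA no longer requires the
!    SYN-ACK to pass through it, so the client's ACK is forwarded.
policy-map inside_policy
 class tcp_bypass_class
  set connection advanced-options tcp-state-bypass
!
! 3. Attach it to the interface where the asymmetric flows enter the ASA.
!    An interface takes exactly one service policy; if "inside" already has
!    one, add the class to that existing policy-map instead of a new one.
service-policy inside_policy interface inside
!
! Verification after a test RDP or HTTP connection from 10.90 to 10.190:
!   show service-policy interface inside          (hit counters for tcp_bypass_class)
!   show conn address 10.190.0.0 255.255.0.0      (bypassed connections carry the "b" flag)
!   show asp drop                                 (before the change, the failing
!                                                  handshakes typically show up as
!                                                  tcp-3whs-failed / tcp-not-syn drops)
```

Treat this as the stop-gap the answer describes, not the fix: while it is in place the ASA cannot validate the 10.90 <-> 10.190 TCP sessions at all. The permanent fix is the design change the answer names, i.e. moving the 10.190 router onto its own ASA interface (zone) so that both directions of every connection traverse the firewall, after which the bypass policy should be removed.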