cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
789
Views
0
Helpful
4
Replies

Running ASA as a router

oldcreek12
Level 1
Level 1

Hi, we have a situation that we need to run ASA as a router. Here is the situation, we have two sites connected via a private p2p link, we also have ASA5520 in each site and we have L2L IPsec tunnel over Internet, we want to failover to IPsec over Internet pipe in case p2p link fails. With BFD/OSPF this design works at L3 level. But we have problem to keep existing TCP connections when failover happens, the reason is, I believe, when ASA sees a new connection coming in without seeing  SYNC flag in the packet, it will not create a connection entry and drop the packet unless a new connection is initiated from either side. So my question is, is there anyway I can configure ASA to behave more like a L3 device, ideally to turn off L4 checking for IPsec traffic? or what other option do I have?

4 Replies 4

Hi,

The ASA is not meant to behave as a Router, however you can add some rules to let SYNC flag packets to pass through even if the session was not initiated from a known network.

ASA 8.2.X TCP State Bypass Feature Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

However, I am not sure if this will actually achieve your goal.

Keep me posted.

Please rate any post that you find helpful.

Thank you so much for the link, looks like this is exactly what I am looking for, I will update the thread after I try it out.


I totally agree with you that ASA is not meant to behave as a router, but when situation changes (in our case p2p link was added later), we want to utilize existing equipment as more as possible in stead of purchasing new equipment.

I am glad to hear that.

Keep us posted.

* Please rate any post that you find useful.

Hi,

I wonder if you could mark this as an answered question for the time being.

I appreciate your time.

Please rate any post you find helpful.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: