ASA 5520 - Need to allow out-of-state traffic

Unanswered Question
Apr 24th, 2007

I have a temporary situation where I need to allow traffic where both tx and rx do not take the same path.

Sometimes the originating traffic will go through the ASA, and sometimes the return traffic will go through the ASA.

Please don't tell me that I need to create two-way rules! Please tell me that there is a magical one-liner or a checkbox somewhere to allow this.

amritpatek Thu, 05/03/2007 - 05:59

To my knowledge, only in BGP can you set the rules in a policy map for applying the rules to its attributes. In PIX, other than an access list to apply the rules on an interface, it may end up with your solution.

nms@perfectserve.net Thu, 05/03/2007 - 07:16

Here's what it takes to allow out-of-state traffic (or asymmetrical routing, as I've seen Cisco refer to it).

static (,) netmask norandomseq nailed

failover timeout -1

Example

static (server-net-a,server-net-b) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 norandomseq nailed

static (server-net-b,server-net-a) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 norandomseq nailed

failover timeout -1
