Hi all. In our company we have recently upgraded our firewall from PIX 515 to ASA 5520 and we have started experiencing an odd thing happening. On one of the sites we host I have observed a lot of MSS exceeded messages popping up, and I believe they are the source of the problem when surfing the site (surfing mostly works fine but sometimes people can't content etc.).
I have found the Cisco workaround for this problem using MPF, but one thing confuses me. If I apply an MPF for allowing larger MSS on the outside interface of the ASA, does that policy conflict with the global policy that is on the ASA by default, or can they both exist at the same time?
Thanks in advance for any help.
You can have one policy per interface and another one, global, that by default applies to default-inspection-traffic.
Check http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html for further details.
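An added configuration sketch (not part of the original posts) of the setup discussed above: an MSS-exceed policy bound to the outside interface, next to the default global policy. The names MSS-EXCEED-ACL, MSS-EXCEED-CLASS, MSS-EXCEED-POLICY and MSS-MAP are hypothetical, and 192.0.2.10 is a placeholder for the hosted web server.

```cisco
! Assumption: 192.0.2.10 is a placeholder for the affected web server.
! Match only that server on TCP/80 so the relaxed check is not applied
! to every connection crossing the outside interface.
access-list MSS-EXCEED-ACL extended permit tcp any host 192.0.2.10 eq www
!
class-map MSS-EXCEED-CLASS
 match access-list MSS-EXCEED-ACL
!
! TCP normalizer setting: pass segments larger than the advertised MSS
! instead of dropping them.
tcp-map MSS-MAP
 exceed-mss allow
!
policy-map MSS-EXCEED-POLICY
 class MSS-EXCEED-CLASS
  set connection advanced-options MSS-MAP
!
! Interface policy: one service-policy per interface.
service-policy MSS-EXCEED-POLICY interface outside
!
! Default global policy, left unchanged (its inspect lines are omitted here).
! class-map inspection_default
!  match default-inspection-traffic
! policy-map global_policy
!  class inspection_default
! service-policy global_policy global
```

For a given feature, an interface service policy takes precedence over the global one; here the interface policy sets only TCP normalization options, so the global policy's inspections still apply on that interface. `show service-policy interface outside` shows the counters for the interface policy once traffic matches the class.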