Asymmetric routing through ASA 8.0

Unanswered Question
Feb 23rd, 2009

Our firewall currently blocks traffic destined for our VPN server based on TCP inspection.

Essentially, data traverses the VPN to a server on a remote subnet, but on return it routes to the firewall and then back to the VPN. However, the ASA rejects this as it did not see the original SYN.

ICMP works okay.

How can I turn off this type of TCP inspection for specific subnets and data only?


Anonymous (not verified) Mon, 03/02/2009 - 15:46

You may try issuing the following command to disable the TCP inspection.

no ip inspect name inspection-name protocol

vikram_anumukonda Mon, 03/02/2009 - 20:49

I don't think it's possible; why don't you try to bypass the firewall for the return traffic?

jason.espino Mon, 03/02/2009 - 21:10

I agree with Vikram. The ASA will discard a TCP packet that has no associated connection within the conn table. The ASA will look for a SYN flag within the inbound packet to establish a new connection. If there is no existing connection or SYN flag for that packet, the ASA will drop it.

If the ASA is indeed dropping the packets you could enable logging on the firewall to verify.
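As an added illustration that is not part of this thread, the conn-table check described in the answer above, modelled in Python: only a pure SYN creates an entry, everything else must match one, so return traffic that enters the firewall without the original SYN is denied. The bypass subnet list is a hypothetical policy in the model (not an ASA command), and all addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class StatefulFirewall:
    """Minimal model of the conn-table check: only a pure SYN builds a
    connection; every other TCP packet must match an existing one."""
    bypass: list = field(default_factory=list)  # hypothetical: subnets exempt from the check
    conns: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def forward(self, pkt: Packet) -> bool:
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})  # direction-independent
        if any(ip_address(pkt.src) in ip_network(n) or ip_address(pkt.dst) in ip_network(n)
               for n in self.bypass):
            return True  # bypassed flows keep no state and need no SYN
        if pkt.syn and not pkt.ack:
            self.conns.add(key)  # SYN seen: build the connection
            return True
        if key in self.conns:
            return True
        self.log.append(f"Deny TCP (no connection) from {pkt.src}/{pkt.sport} to {pkt.dst}/{pkt.dport}")
        return False


def replay(fw: StatefulFirewall, sees_syn: bool) -> list:
    """Client 10.1.0.9 -> server 10.2.0.5:443 (constructed). With sees_syn=False
    the SYN went over the VPN and only the return traffic crosses the firewall."""
    syn = Packet("10.1.0.9", "10.2.0.5", 51000, 443, syn=True)
    syn_ack = Packet("10.2.0.5", "10.1.0.9", 443, 51000, syn=True, ack=True)
    data = Packet("10.2.0.5", "10.1.0.9", 443, 51000, ack=True)
    pkts = ([syn] if sees_syn else []) + [syn_ack, data]
    return [fw.forward(p) for p in pkts]


if __name__ == "__main__":
    print("symmetric:", replay(StatefulFirewall(), sees_syn=True))
    print("asymmetric:", replay(StatefulFirewall(), sees_syn=False))
    print("asymmetric + bypass:", replay(StatefulFirewall(bypass=["10.2.0.0/16"]), sees_syn=False))
```

The denied packets land in `fw.log`, which is the kind of record the answer suggests checking on the real firewall to confirm the drops.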
