02-23-2009 08:32 AM - edited 03-11-2019 07:55 AM
Our firewall currently blocks traffic destined for our VPN server based on TCP inspection.
Essentially, data traverses the VPN to a server on a remote subnet, but on return it routes to the firewall and then back to the VPN. However, the ASA rejects this, as it did not see the original SYN.
ICMP works okay.
How can I turn off this type of TCP inspection for specific subnets and data only?
Thanks.
03-02-2009 03:46 PM
You may try issuing the following command to disable the TCP inspection.
no ip inspect name inspection-name protocol
03-02-2009 08:49 PM
I don't think it's possible. Why don't you try to bypass the firewall for the return traffic?
03-02-2009 09:10 PM
I agree with Vikram. The ASA will discard a TCP packet that has no associated connection within the conn table. The ASA will look for a SYN flag within the inbound packet to establish a new connection. If there is no existing connection or SYN flag for that packet, the ASA will drop it.
If the ASA is indeed dropping the packets you could enable logging on the firewall to verify.
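As an added example, not from any poster in this thread: the ASA-native way to exempt specific flows from the SYN check described above is TCP state bypass, available from ASA 8.2(1) onward. The subnets, object names and the interface name below are assumed placeholders.

```text
! Match only the asymmetric flows: VPN-side subnet <-> remote server subnet (placeholder addresses)
access-list TCP_BYPASS extended permit tcp 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list TCP_BYPASS extended permit tcp 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
!
! Everything else keeps full stateful TCP checking; only this class skips the SYN requirement
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the non-SYN return packets arrive (interface name assumed)
service-policy TCP_BYPASS_POLICY interface inside
!
! Verification before and after the change: the drops appear as
! "Deny TCP (no connection)" syslog %ASA-6-106015 and as the tcp-not-syn counter in
! show asp drop
```

Keep the access list as narrow as possible: flows in this class lose the ASA's TCP normalization and sequence checking, so it should match only the known asymmetric subnets.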