Asymmetric routing through ASA 8.0

mikedelafield
Level 1

Our firewall currently blocks traffic destined for our VPN server based on TCP inspection.

Essentially, data traverses the VPN to a server on a remote subnet, but on return it routes to the firewall and then back to the VPN. However, the ASA rejects this as it did not see the original SYN.

ICMP works okay.

How can I turn off this type of TCP inspection for specific subnets and data only?

Thanks.

3 Replies

Not applicable

You may try issuing the following command to disable the TCP inspection.

no ip inspect name inspection-name protocol

I don't think it's possible. Why don't you try and bypass the firewall for the return traffic?

I agree with Vikram. The ASA will discard a TCP packet that has no associated connection within the conn table. The ASA will look for a SYN flag within the inbound packet to establish a new connection. If there is no existing connection or SYN flag for that packet, the ASA will drop it.

If the ASA is indeed dropping the packets you could enable logging on the firewall to verify.
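The logging check suggested above can be scripted. The following is an added example, not code from the thread or from Cisco: it parses the standard ASA syslog message %ASA-6-106015 ("Deny TCP (no connection) from ... flags ... on interface ...") out of a log export and counts, per source/destination pair and interface, the packets the ASA refused because they were not a SYN and matched no conn-table entry. That pattern (ACK/PSH ACK arriving with no prior SYN on the same box) is exactly the symptom of the asymmetric return path described in the question. The log lines are constructed for the example; the hosts, ports and interface names are assumptions.

```python
"""Spot ASA 'Deny TCP (no connection)' drops in syslog output.

Added example, not from the thread or from Cisco. It assumes the standard
wording of the ASA syslog message %ASA-6-106015 and works on constructed
sample log lines (the addresses, ports and interface names are made up).
"""
import re
from collections import Counter

# %ASA-6-106015: Deny TCP (no connection) from SRC/PORT to DST/PORT flags FLAGS on interface IFACE
# The severity digit and any timestamp/hostname prefix are tolerated via re.search().
NO_CONN_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample: one normal conn build/teardown plus three return-path
# packets for sessions whose SYN the ASA never saw (assumed addresses).
SAMPLE_LOG = """\
Jan 12 2009 10:22:01: %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/51200 (203.0.113.10/51200) to inside:10.10.10.5/443 (10.10.10.5/443)
Jan 12 2009 10:22:01: %ASA-6-106015: Deny TCP (no connection) from 10.10.10.5/443 to 172.16.50.20/51201 flags ACK on interface inside
Jan 12 2009 10:22:02: %ASA-6-106015: Deny TCP (no connection) from 10.10.10.5/443 to 172.16.50.20/51201 flags PSH ACK on interface inside
Jan 12 2009 10:22:03: %ASA-6-106015: Deny TCP (no connection) from 10.10.10.5/443 to 172.16.50.21/51330 flags ACK on interface inside
Jan 12 2009 10:22:05: %ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.10/51200 to inside:10.10.10.5/443 duration 0:00:04 bytes 1530 TCP FINs
"""


def parse_no_connection_drops(log_text):
    """Return one dict per 106015 drop found in log_text; other messages are ignored.

    Each dict carries src, sport, dst, dport, iface and a list of TCP flag names.
    """
    drops = []
    for line in log_text.splitlines():
        m = NO_CONN_RE.search(line)
        if m:
            d = m.groupdict()
            d["flags"] = d["flags"].split()
            drops.append(d)
    return drops


def summarize_asymmetric_flows(drops):
    """Count drops per (src_host, dst_host, iface) whose packet carried no SYN.

    A SYN would have created a conn entry, so a dropped SYN is a policy deny,
    not an asymmetry symptom; everything else here is the return leg of a
    session the ASA never saw opened. Returns {(src, dst, iface): count}.
    """
    counts = Counter()
    for d in drops:
        if "SYN" in d["flags"]:
            continue
        counts[(d["src"], d["dst"], d["iface"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, dst, iface), n in sorted(summarize_asymmetric_flows(
            parse_no_connection_drops(SAMPLE_LOG)).items()):
        print(f"{n:4d} non-SYN packets from {src} to {dst} dropped on {iface} (no conn entry)")
```

On the box itself the same drops show up as the "tcp-not-syn" counter in `show asp drop`, which is the quickest confirmation that the state check, not an ACL, is what is rejecting the return traffic. Note that the per-flow TCP state bypass feature that relaxes this check only appeared in ASA 8.2(1); on 8.0, as the replies say, the practical fix is to keep both directions of the flow on the same path or off the ASA entirely.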
