I have a question. In a test environment, I mounted the topology as in the attached file, and after inserting the route to 172.16.2.0/24 via 192.168.0.10 the ping command works, but any connection-oriented protocol does not work. I monitored with the debug command and noticed that the packet leaves the station with IP address 192.168.1.3 to the IP address 172.16.2.2 successfully, the packet with the SYN flag arrives, and when the 172.16.2.2 server responds with the ACK flag it returns without problems. But when the station with IP address 192.168.1.3 returns the packet with the SYN/ACK flag, the Cisco ASA receives the packet, and as the ACK is not returned by the ASA, the Cisco ASA seems to lose the packet and execute a teardown, and the connection is not completed. I believe this is because the Cisco ASA can understand this behavior as a man-in-the-middle attack. Is there a way to disable that check in the Cisco ASA? I ask at the level of knowledge, because this scenario will not be used.
8.4 is not a valid ASA version. You may be running 8.0(4). This TCP State Bypass feature is available in 8.2(1) or later.
'permit ip any any' simply states that all UDP and TCP connections are permitted. However, the ASA will still inspect both connections for state and other security checks. In the case of TCP, the first packet MUST be a SYN. Otherwise, without the SYN, we should never see a SYN-ACK. A syslog message, 'Deny TCP (no connection)', would result if we saw the SYN-ACK without the SYN packet.
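To make the behaviour described in the reply above concrete, here is an added Python model of the ASA's stateful TCP check. It is not Cisco's code and not part of this thread; it is a deliberately simplified connection table whose only rules are the ones the reply states: the first packet of a flow must be a SYN, a SYN-ACK (or anything else) with no matching connection entry is dropped and logged as "Deny TCP (no connection)", and flows matched by a bypass ACL are forwarded statelessly, the way a class with TCP state bypass applied would be. The addresses are the ones from the question; the port numbers and the syslog wording after "Deny TCP (no connection)" are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """One TCP segment as the firewall sees it (constructed test data)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def tcp(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


@dataclass
class AsaModel:
    """Simplified model of ASA TCP connection tracking (not Cisco's code).

    bypass_acl lists (src_net, dst_net) pairs whose flows are treated as
    tcp-state-bypass: forwarded without a SYN check or a connection entry.
    """
    bypass_acl: list = field(default_factory=list)
    conns: dict = field(default_factory=dict)   # 4-tuple -> handshake state
    syslog: list = field(default_factory=list)

    def _bypassed(self, p):
        s, d = ip_address(p.src), ip_address(p.dst)
        return any((s in a and d in b) or (s in b and d in a)
                   for a, b in self.bypass_acl)

    def handle(self, p):
        """Return True if the segment is forwarded, False if it is dropped."""
        if self._bypassed(p):
            return True                            # stateless: no SYN required
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns:                      # initiator -> responder
            if self.conns[fwd] == "SYN_RCVD" and "ACK" in p.flags:
                self.conns[fwd] = "ESTABLISHED"    # three-way handshake done
            return True
        if rev in self.conns:                      # responder -> initiator
            if self.conns[rev] == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
                self.conns[rev] = "SYN_RCVD"
            return True
        if p.flags == {"SYN"}:                     # first packet must be a SYN
            self.conns[fwd] = "SYN_SENT"
            return True
        # No entry and not a SYN: this is the 'Deny TCP (no connection)' case.
        self.syslog.append(
            f"Deny TCP (no connection) from {p.src}/{p.sport} to "
            f"{p.dst}/{p.dport} flags {' '.join(sorted(p.flags))}")
        return False


# Constructed handshake for the hosts named in the question; port 22 is assumed.
CLIENT, SERVER = "192.168.1.3", "172.16.2.2"
SYN = tcp(CLIENT, 40000, SERVER, 22, "SYN")
SYN_ACK = tcp(SERVER, 22, CLIENT, 40000, "SYN", "ACK")
ACK = tcp(CLIENT, 40000, SERVER, 22, "ACK")


def run_symmetric():
    """All three handshake segments cross the ASA: the entry reaches ESTABLISHED."""
    asa = AsaModel()
    verdicts = [asa.handle(p) for p in (SYN, SYN_ACK, ACK)]
    return verdicts, asa.conns[(CLIENT, 40000, SERVER, 22)]


def run_asymmetric(bypass):
    """The SYN took another path, so the ASA's first sight of the flow is the SYN-ACK."""
    acl = ([(ip_network("192.168.1.0/24"), ip_network("172.16.2.0/24"))]
           if bypass else [])
    asa = AsaModel(bypass_acl=acl)
    verdicts = [asa.handle(p) for p in (SYN_ACK, ACK)]
    return verdicts, asa.syslog


if __name__ == "__main__":
    print("symmetric :", run_symmetric())
    print("asymmetric:", run_asymmetric(bypass=False))
    print("bypass    :", run_asymmetric(bypass=True))
```

Running it shows the two outcomes side by side: without bypass the SYN-ACK and the following ACK are both dropped and each produces a "Deny TCP (no connection)" line, which is the symptom in the question; with the 192.168.1.0/24 to 172.16.2.0/24 flow in the bypass ACL they are forwarded and no connection entry is kept. On a real ASA the equivalent is a policy-map class whose action is `set connection advanced-options tcp-state-bypass`, applied with `service-policy` to the interface; the trade-off is that those flows lose the SYN check and the rest of the TCP normalisation, so the class should be scoped to the asymmetric subnets only.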