I have been looking into the new TCP state bypass feature in ASA 8.2.1 and I have a few questions that I can't seem to find information about in the docs:
1. Does TCP State Bypass remove all stateful inspection? ie would I need to allow response traffic in the ACL
access-list out permit tcp any any eq www
access-list out permit tcp any eq www any
access-list out permit udp any any eq domain
access-list out permit udp any eq domain any
2. The docs state that TCP state bypass can be enabled for only certain connections. Is application inspection disabled for all connections or just for the specific connections that were set up for TCP state bypass?
It does not remove all statefull inspection. By default, all traffic that goes through the adaptive security appliance is inspected using the Adaptive Security Algorithm and is either allowed through or dropped based on the security policy. The adaptive security appliance maximizes the firewall performance by checking the state of each packet (is this a new connection or an established connection?) and assigning it to either the session management path (a new connection SYN packet), the fast path (an established connection), or the control plane path (advanced inspection).
Application inspection is not supported in TCP state bypass as Application inspection requires both inbound and outbound traffic to go through the same adaptive security appliance, so application inspection is not supported with TCP state bypass.