Intra-Interface Communications

Answered Question
Jul 12th, 2010

Hello,


I have a problem with communications through the ASA to the MS Exchange server.

I'm testing a new connection to the internet, and the ASA is the default gateway for my VLAN (user VLAN).

It's a similar problem to the one described in this doc: 'http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a0080734db7.shtml'

The difference is that I'm connected to an L3 switch, but it doesn't matter in this situation.

All services (DNS, DHCP) in the LAN work, but I have a problem with the connection to the Exchange server only.

The mentioned services are VLAN-separated, and on the ASA static routing is added to these networks.

I have no ACL blocking traffic on the inside interface.


Does anyone have a similar problem?







Correct Answer by Nagaraja Thanthry about 6 years 8 months ago

Hello,


Seems like you are referring to an asymmetric routing problem. In such a situation, all non-connection-oriented traffic will work fine. But connection-oriented traffic (TCP based) will suffer. You have a couple of options. The easiest one is to make the L3 switch the gateway for your Exchange server. This way, the switch will make the routing decision for the Exchange traffic and will deliver all local LAN traffic to the respective VLAN interfaces and internet traffic to the firewall. The other option, if you are running the 8.2 code version, is to configure TCP state bypass. This will ask the firewall not to keep track of the TCP state of certain traffic. Here is a document that outlines the configuration requirements for TCP state bypass.


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf


Hope this helps.


Regards,


NT
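As an added example that is not from the thread or the linked Cisco document, this is the TCP state bypass configuration the answer describes, in ASA 8.2 MPF syntax; the addresses and the ACL/class/policy names are constructed assumptions.

```cisco
! Constructed addresses (assumptions, not from the thread):
!   10.0.20.0/24  = user VLAN behind the inside interface
!   10.0.10.5     = Exchange server on a separate VLAN
! Match both directions of the Exchange TCP traffic, and nothing else.
access-list EXCH-BYPASS extended permit tcp 10.0.20.0 255.255.255.0 host 10.0.10.5
access-list EXCH-BYPASS extended permit tcp host 10.0.10.5 10.0.20.0 255.255.255.0
!
class-map EXCH-BYPASS-CLASS
 match access-list EXCH-BYPASS
!
policy-map INSIDE-POLICY
 class EXCH-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the asymmetric flows arrive.
! (Only one service-policy is allowed per interface: if one already exists,
!  add the class to that policy-map instead of creating a new one.)
service-policy INSIDE-POLICY interface inside
!
! Checks:
!   show service-policy interface inside   (packet counters for the class increase)
!   show conn                              (bypassed connections carry the "b" flag)
```

Flows matched by the class skip the ASA's TCP state checking and normalization, so keep the ACL limited to the Exchange server rather than the whole VLAN.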

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Nagaraja Thanthry Mon, 07/12/2010 - 05:49
User Badges:
  • Cisco Employee,

Hello,


Seems like you are referring to Assymmetric routing problem. In such a situation, all non-connection oriented traffic will work fine. But conneciton oriented traffic (TCP based) will suffer. You have couple of options. The easiest one is to make the L3 switch as the gateway for your exchange server. This way, the switch will make the routing decision for the exchange traffic and will deliver all local lan traffic to respective VLAN interfaces and internet traffic to the firewall. The other option, if you are running 8.2 code version, is to configure TCP state bypass. This will ask the firewall not to keep track of the TCP status of certain traffic. Here is a document that outlines the configuration requirements for TCP State bypass.


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf


Hope this helps.


Regards,


NT

wkamil123 Mon, 07/12/2010 - 07:46
User Badges:

The TCP state bypass resolved the problem.

Thanks for your help.


Regards, Kamil
