Cisco Support Community


ASA Stateful Bypass

Hi All,

Due to some asymmetric routing issues I need to allow some traffic through the ASA and bypass the stateful workings of the FW. I am unable to amend the routing due to other issues, which is not ideal, so this seems to be my only option for now. The ASA is running in transparent mode acting as an IPS.

I have the following (see below) and just applied it globally. I basically want connections coming into the FW from "any" to "" and from "" to "any" to be allowed. It doesn't seem to be working though, as ICMP traffic doesn't seem to be replying. I can see the following in the ASA logs:

Built inbound ICMP connection for faddr gaddr laddr

Aug 26 2014 15:22:05: %ASA-4-313004: Denied ICMP type=0, from laddr on interface ***VLAN_450_WAN_INSIDE*** to no matching session

%ASA-4-313004: Denied ICMP type=0, from laddr on interface ***VLAN_450_WAN_INSIDE*** to no matching session

My current config is below.

access-list CV_BYPASS line 1 extended permit ip any host (hitcnt=364) 0x4fb7318e
access-list CV_BYPASS line 2 extended permit icmp any host (hitcnt=0) 0x22bf3de0
access-list CV_BYPASS line 3 extended permit ip host any (hitcnt=9) 0x5072ed00
access-list CV_BYPASS line 4 extended permit icmp host any (hitcnt=0) 0xad56199a


policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map MY-IDS-POLICY
  ips promiscuous fail-open sensor vs0
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect icmp
 class tcp-traffic
  set connection advanced-options allow-probes
 class CV_BYPASS
  set connection timeout idle 0:10:00
  set connection advanced-options tcp-state-bypass

class-map CV_BYPASS
 match access-list CV_BYPASS
class-map MY-IPS-CLASS
 match access-list SSM-IPS
class-map tcp-traffic
 match access-list tcp-traffic
class-map inspection_default
 match default-inspection-traffic
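Two things in the posted output are worth checking mechanically before touching the policy. First, `show access-list` reports hitcnt=0 on the two `permit icmp` ACEs (lines 2 and 4): the ASA evaluates an ACL top down and stops at the first match, and `permit ip` on lines 1 and 3 already matches ICMP, so lines 2 and 4 can never be hit. Second, the `%ASA-4-313004 ... no matching session` lines are ICMP echo replies (type 0) arriving on an interface where ICMP inspection found no matching echo request, which is exactly the symptom of an asymmetric path; note that `tcp-state-bypass`, as its name says, relaxes state tracking for TCP only. The script below is an added example written for this page, not code from the poster or from Cisco. It parses `show access-list` output to report shadowed ACEs and counts 313004 events per interface and ICMP type from syslog lines. Both inputs are constructed to mirror the post; the host addresses, which the post elides, are RFC 5737 placeholders, and the `***` markers around the interface name are dropped.

```python
"""Diagnose the posted ASA state-bypass config: shadowed ACEs and unmatched ICMP replies."""
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the post's `show access-list` output.
# 192.0.2.10 is a placeholder (assumption): the post leaves the host address blank.
SHOW_ACCESS_LIST = """\
access-list CV_BYPASS line 1 extended permit ip any host 192.0.2.10 (hitcnt=364) 0x4fb7318e
access-list CV_BYPASS line 2 extended permit icmp any host 192.0.2.10 (hitcnt=0) 0x22bf3de0
access-list CV_BYPASS line 3 extended permit ip host 192.0.2.10 any (hitcnt=9) 0x5072ed00
access-list CV_BYPASS line 4 extended permit icmp host 192.0.2.10 any (hitcnt=0) 0xad56199a
"""

# Constructed syslog sample in the shape of the post's log excerpt (placeholder addresses).
SAMPLE_LOG = """\
Aug 26 2014 15:22:04: Built inbound ICMP connection for faddr 198.51.100.7/1 gaddr 192.0.2.10/0 laddr 192.0.2.10/0
Aug 26 2014 15:22:05: %ASA-4-313004: Denied ICMP type=0, from 192.0.2.10 on interface VLAN_450_WAN_INSIDE to no matching session
%ASA-4-313004: Denied ICMP type=0, from 192.0.2.10 on interface VLAN_450_WAN_INSIDE to no matching session
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.+?) \(hitcnt=(?P<hits>\d+)\)"
)
ICMP_DENY_RE = re.compile(
    r"%ASA-\d-313004: Denied ICMP type=(?P<type>\d+), from (?P<src>\S+) "
    r"on interface (?P<ifc>\S+) to no matching session"
)


def _take_endpoint(tokens):
    """Consume one ACE endpoint ('any', 'host A.B.C.D' or 'A.B.C.D MASK') as an IPv4 network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_aces(show_output):
    """Parse `show access-list` lines into dicts; port/ICMP-type qualifiers after dst are ignored."""
    aces = []
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        src, rest = _take_endpoint(m["rest"].split())
        dst, _ = _take_endpoint(rest)
        aces.append({"acl": m["acl"], "line": int(m["line"]), "action": m["action"],
                     "proto": m["proto"], "src": src, "dst": dst, "hits": int(m["hits"])})
    return aces


def _covers(a, b):
    """True if ACE a matches every packet ACE b would match ('ip' covers any protocol)."""
    proto_ok = a["proto"] == "ip" or a["proto"] == b["proto"]
    return (a["acl"] == b["acl"] and proto_ok
            and a["src"].supernet_of(b["src"]) and a["dst"].supernet_of(b["dst"]))


def shadowed_aces(show_output):
    """Return (line, shadowed_by_line) for each ACE fully covered by an earlier ACE in its ACL."""
    aces = parse_aces(show_output)
    found = []
    for i, ace in enumerate(aces):
        for earlier in aces[:i]:
            if _covers(earlier, ace):
                found.append((ace["line"], earlier["line"]))
                break
    return found


def count_unmatched_icmp(log_lines):
    """Count %ASA-4-313004 drops keyed by (interface, ICMP type)."""
    counts = Counter()
    for line in log_lines:
        m = ICMP_DENY_RE.search(line)
        if m:
            counts[(m["ifc"], int(m["type"]))] += 1
    return dict(counts)


if __name__ == "__main__":
    for line, by in shadowed_aces(SHOW_ACCESS_LIST):
        print(f"ACE line {line} is shadowed by line {by}, which explains its hitcnt=0")
    for (ifc, icmp_type), n in count_unmatched_icmp(SAMPLE_LOG.splitlines()).items():
        print(f"{n} ICMP type {icmp_type} packets dropped on {ifc} with no matching session")
```

Run it against the real `show access-list` and a syslog export to confirm the two findings: the ICMP ACEs are dead entries that can be removed without changing what the class matches, and the drops are concentrated on one interface and on echo replies, which points at the return path rather than at the ACL.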