RouterA is acting as the Internet gateway and is connected to the ASA using two outside interfaces.
The FWSM context is placed in transparent firewall mode (two BVI groups, one for each inside/outside pair: RouterA-RouterC and RouterA-RouterB).
RouterB is connected to the FWSM using a single connection and serves the inside LAN.
RouterC is connected to the FWSM using a single connection and also serves the same inside LAN.
RouterB and RouterC run HSRP for the LAN.
The thing is that I will run EIGRP between RouterA and RouterB/RouterC; that is why the FWSM is placed in transparent firewall mode, to bypass the EIGRP traffic between the routers. So there is a possibility that a TCP session established from outside, from RouterA, and destined to some host on the LAN could be forwarded via one interface (BVI Group 1) on the FWSM to RouterB, but the host could reply via RouterC and the traffic would be forwarded back through the other interface (BVI Group 2) on the FWSM. My question is: if the FWSM has already permitted this TCP session as allowed inbound from outside (BVI Group 1), will it block the reply traffic of the same TCP session when it comes from RouterC (using BVI Group 2)?
Sorry if the question is too complicated, but I just need to know: if I have a transparent firewall with two BVI groups, each group containing its own inside/outside, will the firewall permit an asymmetric reply from inside of a TCP flow via BVI Group 2 if the flow was allowed inbound on BVI Group 1 from outside?
The FWSM will not allow asymmetrically routed traffic by default. You can allow this by enabling TCP state bypass, but this disables much of the security functionality that would normally be applied to that flow. You can read more about the feature and implications here:
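As an added example that is not part of the original thread, the FWSM configuration below shows how TCP state bypass is enabled for exactly the flows the question describes, and what else has to be in place for the design to work. The interface names outside1/inside1 (bridge group toward RouterB) and outside2/inside2 (bridge group toward RouterC), the inside LAN 10.10.0.0/16, and the TCP/443 service are assumptions made for the illustration.

```text
! Added example, not from the original thread. Assumed names: inside LAN 10.10.0.0/16,
! bridge group 1 = outside1/inside1 (toward RouterB), bridge group 2 = outside2/inside2
! (toward RouterC).

! 1. A transparent-mode FWSM only bridges IP traffic that an extended ACL permits, and
!    the FWSM (unlike the ASA) does not permit higher-to-lower security traffic by
!    default. The EIGRP adjacency (IP protocol 88) therefore has to be allowed on every
!    interface it crosses, next to the normal inbound/outbound policy.
access-list OUTSIDE_IN extended permit eigrp any any
access-list OUTSIDE_IN extended permit tcp any 10.10.0.0 255.255.0.0 eq 443
access-group OUTSIDE_IN in interface outside1
access-group OUTSIDE_IN in interface outside2

access-list INSIDE_OUT extended permit eigrp any any
access-list INSIDE_OUT extended permit ip 10.10.0.0 255.255.0.0 any
access-group INSIDE_OUT in interface inside1
access-group INSIDE_OUT in interface inside2

! 2. Match only the flows that can actually be routed asymmetrically. Keep this ACL as
!    narrow as possible: every flow it matches loses the TCP state checks.
access-list TCP_BYPASS extended permit tcp any 10.10.0.0 255.255.0.0 eq 443
access-list TCP_BYPASS extended permit tcp 10.10.0.0 255.255.0.0 eq 443 any

class-map TCP_BYPASS
 match access-list TCP_BYPASS

! 3. TCP state bypass: the SYN builds the connection through bridge group 1 and the
!    SYN-ACK returning through bridge group 2 is accepted instead of being dropped as
!    an out-of-state packet. Bypassed flows get no TCP normalization, no sequence
!    number randomization and no application inspection, so give them a shorter idle
!    timeout than the default to limit how long a half-open entry lingers.
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS
  set connection advanced-options tcp-state-bypass
  set connection timeout tcp 0:30:00

! Apply globally so the interfaces of both bridge groups evaluate the class; it can
! also be attached per interface if only some of them carry asymmetric traffic.
service-policy TCP_BYPASS_POLICY global
```

The point to keep in mind is that the bypass is a per-flow exemption from the stateful checks, not a routing fix: everything the TCP_BYPASS ACL matches is effectively filtered by the access-lists alone, so widening that ACL to `permit ip any any` turns the FWSM into a packet filter for the LAN.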