New Member

Asymmetric packet flow on FWSM context

Hi All,

I am planning to implement following schema:

Outside---RouterA===FWSM context-------RouterB-----LAN
                                         |
                                         |
                                   RouterC
                                         |
                                      LAN

RouterA is acting as Internet gateway connected to ASA using two outside interfaces

FWSM context is placed in transparent firewall mode (two BVI groups for each inside/outside pair - RouterA-RouterC and RouterA-RouterB)

RouterB is connected to FWSM using single connection and serving inside LAN

RouterC is connected to FWSM using single connection and also serving the same inside LAN

RouterB and RouterC are in HSRP for LAN

The thing is that I will run EIGRP between RouterA and RouterB/RouterC; that is why the FWSM is placed in transparent firewall mode, to bypass the EIGRP traffic between the routers. So, there is a possibility that a TCP session will be established from outside from RouterA and destined to some host on the LAN; it could be forwarded via one interface (BVI Group 1) on the FWSM to RouterB, but the host could reply via RouterC and the traffic will be forwarded back through another interface (BVI Group 2) on the FWSM. My question is: if the FWSM has already permitted this TCP session as allowed inbound from outside (BVI Group 1), will it block the reply traffic of the same TCP session when it comes from RouterC (using BVI Group 2)?

Sorry if the question is too complicated, but I just need to know: if I have a transparent firewall with two BVI groups, each group containing its own inside/outside pair, will the firewall permit an asymmetric reply-from-inside TCP flow via BVI Group 2 if the session was allowed inbound on BVI Group 1 from outside?

Thanks!

1 REPLY
Cisco Employee

Asymmetric packet flow on FWSM context

Hello,

The FWSM will not allow asymmetrically routed traffic by default. You can allow this by enabling TCP state bypass, but this disables much of the security functionality that would normally be applied to that flow. You can read more about the feature and implications here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/protct_f.html#wp1075957

-Mike
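The TCP state bypass configuration the reply refers to, shown as an added example that is not part of the original thread or of Cisco's documentation. It uses the Modular Policy Framework (class-map / policy-map / service-policy) syntax of the FWSM 4.1 and ASA platforms as I understand it; the access-list, class, policy and interface names and the 192.0.2.0/24 LAN prefix are placeholders chosen here, and the exact command set should be checked against the FWSM 4.1 guide linked above before deployment.

```cisco
! Added example, not from the thread. Names, the interface label and the
! 192.0.2.0/24 prefix are placeholders; substitute the context's own values.
!
! Scope the bypass as narrowly as possible: only the LAN hosts whose replies
! can take the RouterC path. Every other flow keeps full stateful inspection.
access-list TCP_BYPASS extended permit tcp 192.0.2.0 255.255.255.0 any
access-list TCP_BYPASS extended permit tcp any 192.0.2.0 255.255.255.0
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  ! For matching flows this turns off TCP state checking, sequence number
  ! randomization and TCP normalization, so a SYN-ACK arriving on BVI group 2
  ! with no existing connection is forwarded instead of dropped.
  set connection advanced-options tcp-state-bypass
!
! Apply the policy where the out-of-state return traffic enters the context
! (the inside interface of BVI group 2) rather than globally, so the exception
! stays confined to the path that is actually asymmetric.
service-policy TCP_BYPASS_POLICY interface inside_grp2
```

Two design points worth keeping in mind when using this. First, the policy is chosen by the interface on which the FWSM sees the first packet of a flow, so it has to be present on the interface that receives the reply path (here the BVI group 2 inside interface) or applied globally; `show service-policy` on the context will show whether the class is actually accumulating hits. Second, because the bypass class removes the checks that normally protect those hosts, the access-list should list only the addresses and ports that genuinely take the asymmetric path, and the inspection and connection limits for everything else should remain in the default policy.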
