
Asymmetric routing through ASA 8.0

Our firewall currently blocks traffic destined for our VPN server based on TCP inspection.

Essentially, data traverses the VPN to a server on a remote subnet, but on return it routes to the firewall and then back to the VPN. However, the ASA rejects this as it did not see the original SYN.

ICMP works okay.

How can I turn off this type of TCP inspection for specific subnets and data only?



Re: Asymmetric routing through ASA 8.0

You may try issuing the following command to disable the TCP inspection.

no ip inspect name inspection-name protocol

Re: Asymmetric routing through ASA 8.0

I don't think it's possible. Why don't you try and bypass the firewall for the return traffic?


Re: Asymmetric routing through ASA 8.0

I agree with Vikram. The ASA will discard a TCP packet that has no associated connection within the conn table. The ASA will look for a SYN flag within the inbound packet to establish a new connection. If there is no existing connection or SYN flag for that packet, the ASA will drop it.

If the ASA is indeed dropping the packets you could enable logging on the firewall to verify.
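
The logging check suggested in the last reply, as an added example that is not part of the original thread: a Python sketch that scans ASA syslog output for message 106015 ("Deny TCP (no connection)") and lists the flows whose SYN ACK arrived without the firewall ever seeing the SYN. It assumes logging at informational level and Cisco's documented 106015 message layout; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the thread); all addresses are placeholders.
SAMPLE_LOG = """\
10:15:01: %ASA-6-106015: Deny TCP (no connection) from 10.20.0.5/445 to 192.168.50.20/51234 flags SYN ACK  on interface inside
10:15:04: %ASA-6-106015: Deny TCP (no connection) from 10.20.0.5/445 to 192.168.50.20/51234 flags SYN ACK  on interface inside
10:15:09: %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.50.31/40112 (203.0.113.2/40112)
10:15:12: %ASA-6-106015: Deny TCP (no connection) from 10.20.0.9/3389 to 192.168.50.21/50001 flags ACK  on interface inside
"""

# Matches only the "no connection" deny; other message IDs are ignored.
DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)


def summarize_no_conn_drops(log_text):
    """Count 106015 drops per (source IP, destination IP, TCP flags, interface)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            counts[(m["src"], m["dst"], m["flags"].strip(), m["ifc"])] += 1
    return counts


def likely_asymmetric(counts):
    """Return (src, dst) pairs dropped with SYN ACK set.

    A SYN ACK with no conn-table entry means the reply crossed the firewall
    but the opening SYN took another path, which is the situation described
    in the original question.
    """
    return sorted({(src, dst) for (src, dst, flags, _ifc) in counts
                   if flags == "SYN ACK"})


if __name__ == "__main__":
    drops = summarize_no_conn_drops(SAMPLE_LOG)
    for (src, dst, flags, ifc), n in drops.most_common():
        print(f"{n:3d}  {src} -> {dst}  flags={flags}  interface={ifc}")
    print("return path via firewall only:", likely_asymmetric(drops))
```
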
