I have two ASA firewalls at two separate locations in place, both running in multi-context mode (Internal context and External context), and I have configured TCP state bypass on the firewall interfaces on both the internal and external interfaces to accommodate asymmetric routing. Now everything I have read from Cisco and other places seems to suggest this will work, but at the moment it doesn't.
What I see is as follows:
TCP SYN is sent from the source device out through Firewall A Internal Context, through Firewall A External Context, to the destination device.
TCP SYN-ACK is received from the destination device at Firewall B External Context and is dropped (deny no connection......).
The configuration I have applied is as per Cisco documentation, apart from my access list, which is ip any any:
hostname(config)# access-list tcp_bypass extended permit ip any any
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
I believe the issue is with your ACL. I had a similar issue, not with TCP bypass but with allowing return traffic based on the state table. The problem was that when using permit ip any any, the ASA did not track the state. So give it a try by changing the ACL to:
access-list tcp_bypass extended permit tcp any any eq 80
And then test. The unfortunate thing with this is that you need to specify all the TCP and UDP ports, but you can do that with an object group. Just a hassle the first time you do it, but much easier to manage.
Of course you don't have to use port 80... it is just an example.
Please rate all helpful posts
The TCP State Bypass feature was indeed working as configured; the packets were being dropped with the message "no connection SYN ACK" because there was not a corresponding rule to allow the traffic. This is rather annoying because the deny error message is not the message I would have expected to see.
Sometimes you have too many rules and you can't see the wood for the trees....
Anyhow, I tightened up the match ACL to the specific traffic and added the rules required. Also don't forget SYN-ACKs reverse the source and destination ports, so you need to ensure your rules take this into consideration.
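A fuller version of the configuration the thread arrives at, added here as an example and not taken from the original posts or from Cisco's documentation. The subnets (RFC 5737 documentation ranges), the interface names and the policy-map name are assumptions; the bypass ACL and the interface ACL each carry a second entry for the returning SYN-ACK with source, destination and port reversed, and the whole fragment is repeated in each context that can see either half of the flow.

```cisco
! Assumed addressing: 192.0.2.0/24 is the source side, 198.51.100.0/24 the destination side.
! Match both directions: the forward SYN and the returning SYN-ACK, whose ports are reversed.
access-list tcp_bypass extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq 80
access-list tcp_bypass extended permit tcp 198.51.100.0 255.255.255.0 eq 80 192.0.2.0 255.255.255.0
!
class-map tcp_bypass
 description "TCP traffic that bypasses stateful firewall"
 match access-list tcp_bypass
!
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! State bypass skips the TCP connection check, not the interface ACL: the context that only
! ever sees the SYN-ACK still needs an explicit permit for it on the interface it arrives on.
access-list outside_in extended permit tcp 198.51.100.0 255.255.255.0 eq 80 192.0.2.0 255.255.255.0
access-group outside_in in interface outside
!
! Apply the policy on both interfaces of the context (interface names assumed).
service-policy tcp_bypass_policy interface inside
service-policy tcp_bypass_policy interface outside
```

A narrow match ACL also keeps the bypass from silently removing state tracking for traffic that does not need it, which is the point the second post makes about permit ip any any.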