Cisco Support Community
New Member

Cisco ASA return Traffic on different interface

Hi guys,

During the configuration of a network I found that if return traffic comes in on a different interface, the ASA blocks it.

E.g., let's say my ping originated from an inside server on the inside interface (security level 100). This packet is routed to subinterface .1, and the server to which the echo was sent replies back, but due to internal routing the echo-reply comes back on subinterface .2. Although the traffic coming back was allowed, the ASA still didn't allow this kind of traffic. So to fix this I fixed the internal routing and suddenly everything seems to be working.

Now my question is: is there a way we can allow such a config? For now I had control over the customer's routing so I could fix this issue, but if such a situation occurs in the future, what should I do?

Thanks in advance

1 ACCEPTED SOLUTION
Cisco Employee

Re: Cisco ASA return Traffic on different interface

Although what you did (fixing the routing) is the right way to fix it, this kind of asymmetry can be allowed.

With ASA 8.2.1 and above you can configure TCP state bypass:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

The following is an example configuration for TCP state bypass:

! Select the TCP flows that are allowed to arrive without a matching connection
hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any

! Class map that matches the ACL above
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
! Policy map that turns off TCP state checks for that class
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
! service-policy needs the "interface" keyword (or "global") before the interface name
hostname(config-pmap-c)# service-policy tcp_bypass_policy interface outside
! Static NAT so the mapped address is the same whichever path the flow takes
hostname(config-pmap-c)# static (inside,outside) 209.165.200.224 10.1.1.0 netmask

-KS
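The same TCP state bypass configuration in the syntax used from ASA 8.3 onward, where the old "static" NAT command is replaced by object NAT. This is an added example written for this thread, not configuration from the original post or from Cisco. The interface names, the 10.1.1.0/27 inside range and the 209.165.200.224/27 mapped range are taken from the answer above; the object names are assumed for illustration.

```text
! Added example: TCP state bypass on ASA 8.3+ (object NAT syntax).
! Names inside_net / inside_net_mapped are assumed, not from the thread.
!
! 1. Select the traffic that may arrive asymmetrically. Keep this as narrow
!    as possible: flows matched here lose TCP normalization and sequence
!    number randomization together with the state checks.
access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any
!
class-map tcp_bypass
 description "TCP traffic that bypasses stateful firewall"
 match access-list tcp_bypass
!
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! 2. Apply the policy on the interface where the unmatched half of the flow
!    arrives (outside in the answer's example); use "global" instead of
!    "interface outside" if it must cover every interface.
service-policy tcp_bypass_policy interface outside
!
! 3. Static NAT (not dynamic), so the mapped address does not depend on
!    which path created the session.
object network inside_net_mapped
 subnet 209.165.200.224 255.255.255.224
object network inside_net
 subnet 10.1.1.0 255.255.255.224
 nat (inside,outside) static inside_net_mapped
```

To check that a flow actually gets the bypass, run `show service-policy interface outside` and look at the tcp_bypass class counters, or `show conn detail` and look for the `b` flag on the connection; `packet-tracer input outside tcp <server> 443 <inside-host> <port>` shows the decision for a mid-stream packet arriving on the other interface. Note that the feature is TCP only: the ICMP echo-reply case in the original question is not covered by it.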

2 REPLIES
New Member

Re: Cisco ASA return Traffic on different interface

Thanks a ton, you rock
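Before deciding between fixing the routing and enabling TCP state bypass, it helps to confirm from the ASA syslog that the drops really are return-path packets and to see which interface they arrive on. The script below is an added example written for this thread (not from the original posts or from Cisco). It assumes two ASA message formats as the example's author recalls them from the ASA syslog message guide, 106015 ("Deny TCP (no connection) ...") for TCP and 313004 ("Denied ICMP ... no matching session") for inspected ICMP; check the exact wording against your release. All log lines in it are constructed, not captured from a device.

```python
"""Triage ASA syslog for drops caused by an asymmetric return path.

Added example for this thread, not code from the original post or from
Cisco. Assumed message formats (verify against your ASA release):
  %ASA-6-106015: Deny TCP (no connection) from A/p to B/q flags F on interface X
  %ASA-4-313004: Denied ICMP type=T, from laddr A on interface X to B: no matching session
The sample lines in SAMPLE_LOG are constructed for the example.
"""
import re
from collections import Counter

TCP_NO_CONN = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)
ICMP_NO_SESSION = re.compile(
    r"%ASA-\d-313004: Denied ICMP type=(?P<type>\d+), from laddr (?P<src>[\d.]+) "
    r"on interface (?P<ifc>\S+) to (?P<dst>[\d.]+): no matching session"
)

# ICMP types that only occur as a reply to something an inside host sent:
# echo reply, destination unreachable, time exceeded.
ICMP_REPLY_TYPES = {0, 3, 11}


def parse_drop(line):
    """Describe a 'no state' drop, or return None for any other line."""
    m = TCP_NO_CONN.search(line)
    if m:
        return {"proto": "tcp", "ifc": m["ifc"], "src": m["src"],
                "dst": m["dst"], "flags": set(m["flags"].split())}
    m = ICMP_NO_SESSION.search(line)
    if m:
        return {"proto": "icmp", "ifc": m["ifc"], "src": m["src"],
                "dst": m["dst"], "icmp_type": int(m["type"])}
    return None


def is_return_path(drop):
    """True when the dropped packet is the second half of a conversation,
    i.e. the forward half must have left through another interface."""
    if drop["proto"] == "tcp":
        # A bare SYN is a fresh connection attempt (scan or misdirected
        # client); anything carrying ACK, FIN or RST belongs to a flow the
        # ASA never saw start.
        return drop["flags"] != {"SYN"}
    return drop["icmp_type"] in ICMP_REPLY_TYPES


def summarize(lines, min_hits=2):
    """Count return-path drops per (proto, arrival interface, inside host).
    Repeated hits on one tuple point at a routing asymmetry; single hits
    are more likely noise."""
    hits = Counter()
    for line in lines:
        drop = parse_drop(line)
        if drop and is_return_path(drop):
            hits[(drop["proto"], drop["ifc"], drop["dst"])] += 1
    return [(key, n) for key, n in hits.most_common() if n >= min_hits]


def suggest(summary):
    """ACL lines a tcp-state-bypass class could match, one per affected
    inside host; ICMP asymmetry is flagged separately because TCP state
    bypass does not cover it."""
    out = []
    for (proto, ifc, host), n in summary:
        if proto == "tcp":
            out.append(f"access-list tcp_bypass extended permit tcp host {host} any")
        else:
            out.append(f"! {n} ICMP replies for {host} arrived on {ifc}: "
                       "fix routing, tcp-state-bypass does not apply")
    return out


# Constructed sample: echo replies and mid-stream TCP for 10.1.1.5 arriving
# on dmz2, one unsolicited SYN on outside, one unrelated connection message.
SAMPLE_LOG = """\
%ASA-4-313004: Denied ICMP type=0, from laddr 198.51.100.10 on interface dmz2 to 10.1.1.5: no matching session
%ASA-4-313004: Denied ICMP type=0, from laddr 198.51.100.10 on interface dmz2 to 10.1.1.5: no matching session
%ASA-4-313004: Denied ICMP type=0, from laddr 198.51.100.10 on interface dmz2 to 10.1.1.5: no matching session
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.10/443 to 10.1.1.5/50322 flags ACK  on interface dmz2
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.10/443 to 10.1.1.5/50322 flags PSH ACK  on interface dmz2
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.7/40001 to 10.1.1.9/22 flags SYN  on interface outside
%ASA-6-302013: Built outbound TCP connection 12 for dmz1:198.51.100.10/443 (198.51.100.10/443) to inside:10.1.1.5/50322 (10.1.1.5/50322)
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for key, n in summary:
        print(n, key)
    print("\n".join(suggest(summary)))
```

Feed it `logging trap informational` output (106015 is severity 6, so a warning-level trap would miss the TCP case) and raise `min_hits` on a busy box. The summary groups by the interface the reply arrived on and the inside host that never got it, which is exactly the pair you need to trace through the internal routing table.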
