Cisco Support Community

New Member

stateful firewall with stateless NAT or PAT rule

Hey,

First off I am an applications person, so sorry for the newbie question which is out of my area. 

We have a database on a private network separated from our public app server by a Cisco ASA 7.0 firewall.  The firewall does a lot of stateful stuff besides this.  It NATs the database or PATs a port (sometimes one, sometimes the other depending on the database).  Anyways, we have had infrequent intermittent problems where the database driver from the app server sends a FIN, and the database doesn't respond, and the firewall kills the half-closed connection, but the app server tries to use it again and it causes a failure (the firewall doesn't let it through).

I'm just curious, I know this isn't ideal, but is it possible to keep the firewall working the way it is now for everything else (stateful), and just allow this PAT or even NAT to be stateless?  If so, how would that be set up?  Basically what I am interested in is if the app server source address sends any traffic on the right port that it be forwarded to the database no matter what the firewall thinks about the TCP traffic... stateless.  And it needs to fail over correctly to the backup firewall if something happens.  I would assume a stateless connection (if it's possible) wouldn't have to worry about failover since everything is let through on the IP/port combinations.

Thanks!

Chris

1 REPLY
Cisco Employee

Re: stateful firewall with stateless NAT or PAT rule

The answer is yes, only if you upgrade to 8.2.

It is called tcp state bypass introduced in 8.2.

Explained here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html#wp1087434

PK
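For readers arriving at this thread, here is what the TCP state bypass configuration from the reply above looks like on an ASA 8.2 in Modular Policy Framework form. This is an added illustration, not PK's or Cisco's text; the addresses, port and interface name are constructed placeholders, and the bypass is deliberately scoped to the one app-server-to-database flow so the rest of the firewall stays fully stateful.

```cisco
! Constructed example: app server 192.0.2.10 talks to database 10.10.1.20 on TCP 1433.
! Replace addresses, port and interface with your own; the ACL must match the
! addresses as seen on the interface where the policy is applied.
access-list tcp_bypass extended permit tcp host 192.0.2.10 host 10.10.1.20 eq 1433

! Classify only that flow.
class-map tcp_bypass
 match access-list tcp_bypass

! Attach the bypass action to that class and nothing else.
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

! Apply on the interface that receives the app server's traffic.
service-policy tcp_bypass_policy interface dmz

! Verify that the flow is being matched and bypassed.
show service-policy interface dmz
show conn address 192.0.2.10
```

Keep the access list as narrow as possible: bypassed traffic no longer gets the ASA's TCP state checks and related normalization protections, so every extra host or port in that ACL is a corresponding loss of inspection.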
