SYN ACK missing related with a firewall inside a DMZ of another ASA
Hi, I have two control points, two firewalls.
The second one is linked inside a DMZ of the first firewall.
Routing is good, and inside the DMZ of the first firewall I have servers too.
So, to be more clear, let's call the interface IP of the first firewall that generates this DMZ 18.104.22.168 (netmask 255.255.0.0).
Inside the DMZ I have an interface of the second firewall with IP 22.214.171.124, and inside DMZ 1.1/16 I have servers too;
take one test server with IP 126.96.36.199.
The LAN behind the second firewall is 188.8.131.52, again with a 16-bit netmask (255.255.0.0).
Inside the DMZ generated by the second firewall I have a machine with IP 184.108.40.206 that needs to access TCP services on machine 220.127.116.11.
Running the test I have this scenario:
TCP packets from 18.104.22.168 pass the second firewall, arrive inside the DMZ with net 1.1/16 and reach the server with IP 22.214.171.124.
The default gateway (to answer the originating machine with IP 126.96.36.199) is 188.8.131.52.
ASA interface 184.108.40.206 claims a missing related, as it hasn't mapped the connection that passed through the first firewall. I only need 220.127.116.11 to route packets to the second firewall (which owns net 2.2/16) without being trapped in the missing-related check.
At the start it was working! Around 1 year ago we upgraded IOS to 8.4, and only now (one year later), doing maintenance on a machine, I discovered it was no longer talking with these servers on net 1.1/16.
I have found chapter 51 in the Cisco docs and TCP State Bypass... is this the only answer, and the right answer?
Before, it was working; is it something that has changed inside ASA IOS 8.4?
The HTML version of TCP State Bypass I found that should, or could, solve my issue is:
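Scoping TCP State Bypass to just the asymmetric flows, as an added example that is not from the post or from Cisco's documentation; the networks 10.1.0.0/16 and 10.2.0.0/16 are assumed stand-ins for the poster's 1.1/16 and 2.2/16, and the interface name dmz is assumed:

```cisco
! Added example, not the poster's configuration. Assumed stand-ins:
! 10.1.0.0/16 = the DMZ called "1.1/16" above, 10.2.0.0/16 = the net "2.2/16",
! "dmz" = nameif of the ASA interface that sees only one direction of the flow.
!
! 1. Match only the TCP flows between the two /16 networks, in both directions,
!    so every other connection keeps full stateful inspection.
access-list TCP_BYPASS extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list TCP_BYPASS extended permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
!
! 2. Disable TCP state checking for that class only (available since ASA 8.2(1)).
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! 3. Apply the policy on the interface where the unmatched SYN ACKs arrive.
service-policy TCP_BYPASS_POLICY interface dmz
!
! Verify: connections built under the bypass show the "b" flag in show conn.
! show service-policy interface dmz
! show conn address 10.1.0.0 netmask 255.255.0.0
```

Traffic in this class loses TCP sequence tracking and normalization, so keep the access list as narrow as the networks and ports actually involved. The cleaner long-term fix is to route the server's return traffic back through the second firewall so both directions cross the same ASA.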