Cisco Support Community

New Member

TCP State Bypass with NAT


We have to change providers, which includes an IP address change of our public IP addresses. In our DMZ we have a couple of servers which need to be accessible to the public. With the new provider I have changed the NAT addresses of those servers. My problem is that, due to DNS resolution, the servers need to be accessible for a couple of hours on both firewalls. I thought that using TCP state bypass I would be able to have two public addresses for the servers. It works from LAN to DMZ because there is NAT exemption.

But on the public side I get the request from one firewall and the return traffic exits the other firewall, so I have two different NAT addresses and the SYN-ACK is ignored by my client on the internet.

Is there any way to force the firewall sending the data back to the client to use the IP address of the firewall where the packets came in?

Thanks in advance.


Super Bronze

TCP State Bypass with NAT


I would imagine you would have to resort to some sort of NAT for all the source hosts/clients that connect to the server.

What I mean is, you probably have a Static NAT configured for the server on both firewalls. You would then need to configure a Dynamic Policy PAT (or NAT) that would translate any public source IP address to some NAT IP address, provided that the destination of that traffic was the Static NAT IP address of the server.

This would essentially mean that any connection coming through either firewall would be NATed, and the server would essentially see connections coming from that/those NAT IP address(es). This in turn would mean that the server would forward the return traffic through the firewall which owned that NAT IP address. (Provided the routing for those NAT IP addresses/networks was handled properly.)

Another option might be having both ISP links on a single firewall, which would mean the server would only have one gateway out of the network, and the ASA should enable access TO the servers through either ISP link/interface on the firewall.

But it seems you are using different firewalls.

- Jouni
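The inbound policy PAT described above, written out as an added example for one of the two firewalls (this is not configuration from the original posts). It assumes ASA 8.3+ object/twice-NAT syntax, placeholder addresses, and uses the firewall's own DMZ interface address as the PAT address instead of a separately routed NAT pool, which sidesteps the routing caveat mentioned in the reply.

```cisco
! Firewall A. Firewall B gets the same configuration with its own public IP
! and its own DMZ interface address.
! All addresses are constructed placeholders (RFC 5737 / RFC 1918).
object network DMZ-SERVER
 host 10.1.1.10
 description Real address of the public DMZ server
 ! Outbound: connections the server initiates leave with provider A's public IP
 nat (DMZ,outside) static 203.0.113.10
!
object network DMZ-SERVER-PUBLIC-A
 host 203.0.113.10
 description Public address of the server as seen via provider A
!
! Inbound: any Internet source hitting the A public IP is destination-NATed to
! the real server AND source-PATed to this firewall's DMZ interface IP. The
! server therefore answers to an address only this firewall owns, so the
! SYN-ACK returns through the same firewall the SYN arrived on.
nat (outside,DMZ) 1 source dynamic any interface destination static DMZ-SERVER-PUBLIC-A DMZ-SERVER
!
! Permit the published services (ACLs reference the real IP on 8.3+)
access-list OUTSIDE-IN extended permit tcp any object DMZ-SERVER eq 443
access-list OUTSIDE-IN extended permit tcp any object DMZ-SERVER eq 80
access-group OUTSIDE-IN in interface outside
```

With the source PAT in place, each flow is symmetric through a single firewall, so the tcp-state-bypass policy is no longer needed and stateful TCP inspection can stay enabled. The trade-off is that the server's own logs show the firewall's DMZ address rather than the client's real source IP, so client attribution has to come from the firewall's connection logs.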
