Cisco Support Community

New Member

Can PIX/ASA disable stateful check?

Hi, all

I have one ASA 5510 with software 7.0, configured as a transparent firewall. Now I want to disable its stateful check. Can anyone tell me whether it supports this feature? If it's a routed firewall, can it support it, and what is the command?

Many thanks

Tao

3 REPLIES

Re: Can PIX/ASA disable stateful check?

The only way to disable the STATE check on the ASA (bypass the 3-way handshake, for example) is to use the static NAT command with the "nailed" option as well as the failover timeout.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075

New Member

Re: Can PIX/ASA disable stateful check?

imartino

Many thanks for your reply.

1. The explanation says nailed is used with the 'failover timeout' command. What does that mean? I just want to disable the state check, so that asymmetric route traffic can pass through the PIX. Can it support that?

BTW, I'd like to know whether it can be used in transparent mode, since it doesn't have the 'static' command.

2. It seems the following command is related to the TCP state check.

invalid-ack {allow | drop}

Am I right?

Any reply is much appreciated!

Tao

Re: Can PIX/ASA disable stateful check?

Regardless of transparent firewall, statics are supported, and the failover timeout is a requirement when enabling the "nailed" option. Please take a look at the command reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075
