Firewalls such as the Cisco ASA and FWSM use stateful inspection to protect traffic flows. A major requirement for stateful inspection to work is that the firewall must see both the request (TCP SYN) and the response (TCP SYN/ACK) of a connection, and see them on the same corresponding ingress and egress interfaces. Otherwise the firewall has no connection entry to match the packet against, treats it as part of a TCP SYN or TCP SYN/ACK attack, and drops it.
Most often the inside network starts as a flat, single-VLAN topology. Over time, routers or layer 3 switches are added to expand or further segment the inside network. As a result, communication between inside servers and clients no longer works when the servers use the firewall as their gateway.
With the servers using the firewall as their gateway to reach inside nodes, the new topology introduces asymmetric traffic flows. For example (see topology), the TCP SYN from a client to a server never crosses the firewall, because the router has an interface on the same IP subnet as the servers and delivers the packet directly. The server's TCP SYN/ACK response, however, does cross the firewall, because the server uses the firewall as its next hop/gateway for any destination on a different IP subnet. The same asymmetric behavior occurs when traffic is initiated from the servers towards the clients: the firewall sees the SYN but never the client's SYN/ACK, so from the firewall's point of view the connection never completes.
Note that when the firewall receives a SYN/ACK without a corresponding SYN, it not only drops the SYN/ACK packet but also sends a RESET packet towards the sender of the SYN/ACK. On the ASA these drops are logged as %ASA-6-106015 "Deny TCP (no connection) ... flags SYN ACK on interface inside" and counted under tcp-not-syn ("First TCP packet not SYN") in show asp drop; a rising tcp-not-syn counter for inside-to-inside pairs is the quickest way to confirm asymmetric routing is the cause.
1. To avoid the asymmetric traffic flow between servers and clients, the least disruptive change is to have the servers use the router/layer 3 switch as their default gateway. Ensure the router or layer 3 switch still uses the firewall as its default route for internet access, and that the firewall has routes for the inside subnets pointing back at the router so that return traffic from the internet reaches them. This is scalable, as you do not need to worry about how many VLANs exist on the inside.
2. The other option is to add static routes on the servers so that traffic destined to inside nodes uses the inside router instead of the default gateway. This is not scalable, as you will need to add an entry for every inside VLAN subnet on every server.
3. Add a DMZ interface on the firewall and move the servers behind it. Client-to-server traffic then enters on the inside interface and leaves on the DMZ interface, and the reply takes the reverse path, so the flow is symmetric again and the servers remain protected from both the inside and the internet.
4. Enable TCP state bypass on the firewall, scoped to the traffic flow between the servers and clients. Note that this is only a workaround and is not highly recommended, because TCP state bypass disables the firewall's stateful inspection (including the TCP normalizer) for the matched traffic. That said, this traffic should not be crossing the firewall in the first place, so the option may be acceptable depending on the company's security policy.
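The ASA commands for options 1 and 4, as an added example that is not part of the original article. The addresses and object names are assumptions chosen to match the topology described above: servers on 10.1.10.0/24 with the ASA inside interface at 10.1.10.1 and the inside router at 10.1.10.2, and a client VLAN on 10.1.20.0/24 behind the router. The option 4 part also covers the hairpin case the article implies (server-initiated traffic enters and leaves the same inside interface), which the ASA denies by default unless intra-interface traffic is permitted.

```cisco
! --- Common to options 1 and 4 (assumed addresses) ---
! The ASA needs a route for every client subnet behind the inside router,
! otherwise internet return traffic for the clients has nowhere to go.
route inside 10.1.20.0 255.255.255.0 10.1.10.2 1
!
! Option 1, router side (IOS syntax, shown as a comment): the router keeps
! the firewall as its default route for internet access.
! ip route 0.0.0.0 0.0.0.0 10.1.10.1
!
! --- Option 4 only: TCP state bypass scoped to the server/client pair ---
! Server-initiated flows enter on inside and are routed back out inside
! towards the router; the ASA drops that by default.
same-security-traffic permit intra-interface
!
! Match both directions so a connection started from either side bypasses.
! Keep the ACL as narrow as possible: everything it matches loses
! stateful inspection and TCP normalization.
access-list SRV-CLIENT-BYPASS extended permit tcp 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list SRV-CLIENT-BYPASS extended permit tcp 10.1.20.0 255.255.255.0 10.1.10.0 255.255.255.0
!
class-map SRV-CLIENT-BYPASS-CLASS
 match access-list SRV-CLIENT-BYPASS
!
policy-map global_policy
 class SRV-CLIENT-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
!
! global_policy is normally already applied; shown for completeness.
service-policy global_policy global
!
! Verification (assumed addresses):
! show asp drop | include tcp-not-syn   -> counter should stop rising
! show conn address 10.1.20.0 netmask 255.255.255.0
```

Apply the state bypass class only for as long as the servers cannot be re-homed behind the router (option 1) or the DMZ (option 3); once the routing is symmetric, remove the class from global_policy so stateful inspection covers the server traffic again.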