Cisco ASA to Play Nice with Asymmetric Routing

Some day you might find yourself in a situation where you have an ASA device protecting an asymmetric network. This is a problem for ASA as it can only see one half of the connection, the other half being routed to the destination through a path that doesn’t involve the ASA. Now, this is not a recommended practice, but in 8.2(1) you can bypass the connection state check that the ASA performs to get asymmetric traffic through the firewall.

Below is an example of a policy that enables TCP State by-pass for an internal network, 10.1.1.0/24.

ASA(config)#access-list STATE_BYPASS_ACL extended permit tcp 10.1.1.0 255.255.255.0 any
ASA(config)#class-map STATE_BYPASS_CMAP
ASA(config-cmap)#match access-list STATE_BYPASS_ACL
ASA(config-cmap)#description "TCP traffic that bypasses stateful firewall"
ASA(config-cmap)#exit
ASA(config)#policy-map STATE_BYPASS_PMAP
ASA(config-pmap)#class STATE_BYPASS_CMAP
ASA(config-pmap-c)#set connection advanced-options tcp-state-bypass
ASA(config-pmap-c)#exit
ASA(config)#service-policy STATE_BYPASS_PMAP interface inside
ASA(config)#object network OBJ-10.1.1.6
ASA(config-network-object)#host 10.1.1.6     
ASA(config-network-object)#nat (inside,outside) static 192.168.1.6

Enjoy.

Jul 9th, 2011 • Posted in ASA, Routing
No comments yet.

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>