ASA Asymmetric Routing
From Internetworkpro
If you're having issues with Cisco ASA and asymmetrical routing this should save you the night.
This new feature is called TCP State Bypass and is available from ASA 8.2(1).
inside: 10.1.1.0/24
ASA (default gw): 10.1.1.254
secondary gateway on the inside zone: 10.1.1.3
Host behind the secondary gateway: 10.0.0.113
Things to do:
- Enable same security traffic intra interface (permits communication in and out of the same interface).
same-security-traffic permit intra-interface
- Add the NO NAT ACL
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 host 10.0.0.113 log
- Apply the NO NAT ACL
nat (inside) 0 access-list nonat
- Add the static route
route inside 10.0.0.113 255.255.255.255 10.1.1.3 1
- Add the STATE BYPASS ACL
access-list state_bypass extended permit tcp 10.1.1.0 255.255.255.0 host 10.0.0.113 log
- Create the STATE BYPASS CLASS MAP
class-map state_bypass
 match access-list state_bypass
- Create the STATE BYPASS POLICY MAP
policy-map state_bypass_policy
 class state_bypass
  set connection advanced-options tcp-state-bypass
- Apply the POLICY MAP (the name must match the policy-map defined above)
service-policy state_bypass_policy interface inside
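The steps above only work when every name lines up: the service-policy must name the policy-map, the policy-map's class must name the class-map, and the class-map must name the ACL, or the ASA rejects the command. Because TCP state bypass makes the ASA skip TCP state checking for matched flows, the bypass ACL should also name only the hosts that actually need it. The following Python script is an added example, not part of the original page or any Cisco tool; it parses a pasted snippet of these commands and reports dangling references and over-broad (`any`) bypass ACL entries. The sample configuration embedded in it is constructed and deliberately carries a mismatched policy-map name in the service-policy line, the kind of typo that is easy to make when following this walkthrough.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the page's steps, with a mismatched policy-map name
# in the final service-policy line so the checker has something to find.
ASA_CONFIG = """\
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 host 10.0.0.113 log
nat (inside) 0 access-list nonat
route inside 10.0.0.113 255.255.255.255 10.1.1.3 1
access-list state_bypass extended permit tcp 10.1.1.0 255.255.255.0 host 10.0.0.113 log
class-map state_bypass
 match access-list state_bypass
policy-map state_bypass_policy
 class state_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_state_bypass_policy interface inside
"""


def check_state_bypass_config(config: str) -> List[str]:
    """Return findings for an ASA snippet that enables TCP state bypass.

    The checks are this example's own conventions, not an ASA feature:
      * every `match access-list` in a class-map names a defined ACL
      * every `class` in a policy-map names a defined class-map
      * every `service-policy` names a defined policy-map
      * any class that sets tcp-state-bypass must not be matched by an ACL
        entry containing `any`, since state checking is skipped for those flows
    """
    acls: Dict[str, List[str]] = {}
    class_maps: Dict[str, Set[str]] = {}
    policy_maps: Dict[str, Set[str]] = {}
    bypass_classes: Set[str] = set()
    findings: List[str] = []

    current_class = current_policy = current_policy_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Top-level (unindented) commands close any open class-map/policy-map.
        if not raw.startswith(" "):
            current_class = current_policy = current_policy_class = None
        if m := re.match(r"access-list (\S+) extended (.*)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"class-map (\S+)$", line):
            current_class = m.group(1)
            class_maps[current_class] = set()
        elif m := re.match(r"policy-map (\S+)$", line):
            current_policy = m.group(1)
            policy_maps[current_policy] = set()
        elif (m := re.match(r"match access-list (\S+)$", line)) and current_class:
            class_maps[current_class].add(m.group(1))
        elif (m := re.match(r"class (\S+)$", line)) and current_policy:
            current_policy_class = m.group(1)
            policy_maps[current_policy].add(current_policy_class)
        elif line == "set connection advanced-options tcp-state-bypass" and current_policy_class:
            bypass_classes.add(current_policy_class)
        elif m := re.match(r"service-policy (\S+) interface (\S+)", line):
            if m.group(1) not in policy_maps:
                findings.append(
                    f"service-policy references undefined policy-map {m.group(1)!r}")

    for cm, acl_names in class_maps.items():
        for acl in acl_names:
            if acl not in acls:
                findings.append(f"class-map {cm!r} matches undefined access-list {acl!r}")
    for pm, classes in policy_maps.items():
        for cls in classes:
            if cls not in class_maps:
                findings.append(f"policy-map {pm!r} uses undefined class-map {cls!r}")
    # Scope check: bypass classes must be fed only by host/subnet-specific entries.
    for cls in sorted(bypass_classes):
        for acl in sorted(class_maps.get(cls, ())):
            for entry in acls.get(acl, ()):
                if re.search(r"\bany[46]?\b", entry):
                    findings.append(
                        f"tcp-state-bypass class {cls!r} is matched by over-broad "
                        f"ACL {acl!r} entry {entry!r}")
    return findings


if __name__ == "__main__":
    for finding in check_state_bypass_config(ASA_CONFIG) or ["no findings"]:
        print(finding)
```

Running it on the embedded sample reports the undefined `tcp_state_bypass_policy`; correcting that line to `service-policy state_bypass_policy interface inside` yields no findings.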
Now you should be able to establish a TCP connection with the remote host behind the local gateway.
A simple sh log | inc state-bypass will show you the result of your hard work :)
%ASA-6-302303: Built TCP state-bypass connection 29656 from inside:10.1.1.115/50429 (10.1.1.115/50429) to inside:10.0.0.113/8080 (10.0.0.113/8080)
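Beyond eyeballing `sh log`, the 302303 messages are a useful way to confirm that state bypass is hitting only the host you configured it for. The Python below is an added example (not from the page or from Cisco) that parses these messages into fields, counts bypass connections per destination, and flags any bypass flow to a host outside the intended set. The log sample embedded in it is constructed: it repeats the page's line, adds a second connection to the same host, a bypass connection to a different host, and an ordinary (non-bypass) connection message as a control; the field names and the regex are this example's own.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample log: the page's message, two more constructed
# state-bypass messages, and one ordinary connection message as a control.
SAMPLE_LOG = """\
%ASA-6-302303: Built TCP state-bypass connection 29656 from inside:10.1.1.115/50429 (10.1.1.115/50429) to inside:10.0.0.113/8080 (10.0.0.113/8080)
%ASA-6-302303: Built TCP state-bypass connection 29657 from inside:10.1.1.115/50430 (10.1.1.115/50430) to inside:10.0.0.113/8080 (10.0.0.113/8080)
%ASA-6-302303: Built TCP state-bypass connection 29658 from inside:10.1.1.20/41000 (10.1.1.20/41000) to inside:10.0.0.200/22 (10.0.0.200/22)
%ASA-6-302013: Built inbound TCP connection 29659 for inside:10.1.1.20/41001 (10.1.1.20/41001) to inside:10.0.0.113/8080 (10.0.0.113/8080)
"""

# Pattern for the "Built TCP state-bypass connection" message shown on the page.
# The parenthesised parts hold the post-NAT addresses; with nat 0 they equal the
# real ones, so they are matched but not captured here.
STATE_BYPASS_RE = re.compile(
    r"%ASA-\d-302303: Built TCP state-bypass connection (?P<conn_id>\d+) "
    r"from (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([^)]*\) "
    r"to (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([^)]*\)"
)


def parse_state_bypass_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 302303 message, or None for any other line."""
    m = STATE_BYPASS_RE.search(line)
    return m.groupdict() if m else None


def state_bypass_destinations(log: str) -> Counter:
    """Count state-bypass connections per (destination IP, destination port)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_state_bypass_line(line)
        if rec:
            counts[(rec["dst_ip"], rec["dst_port"])] += 1
    return counts


def unexpected_bypass_flows(log: str, allowed_hosts: Iterable[str]) -> List[Dict[str, str]]:
    """Return state-bypass connections whose destination is not an intended host.

    Any hit here means the state_bypass ACL matches more than it should.
    """
    allowed = set(allowed_hosts)
    return [
        rec
        for line in log.splitlines()
        if (rec := parse_state_bypass_line(line)) and rec["dst_ip"] not in allowed
    ]


if __name__ == "__main__":
    for (ip, port), n in state_bypass_destinations(SAMPLE_LOG).items():
        print(f"{n} state-bypass connection(s) to {ip}/{port}")
    # 10.0.0.113 is the only host the page's ACL is meant to cover.
    for rec in unexpected_bypass_flows(SAMPLE_LOG, ["10.0.0.113"]):
        print(f"unexpected bypass: conn {rec['conn_id']} to {rec['dst_ip']}/{rec['dst_port']}")
```

On the sample this reports two bypass connections to 10.0.0.113/8080, one to 10.0.0.200/22, and flags the latter as unexpected; the 302013 control line is ignored.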
If you want more exhaustive information, read the official Cisco TCP State Bypass guide:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf
- Credit to nettie from #cisco