11-12
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11 Connection Settings
Configure Connection Settings
TCP State Bypass
NAT Guidelines
Because the translation session is established separately for each ASA, be sure to configure static NAT
on both ASAs for TCP state bypass traffic. If you use dynamic NAT, the address chosen for the session
on ASA 1 will differ from the address chosen for the session on ASA 2.
Configure TCP State Bypass
To bypass TCP state checking in asynchronous routing environments, carefully define a traffic class that
applies to the affected hosts or networks only, then enable TCP State Bypass on the traffic class using a
service policy. Because bypass reduces the security of the network, limit its application as much as
possible.
Procedure
Step 1
Create an L3/L4 class map to identify the hosts that require TCP State Bypass. Use an access-list match
to identify the source and destination hosts.
class-map
name
match
parameter
Example:
hostname(config)#
access-list bypass extended permit tcp host 10.1.1.1 host 10.2.2.2
hostname(config)#
class-map bypass-class
hostname(config-cmap)#
match access-list bypass
Step 2
Add or edit a policy map that sets the actions to take with the class map traffic, and identify the class
map.
policy-map
name
class
name
Example:
hostname(config)# policy-map global_policy
hostname(config-pmap)# class bypass-class
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you
want to edit the global_policy, enter global_policy as the policy name. For the class map, specify the
class you created earlier in this procedure.
Step 3
Enable TCP State Bypass on the class.
set connection advanced-options tcp-state-bypass
Step 4
If you are editing an existing service policy (such as the default global policy called global_policy), you
are done. Otherwise, activate the policy map on one or more interfaces.
service-policy
policymap_name
{
global
|
interface
interface_name
}
Example:
hostname(config)# service-policy global_policy global
The
global
keyword applies the policy map to all interfaces, and
interface
applies the policy to one
interface. Only one global policy is allowed. You can override the global policy on an interface by
applying a service policy to that interface. You can only apply one policy map to each interface.
Содержание ASA 5512-X
Страница 5: ...P A R T 1 Service Policies and Access Control ...
Страница 6: ......
Страница 50: ...3 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Access Rules History for Access Rules ...
Страница 51: ...P A R T 2 Network Address Translation ...
Страница 52: ......
Страница 126: ...5 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 NAT Examples and Reference DNS and NAT ...
Страница 127: ...P A R T 3 Application Inspection ...
Страница 128: ......
Страница 255: ...P A R T 4 Connection Settings and Quality of Service ...
Страница 256: ......
Страница 288: ...12 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Quality of Service History for QoS ...
Страница 303: ...P A R T 5 Advanced Network Protection ...
Страница 304: ......
Страница 339: ...P A R T 6 ASA Modules ...
Страница 340: ......
Страница 398: ...17 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 ASA CX Module History for the ASA CX Module ...