Intra-Interface Communications

Guest

Post by Guest » Mon Jan 17, 2005 4:33 am

Hello, I have a problem with communications through the ASA to an MS Exchange server. I'm testing a new connection to the internet, and the ASA is the default gateway for my user VLAN. It's similar to the problem described in this doc: http://www.cisco.com/en/US/partner/prod ... 7.shtml The difference is that I'm connected to an L3 switch, but it doesn't matter in this situation. All services (DNS, DHCP) in the LAN work, but I have a problem with the connection to the Exchange server only. The mentioned services are separated into VLANs, and static routing to these networks is added on the ASA. I have no ACL blocking traffic on the inside interface. Does anyone have a similar problem?

Guest

Re: Intra-Interface Communications

Post by Guest » Mon Jan 17, 2005 4:38 am

Hello,

Seems like you are referring to an asymmetric routing problem. In such a situation, all non-connection-oriented traffic will work fine, but connection-oriented traffic (TCP based) will suffer. You have a couple of options.

The easiest one is to make the L3 switch the gateway for your Exchange server. This way, the switch will make the routing decision for the Exchange traffic and will deliver all local LAN traffic to the respective VLAN interfaces and internet traffic to the firewall.

The other option, if you are running the 8.2 code version, is to configure TCP state bypass. This will ask the firewall not to keep track of the TCP status of certain traffic. Here is a document that outlines the configuration requirements for TCP state bypass: http://www.cisco.com/en/US/docs/securit ... bypass.pdf

Hope this helps.

Regards,
NT
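The TCP state bypass option from the reply above, sketched as an ASA 8.2 configuration. This is an added example, not configuration posted by anyone in the thread; the subnets, the Exchange host address and all object names are constructed assumptions.

```cisco
! Constructed addressing (assumption, not from the thread):
!   user VLAN      10.10.10.0/24   default gateway = ASA inside interface
!   Exchange host  10.10.20.25     reached through the L3 switch
! All object names below are hypothetical.

! Let traffic enter and leave the same interface (hairpin on inside).
same-security-traffic permit intra-interface

! Match only the flows the ASA sees in one direction. Keep this ACL as
! narrow as possible: matched connections are exempt from TCP state
! checks, TCP normalization and application inspection.
access-list TCP_BYPASS extended permit tcp 10.10.10.0 255.255.255.0 host 10.10.20.25

class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS

policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass

! Only one service policy can be attached per interface. If inside already
! has one, add TCP_BYPASS_CLASS to that policy-map instead of this line.
service-policy TCP_BYPASS_POLICY interface inside
```

Once traffic is flowing, `show conn` marks bypassed connections with the `b` flag, which confirms that only the intended flows match the class.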

Guest

Re: Intra-Interface Communications

Post by Guest » Mon Jan 17, 2005 5:49 am

The TCP state bypass resolved the problem. Thanks for your help.

Regards,
Kamil
