Re: asymmetric routing through FW

From: Daniel Fischer <Daniel.Fischer_at_gmx.net>
Date: Tue, 16 Jun 2009 22:14:09 +0200

I found a solution in the meantime. There is a new feature called TCP state bypass. It was introduced in ASA sw 8.21 and FWSM sw 3.2(1).

Example: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

It was introduced to allow asymmetric flows in active/active FW scenarios but works as well for my setup.

I tested it and it works:

Jun 16 2009 03:03:03 302303 10.8.6.1 23 10.8.4.1 11009 Built TCP state-bypass connection 200 from down:10.8.6.1/23 (10.8.6.1/23) to up:10.8.4.1/11009 (10.8.4.1 /11009)

TCP down 10.8.6.1:23 up 10.8.4.1:11009, idle 0:01:35, bytes 40, flags b
TCP down 10.8.6.1:23 up 10.8.4.1:11008, idle 0:59:17, bytes 50, flags b
TCP down 10.8.4.1:11009 up 10.8.6.1:23, idle 0:01:35, bytes 76, flags b
TCP down 10.8.4.1:11008 up 10.8.6.1:23, idle 0:59:17, bytes 116, flags b

Daniel
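The following ASA configuration is an added example of the TCP state bypass setup discussed above; it is not from this thread or from the Cisco guide linked in it. The interface names "up" and "down" and the 10.8.4.x / 10.8.6.x networks are taken from the log output in the message; the /24 masks, the ACL and policy names, and the decision to apply the policy on both VRF-facing interfaces are assumptions.

```cisco
! Added example (not from the original mail): TCP state bypass scoped to the
! two VRF-facing networks only. Interface nameifs "up" and "down" and the
! 10.8.4.x / 10.8.6.x networks come from the log lines in the thread; the /24
! masks and the object names are assumed.
access-list tcp_bypass extended permit tcp 10.8.4.0 255.255.255.0 10.8.6.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.8.6.0 255.255.255.0 10.8.4.0 255.255.255.0
!
class-map tcp_bypass
 description TCP flows that may enter and leave on different interfaces
 match access-list tcp_bypass
!
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! Apply on both VRF-facing interfaces (assumption: the hub/FW links are the
! only place where asymmetry occurs). The global policy is left untouched so
! every other flow keeps full stateful inspection.
service-policy tcp_bypass_policy interface up
service-policy tcp_bypass_policy interface down
!
! Verify: bypassed connections carry flag "b" in the connection table, as in
! the output quoted above, and syslog 302303 is logged when they are built.
show conn
```

Keep the access list as narrow as the design allows: a state-bypass connection skips TCP sequence-number checks and randomization, TCP normalization and application inspection, so those flows get only the interface access rules as protection. Checking `show conn` for flag "b" is the quickest way to confirm that only the intended hub/FW flows are bypassing inspection and nothing else has matched the class.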

-------- Original Message --------
> Date: Mon, 15 Jun 2009 10:48:26 -0400
> From: Lanny Ballard <lanny26ga_at_hotmail.com>
> To: daniel.fischer_at_gmx.net
> Subject: RE: asymmetric routing through FW

>
> NAT the traffic to something besides itself (i.e. NAT 10.1.x.x to 10.2.x.x)
> so that the remote site only knows how to reach the network via the firewall.
> The TCP syn/ack mechanism won't let you do it asymmetrically as the
> firewall resets these sequence numbers when traffic flows through it.
>
> > Date: Mon, 15 Jun 2009 16:08:36 +0200
> > From: Daniel.Fischer_at_gmx.net
> > Subject: asymmetric routing through FW
> > To: ccielab_at_groupstudy.com
> >
> > Dear group,
> > I'm working on an MPLS VPN hub and spoke topology with a FW behind the
> > hub. The idea is to separate up- and downstream traffic with two VRFs (up and
> > down). This part is working so far; I simulated it with GNS3 and used a
> > router to simulate the routing of the FW.
> >
> > I use the following topology:
> >
> > --up------|
> > CE4--down----PE2(Spoke)-------PE1(Hub)---vrf up-->-----|___
> > || | |FW |
> > CE5--up------- | ------vrf down--<---|___|
> > --down------|
> >
> > The setup follows presentation BRKIPM-2102 (Networkers Barcelona).
> >
> > I set it up with real routers and an ASA to verify the design including the
> > FW. The MPLS stuff works, but there is a (design) problem with the
> > communication between the hub and the FW. All traffic arrives through the interface
> > connected to vrf "up" at the FW. All traffic flowing downstream is pointed
> > out of the interface "vrf down" at the FW. This works with stateless
> > protocols like ICMP. As soon as I use TCP the FW complains (and blocks).
> > Message: "The security appliance discarded a TCP packet that has no
> > associated connection in the security appliance connection table"
> >
> > The FW does not like TCP traffic coming in on a different interface than
> > going out for the same IP. Is there a workaround for this problem?
> >
> > I know that I could build the hub and spoke topology with only one
> > VRF/subnet between the hub and the FW, but then it is not possible to selectively
> > allow spoke-to-spoke communication if necessary.
> >
> > Daniel
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

Received on Tue Jun 16 2009 - 22:14:09 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART