In certain circumstances you may wish an ASA not to inspect the TCP SYN flags of packets. This is usually the case if the device will not see the return traffic, such as in the following example:
To do this, we need to first of all create an access-list containing the destination IP range we’e going to exclude from TCP SYN checks. This is an extended acl that you’ll likely have plenty of:
access-list NoSYNChecksACL extended permit tcp 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0 log disable
Next up we create a class map to identify packets based on the ACL we’ve created:
class-map NoSYNChecksCM match access-list NoSYNChecksACL
With our ACL and Class Map created we now need to decide what should happen to these packets to which we don’t see the return traffic. We’re going to tell the ASA to bypass TCP state checks ( SYN / ACK ) for traffic matching our class map.
policy-map NoSYNChecksPM class NoSYNChecksCM set connection timeout idle 0:15:00 set connection advanced-options tcp-state-bypass
With that done, all we need to do is apply the policy to an interface:
service-policy NoSYNChecksPM interface Inside
Any traffic sourced from the inside interface, destined for addresses matched by our ACL will now not be subject to TCP state checks.
Continue reading Cisco ASA TCP SYN Checks