Cisco ASA TCP SYN Checks

In certain circumstances you may want an ASA not to perform its stateful TCP checks on a set of flows. By default the ASA only creates a connection entry when it sees the initial SYN, and it drops any TCP packet that does not belong to an existing connection (logged as %ASA-6-106015, "Deny TCP (no connection)"). That breaks when the firewall sees only one direction of a flow, typically because of asymmetric routing, such as in the following example:

(Figure: TCP State Bypass ASA)

To do this we first create an access-list matching the destination IP range we're going to exclude from TCP state checks. It's an ordinary extended ACL, so you'll likely have plenty of these already. The source and destination addresses of the entry were not preserved on this page, so the placeholders below must be replaced with your own network and mask (the trailing "log disable" simply suppresses syslog messages for this entry):

access-list NoSYNChecksACL extended permit tcp <source-network> <source-mask> <destination-network> <destination-mask> log disable

Next up we create a class map to identify packets based on the ACL we’ve created:

class-map NoSYNChecksCM
  match access-list NoSYNChecksACL 

With the ACL and class map in place we decide what should happen to the packets whose return traffic we won't see. We tell the ASA to bypass its TCP state checks (SYN/ACK tracking and sequence number validation) for traffic matching the class map, and give those connections a 15 minute idle timeout. The timeout matters: the ASA will never see the FIN/RST exchange that normally tears a connection down, so the idle timer is what eventually removes the entry.

policy-map NoSYNChecksPM
  class NoSYNChecksCM
    set connection timeout idle 0:15:00
    set connection advanced-options tcp-state-bypass

With that done, all we need to do is apply the policy to an interface:

service-policy NoSYNChecksPM interface Inside

Traffic entering the Inside interface and destined for addresses matched by the ACL is now no longer subject to TCP state checks. Bear in mind what that costs: for those flows the ASA no longer requires a new connection to begin with a SYN, no longer tracks or randomises sequence numbers, and does not apply TCP normalisation or application inspection, so keep the ACL as narrow as the asymmetric path requires. The interface access lists are still evaluated for these packets.
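Putting the steps together, here is the complete configuration as an added example (not from the original post). The addresses are constructed: 10.20.0.0/24 is assumed to sit behind the Inside interface and 172.16.50.0/24 is assumed to be the range whose return traffic never passes through this ASA.

```cisco
! Added example, not part of the original post. Addresses are constructed.
! 10.20.0.0/24 sits behind Inside; return traffic from 172.16.50.0/24
! takes another path and never reaches this ASA.
access-list NoSYNChecksACL extended permit tcp 10.20.0.0 255.255.255.0 172.16.50.0 255.255.255.0 log disable
!
class-map NoSYNChecksCM
  match access-list NoSYNChecksACL
!
policy-map NoSYNChecksPM
  class NoSYNChecksCM
    set connection timeout idle 0:15:00
    set connection advanced-options tcp-state-bypass
!
service-policy NoSYNChecksPM interface Inside
```

An interface accepts only one service policy, so if Inside already has one, add the class to that existing policy-map instead of creating NoSYNChecksPM. To verify, "show service-policy interface Inside" should list the class with tcp-state-bypass, bypassed connections show the "b" flag in "show conn detail", and "show logging | include 106015" should no longer report "Deny TCP (no connection)" for destinations in 172.16.50.0/24.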

Published by Dave Hope

Dave works in IT for a leading UK-based retirement developer. In his spare time he enjoys tinkering with technology and rock climbing.

