Cisco ASA 5505 Configuration Manual page 1051

Chapter 48 Configuring Connection Settings
TCP State Bypass Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent mode.
Failover Guidelines
Failover is supported.
Unsupported Features
The following features are not supported when you use TCP state bypass:
•
•
•
•
•
NAT Guidelines
Because the translation session is established separately for each adaptive security appliance, be sure to
configure static NAT on both adaptive security appliances for TCP state bypass traffic; if you use
dynamic NAT, the address chosen for the session on adaptive security appliance 1 will differ from the
address chosen for the session on adaptive security appliance 2.
Default Settings
TCP State Bypass
TCP state bypass is disabled by default.
Configuring Connection Settings
This section includes the following topics:
•
•
OL-20339-01
Application inspection—Application inspection requires both inbound and outbound traffic to go
through the same adaptive security appliance, so application inspection is not supported with TCP
state bypass.
AAA authenticated sessions—When a user authenticates with one adaptive security appliance,
traffic returning via the other adaptive security appliance will be denied because the user did not
authenticate with that adaptive security appliance.
TCP Intercept, maximum embryonic connection limit, TCP sequence number randomization—The
adaptive security appliance does not keep track of the state of the connection, so these features are
not applied.
TCP normalization—The TCP normalizer is disabled.
SSM and SSC functionality—You cannot use TCP state bypass and any application running on an
SSM or SSC, such as IPS or CSC.
Customizing the TCP Normalizer with a TCP Map, page 48-6
Configuring Connection Settings, page 48-8
Cisco ASA 5500 Series Configuration Guide using ASDM
Default Settings
48-5