Cisco ASA | hairpin work-around ASA version 8.4(3)

After struggling with a routing problem between a host which had a Cisco ASA with an ASA version 8.4(3) as gateway and had to route to an other subnet in the inside area.
In this example the host wants to connect to a (icmp works, other traffic doesn’t)

To solve this issue, you need to add some configuration to the Cisco ASA ( ) as a workaround. The Cisco ASA is not really designed to do routing, if i’m correct.
However what should you add to the configuration.
You need a static route added to the Cisco ASA for example:

route inside 1

Access-list you have to create:

access-list tcp_state_bypass extended permit tcp any any

Create a class map and a policy map:

class-map tcp_bypass
 match access-list tcp_state_bypass
 policy-map tcp_bypass_policy
 class tcp_bypass
 set connection advanced-options tcp-state-bypass

Configure a service-policy to make it active.

service-policy tcp_bypass_policy global

Now I was able to open the HTTP webpage

3 thoughts on “Cisco ASA | hairpin work-around ASA version 8.4(3)”

  1. Thanks for that, this was really useful for me !
    Please let me add some info to be more secure (tested on my network) :
    – your access-list should be more restrictive and only content the wanted address/network
    for example, here : access-list tcp_state_bypass extended permit tcp
    – applying that on global Policy is “to much” you can only apply that on Inside interface :
    service-policy tcp_bypass_policy interface Inside
    Hope this helps !

    1. This small change is better. I had issues configuring an ASA 5506 with Firepower doing the re-route from the ASA to the Firepower module. With the access list set to any any, it was incorrectly permitting traffic that was supposed to be rerouted to the firepower module.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.