Finding asymmetric path
Actually, this can be achieved easily using reflexive ACLs on any Cisco
router, so no real need to change the topology or add new devices in the
path:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#reflexacl
Arie
On Sat, Nov 28, 2009 at 10:26 PM, Duane Waddle <duane.waddle at gmail.com> wrote:
> On Sat, Nov 28, 2009 at 1:41 PM, Brielle Bruns <bruns at 2mbit.com> wrote:
>
> > My partner Tammy says a PIX could probably accomplish the same task (we
> > have some here for the corp LAN stuff, including spares).
>
> Yes, a PIX/ASA would stop this cold. The TCP state tracking would not
> allow traffic to pass unless the whole 3-way handshake was observed by
> the box. Only recently did Cisco add features to make tracking the
> TCP connection state optional.
> (http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf)
> The larger ASA-5580 machines can be virtualized into dozens (or more)
> security contexts as needed. I imagine it would take some effort to
> figure out how to cleanly integrate such a configuration into a POP.
>
> --D
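As an added illustration of the reflexive-ACL approach Arie points to (this is not configuration from the thread or from Cisco's note, and the interface name, ACL names and the 192.0.2.10 host are assumptions), here is the shape of an IOS configuration on the external interface. Outbound packets create temporary mirror-image entries in the reflexive lists; an inbound packet is only admitted if it matches one of those entries or an explicitly permitted service, so return traffic for a session whose outbound half took a different path never produces a match and is dropped and logged.

```cisco
! Hypothetical example: external interface Gi0/1 faces the upstream,
! the protected network sits behind it.

! Global fallback timeout for reflexive entries with no per-ACE timeout.
ip reflexive-list timeout 120

! Outbound direction: permit and record sessions originating inside.
! Each matching packet creates (or refreshes) a reversed 5-tuple entry
! in the named reflexive list; TCP entries are removed on RST or after
! FIN from both sides, otherwise on timeout.
ip access-list extended OUTBOUND
 remark Record outbound TCP/UDP sessions for later evaluation
 permit tcp any any reflect TCP-REFLECT timeout 300
 permit udp any any reflect UDP-REFLECT timeout 60
 remark Everything else leaves unrecorded
 permit ip any any

! Inbound direction: only reverse traffic of recorded sessions, plus
! whatever is deliberately published, gets through.
ip access-list extended INBOUND
 remark Match return packets of sessions seen leaving on this interface
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 remark Assumed published web server (hypothetical address)
 permit tcp any host 192.0.2.10 eq 80
 remark Return traffic whose outbound half took another path lands here
 deny ip any any log

interface GigabitEthernet0/1
 description Outside (assumed interface)
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Two caveats worth keeping in mind when comparing this with Duane's PIX/ASA description: a reflexive entry is created by the first outbound packet of a flow, so the router does not insist on seeing a full 3-way handshake the way a stateful firewall does, and it does not cope with protocols that open secondary connections on negotiated ports (active-mode FTP is the classic case) unless those are permitted separately. The `deny ... log` line is what makes the asymmetric flows visible: every return packet that arrives without a recorded outbound counterpart shows up in the log.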