Finding asymmetric path

Duane Waddle duane.waddle at
Sat Nov 28 20:26:07 UTC 2009

On Sat, Nov 28, 2009 at 1:41 PM, Brielle Bruns <bruns at> wrote:

> My partner Tammy says a PIX could probably accomplish the same task (we have some here for the corp lan stuff, including spares).

Yes, a PIX/ASA would stop this cold.  The TCP state tracking would not
allow traffic to pass unless the whole 3-way handshake was observed by
the box.  Only recently did Cisco add features to make tracking the
TCP connection state optional.

The larger ASA-5580 machines can be virtualized into dozens (or more)
security contexts as needed.  I imagine it would take some effort to
figure out how to cleanly integrate such a configuration into a POP.
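
The handshake check described in the message above, as an added example that is not part of the original post and not Cisco's implementation: a simplified strict TCP state tracker replayed over a symmetric flow and over one where the SYN-ACK returns by a path the box never sees. Class names, addresses and packets are constructed for illustration.

```python
# Added illustration: minimal strict TCP handshake tracker (simplified model).
# All packets and addresses below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})

class StrictTcpTracker:
    """Passes a segment only if it is the next step of a handshake this box saw."""
    def __init__(self):
        # (client, cport, server, sport) -> SYN_SEEN | SYNACK_SEEN | ESTABLISHED
        self.state = {}

    def check(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == {"SYN"}:                       # step 1: client opens
            self.state[fwd] = "SYN_SEEN"
            return True
        if p.flags == {"SYN", "ACK"} and self.state.get(rev) == "SYN_SEEN":
            self.state[rev] = "SYNACK_SEEN"          # step 2: server answers
            return True
        if "ACK" in p.flags and "SYN" not in p.flags:
            if self.state.get(fwd) == "SYNACK_SEEN": # step 3: client completes
                self.state[fwd] = "ESTABLISHED"
                return True
            if "ESTABLISHED" in (self.state.get(fwd), self.state.get(rev)):
                return True                          # traffic on a tracked flow
        return False                                 # out of state: drop

def replay(packets):
    """Return the pass/drop verdict for each packet, in order."""
    fw = StrictTcpTracker()
    return [fw.check(p) for p in packets]

C, S = "192.0.2.10", "198.51.100.20"                 # documentation addresses
SYN = Packet(C, S, 40000, 80, frozenset({"SYN"}))
SYNACK = Packet(S, C, 80, 40000, frozenset({"SYN", "ACK"}))
ACK = Packet(C, S, 40000, 80, frozenset({"ACK"}))
DATA = Packet(C, S, 40000, 80, frozenset({"ACK", "PSH"}))

if __name__ == "__main__":
    print("symmetric :", replay([SYN, SYNACK, ACK, DATA]))
    print("asymmetric:", replay([SYN, ACK, DATA]))   # SYN-ACK took another path
```

In the asymmetric replay the opening SYN is admitted, but the client's ACK and data are dropped because the tracker never observed the SYN-ACK.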


More information about the NANOG mailing list