Finding asymmetric path

Arie Vayner arievayner at
Sun Nov 29 08:17:18 UTC 2009

Actually, this can be achieved easily using reflexive ACLs on any Cisco
router, so no real need to change the topology or add new devices in the


On Sat, Nov 28, 2009 at 10:26 PM, Duane Waddle <duane.waddle at> wrote:

> On Sat, Nov 28, 2009 at 1:41 PM, Brielle Bruns <bruns at> wrote:
> > My partner Tammy says a PIX could probably accomplish the same task (we
> > have some here for the corp lan stuff, including spares).
> Yes, a PIX/ASA would stop this cold.  The TCP state tracking would not
> allow traffic to pass unless the whole 3-way handshake was observed by
> the box.  Only recently did Cisco add features to make tracking the
> TCP connection state optional.
> The larger ASA-5580 machines can be virtualized into dozens (or more)
> security contexts as needed.  I imagine it would take some effort to
> figure out how to cleanly integrate such a configuration into a POP.
> --D
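The thread's point is that a stateful box (PIX/ASA, or an IOS reflexive ACL) only passes return traffic for sessions whose outbound leg it has already seen, so an asymmetric path shows up as return traffic being dropped. The following is an added illustration, not code from the thread or from Cisco: a small Python model of that state tracking, fed two constructed packet traces (one symmetric, one where only the return leg reaches this box). The packet fields, the 4-tuple keying and the sample addresses are all assumptions made for the model; on IOS the equivalent is an extended ACL whose outbound entries carry `reflect` and whose inbound list uses `evaluate`.

```python
"""
Toy model of stateful TCP tracking, used to flag asymmetric flows.

An inbound packet is permitted only if it mirrors a session whose
outbound SYN this tracker already saw; anything else is dropped and
recorded. Return traffic for a session with no forward state is exactly
what an asymmetric path looks like from a single stateful device.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str         # "ip:port" (constructed values, not captured traffic)
    dst: str
    direction: str   # "out" = inside -> outside, "in" = outside -> inside
    flags: str = ""  # "S" SYN, "SA" SYN-ACK, "A" ACK


@dataclass
class StatefulTracker:
    # Sessions keyed as (inside endpoint, outside endpoint), i.e. the
    # 4-tuple as seen on the outbound leg. This mirrors what a reflexive
    # ACL entry records; timeouts are omitted for brevity.
    sessions: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is permitted, False if it is dropped."""
        if pkt.direction == "out":
            # An outbound SYN (not SYN-ACK) creates the reflexive entry.
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.sessions.add((pkt.src, pkt.dst))
            return True
        # Inbound: permitted only if it is the mirror of a known session.
        if (pkt.dst, pkt.src) in self.sessions:
            return True
        self.dropped.append(pkt)
        return False


def run(packets):
    """Feed one trace through a fresh tracker; return (permitted, dropped)."""
    tracker = StatefulTracker()
    permitted = [p for p in packets if tracker.process(p)]
    return permitted, tracker.dropped


def asymmetric_sessions(packets):
    """Distinct (outside, inside) pairs whose return traffic had no forward state."""
    _, dropped = run(packets)
    return sorted({(p.src, p.dst) for p in dropped})


# Constructed sample traces (hypothetical addresses from documentation ranges).
INSIDE, OUTSIDE = "10.0.0.5:40000", "198.51.100.7:80"

# Symmetric path: both legs of the handshake cross this box.
SYMMETRIC = [
    Packet(INSIDE, OUTSIDE, "out", "S"),
    Packet(OUTSIDE, INSIDE, "in", "SA"),
    Packet(INSIDE, OUTSIDE, "out", "A"),
    Packet(OUTSIDE, INSIDE, "in", "A"),
]

# Asymmetric path: the forward leg went through some other device, so this
# tracker only ever sees the return leg and has no state for it.
ASYMMETRIC_RETURN_LEG = [
    Packet(OUTSIDE, INSIDE, "in", "SA"),
    Packet(OUTSIDE, INSIDE, "in", "A"),
]


if __name__ == "__main__":
    for name, trace in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC_RETURN_LEG)):
        permitted, dropped = run(trace)
        print(f"{name}: {len(permitted)} permitted, {len(dropped)} dropped")
        for outside, inside in asymmetric_sessions(trace):
            print(f"  return traffic with no forward state: {outside} -> {inside}")
```

The model also shows why the security-context idea in the quoted reply needs care in a POP: each context keeps its own state, so both legs of a session must traverse the same context for the return traffic to be accepted.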

More information about the NANOG mailing list