In order to allow the STT tunnel (http://tools.ietf.org/html/draft-davie-stt-00) through a firewall, you need to bypass the firewall's TCP SYN/ACK state checking.
STT uses a header that looks just like a TCP header to the NIC, so the NIC can perform Large Segment Offload on what it thinks is a TCP datagram. No real TCP handshake takes place, however, so a stateful firewall drops the traffic.
The Cisco ASA can bypass this check on specific interfaces for traffic matched by an ACL:
access-list tcp-bypass-syn-ack extended permit tcp src_network-host dst_network-host
access-list tcp-bypass-syn-ack extended permit tcp dst_network-host src_network-host
class-map tcp_bypass_syn_ack
 match access-list tcp-bypass-syn-ack
policy-map tcp_bypass_syn_ack_policy
 class tcp_bypass_syn_ack
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_syn_ack_policy interface ingress_interface
service-policy tcp_bypass_syn_ack_policy interface egress_interface
Verify that the tunnel connections are being bypassed (state-bypass connections carry the b flag):
show conn | include flags b
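As an added example (not part of the original post), this Python script parses saved `show conn` output and reports any state-bypassed connection whose endpoints are not the intended tunnel hosts, which is a quick check that the ACL is not bypassing more than the tunnel. The sample output, addresses, ports, interface names and function names are constructed for illustration, and the line layout is assumed to follow the usual `show conn` format.

```python
import ipaddress
import re

# Constructed sample of `show conn` output; addresses, ports and interface
# names are made up for this example.
SAMPLE_SHOW_CONN = """\
TCP outside 192.0.2.10:50000 inside 198.51.100.20:51000, idle 0:00:03, bytes 918273, flags b
TCP outside 198.51.100.20:50000 inside 192.0.2.10:51444, idle 0:00:01, bytes 55012, flags b
TCP outside 203.0.113.77:443 inside 198.51.100.20:40222, idle 0:00:09, bytes 4096, flags UIOB
TCP outside 203.0.113.50:22 inside 198.51.100.20:40999, idle 0:00:12, bytes 300, flags b
"""

CONN_RE = re.compile(
    r"^TCP\s+\S+\s+(?P<ip1>[\d.]+):\d+\s+\S+\s+(?P<ip2>[\d.]+):\d+,"
    r".*\bflags\s+(?P<flags>\S*)\s*$"
)


def bypassed_conns(show_conn_text):
    """Return (ip1, ip2) pairs for connections carrying the lowercase 'b' flag."""
    pairs = []
    for line in show_conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        # Case matters: 'b' is state bypass, 'B' is a different flag.
        if m and "b" in m.group("flags"):
            pairs.append((m.group("ip1"), m.group("ip2")))
    return pairs


def unexpected_bypass(show_conn_text, tunnel_networks):
    """Return bypassed pairs with an endpoint outside the intended tunnel networks."""
    nets = [ipaddress.ip_network(n) for n in tunnel_networks]

    def allowed(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    return [p for p in bypassed_conns(show_conn_text)
            if not (allowed(p[0]) and allowed(p[1]))]


if __name__ == "__main__":
    # Hypothetical tunnel endpoints, standing in for src_network-host / dst_network-host.
    for a, b in unexpected_bypass(SAMPLE_SHOW_CONN, ["192.0.2.10/32", "198.51.100.20/32"]):
        print(f"state bypass outside the tunnel ACL: {a} <-> {b}")
```

Unlike the `include flags b` filter, the script checks the whole flag field, so a connection where `b` is not the first flag is still counted.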