
ASA5510

allenelson
Level 1

Any ASA gurus out there? I'm running into problems with a remote VPN and actually accessing the ASA.

It isn't, but it is filtering ICMP requests and telnet sessions. On the ASA, I've allowed ICMP on the outside interface and also allowed telnet sessions from the VPN pool. When capturing packets, this is what is seen:

Src             Dest
192.168.1.150   192.168.1.1     TCP [SYN]
192.168.1.1     192.168.1.150   TCP [SYN, ACK]
192.168.1.150   192.168.1.1     TCP [ACK]
192.168.1.150   192.168.1.1     TELNET Telnet data..
192.168.1.150   192.168.1.1     TELNET [TCP Retransmission] Telnet data..
192.168.1.150   192.168.1.1     TELNET [TCP Retransmission] Telnet data..
192.168.1.150   192.168.1.1     TELNET [TCP Retransmission] Telnet data..

And the connection hangs and never receives a login prompt. On the ASA, this is the output:

%ASA-6-302013: Built inbound TCP connection 583 for Outside:192.168.1.150/4294 (192.168.1.150/4294) to NP Identity Ifc:192.168.1.1/23 (192.168.1.1/23) (admin)
%ASA-6-302014: Teardown TCP connection 583 for Outside:192.168.1.150/4294 to NP Identity Ifc:192.168.1.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept (admin)
%ASA-6-302013: Built inbound TCP connection 585 for Outside:192.168.1.150/4294 (192.168.1.150/4294) to NP Identity Ifc:192.168.1.1/23 (192.168.1.1/23) (admin)
%ASA-6-302015: Built inbound UDP connection 588 for Outside:192.168.1.150/138 (192.168.1.150/138) to NP Identity Ifc:192.168.1.255/138 (192.168.1.255/138) (admin)
%ASA-6-302014: Teardown TCP connection 569 for Outside:192.168.1.150/4292 to NP Identity Ifc:192.168.1.1/23 duration 0:06:34 bytes 86 Connection timeout (admin)
%ASA-6-302015: Built inbound UDP connection 589 for Outside:192.168.1.150/137 (192.168.1.150/137) to NP Identity Ifc:192.168.1.255/137 (192.168.1.255/137) (admin)

I don't see any ACLs filtering it out, and it seems the connection is fine; it just isn't transmitting the data. The only thing I can think of is that maybe NAT is somehow interfering with the transfer?

And with ICMP replies, the ASA output is clean for the actual session, but the responses time out. I can ping other switches on their 192.168.1.x address, and the output is the same.

Any help would be much appreciated.
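A small triage helper, added here as an example and not part of the original post: it joins the ASA 302013/302014 syslog lines quoted above on the connection id and reports the flows to the ASA itself (the "NP Identity Ifc" pseudo-interface) that were torn down carrying zero bytes, together with the teardown reason, which is the field that names TCP Intercept in this thread. The message layout it assumes is the standard ASA 302013/302014 format; the only input lines are the ones from the post.

```python
import re

# Input: the four TCP syslog lines quoted in the post above (no lines invented).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 583 for Outside:192.168.1.150/4294 (192.168.1.150/4294) to NP Identity Ifc:192.168.1.1/23 (192.168.1.1/23) (admin)
%ASA-6-302014: Teardown TCP connection 583 for Outside:192.168.1.150/4294 to NP Identity Ifc:192.168.1.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept (admin)
%ASA-6-302013: Built inbound TCP connection 585 for Outside:192.168.1.150/4294 (192.168.1.150/4294) to NP Identity Ifc:192.168.1.1/23 (192.168.1.1/23) (admin)
%ASA-6-302014: Teardown TCP connection 569 for Outside:192.168.1.150/4292 to NP Identity Ifc:192.168.1.1/23 duration 0:06:34 bytes 86 Connection timeout (admin)
"""

# 302013: Built <dir> TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>) [(user)]
# Interface names may contain spaces ("NP Identity Ifc"), so they are matched lazily up to the colon.
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>.+?):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \(.*?\) to "
    r"(?P<dst_if>.+?):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
# 302014: Teardown TCP connection <id> for <src> to <if>:<ip>/<port> duration h:mm:ss bytes <n> [reason] [(user)]
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for .+? to "
    r"(?P<dst_if>.+?):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) duration "
    r"(?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>[^()]*?))?(?: \(\S+\))?$"
)


def correlate_tcp_flows(log_text: str) -> dict[int, dict]:
    """Join Built/Teardown messages on the connection id; bytes=None means no teardown seen yet."""
    flows: dict[int, dict] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BUILT_RE.match(line):
            flows[int(m["id"])] = {"src": f"{m['src_ip']}/{m['src_port']}", "dst_if": m["dst_if"],
                                   "dst": f"{m['dst_ip']}/{m['dst_port']}", "bytes": None,
                                   "duration_s": None, "reason": None}
        elif m := TEARDOWN_RE.match(line):
            # A teardown may lack its Built line (log rotation, buffer started late), so create on demand.
            flow = flows.setdefault(int(m["id"]), {"src": None})
            flow.update(dst_if=m["dst_if"], dst=f"{m['dst_ip']}/{m['dst_port']}", bytes=int(m["bytes"]),
                        duration_s=int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
                        reason=m["reason"] or "normal close")
    return flows


def empty_flows_to_asa(flows: dict[int, dict]) -> dict[int, str]:
    """Connections that reached the ASA itself (NP Identity Ifc) and died with zero payload bytes, keyed to the teardown reason."""
    return {cid: f["reason"] for cid, f in sorted(flows.items())
            if f.get("dst_if") == "NP Identity Ifc" and f.get("bytes") == 0}
```

Running it over the post's lines flags connection 583 with reason "Flow terminated by TCP Intercept", while 569 (86 bytes, "Connection timeout") and the still-open 585 are left out.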

1 Reply

allenelson
Level 1

Well, I stumbled upon 'management-access' and can now ping the ASA. However, I am unable to ping anything but the ASA now. This is the output of a ping from the ASA, and a switch directly connected to it:

ICMP echo request from 172.16.32.1 to 192.168.1.1 ID=768 seq=7680 len=32
ICMP echo reply from 192.168.1.1 to 172.16.32.1 ID=768 seq=7680 len=32
ICMP echo request from 172.16.32.1 to 192.168.1.1 ID=768 seq=7936 len=32
ICMP echo reply from 192.168.1.1 to 172.16.32.1 ID=768 seq=7936 len=32
ICMP echo request from 172.16.32.1 to 192.168.1.1 ID=768 seq=8192 len=32
ICMP echo reply from 192.168.1.1 to 172.16.32.1 ID=768 seq=8192 len=32
ICMP echo request from 172.16.32.1 to 192.168.1.1 ID=768 seq=8448 len=32
ICMP echo reply from 192.168.1.1 to 172.16.32.1 ID=768 seq=8448 len=32
ICMP echo request from Outside:172.16.32.1 to Inside:192.168.1.2 ID=768 seq=8704 len=32
ICMP echo request from Outside:172.16.32.1 to Inside:192.168.1.2 ID=768 seq=8960 len=32
ICMP echo request from Outside:172.16.32.1 to Inside:192.168.1.2 ID=768 seq=9216 len=32
ICMP echo request from Outside:172.16.32.1 to Inside:192.168.1.2 ID=768 seq=9472 len=32

I've also checked the statistics in my VPN client. I do have a secured route for 192.168.1.0. Anyone?
