CISCO ASA5510

Unanswered Question
May 31st, 2007
|May 31 2007 18:59:20|106001: Inbound TCP connection denied from 10.0.0.0/1891 to 192.168.0.0/23 flags SYN on interface Outside



I am receiving this error for both TCP and ICMP traffic. I can ping from the 10.0.0.0 network to the outside interface, but I cannot ping/telnet to the 192.168.0.0 network. There is an access-list for TCP traffic. The hit counter for that is 0. That means traffic can reach the outside interface but cannot access the inside interface.


Any clues?


Thanks

thomas.chen Wed, 06/06/2007 - 12:33

This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible TCP_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The TCP_flags in this packet are FIN and ACK.


The TCP_flags are as follows:

- ACK: The acknowledgment number was received.
- FIN: Data was sent.
- PSH: The receiver passed data to the application.
- RST: The connection was reset.
- SYN: Sequence numbers were synchronized to start a connection.
- URG: The urgent pointer was declared valid.


Try this link:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm#wp1022675
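As an added example (not from this thread or from Cisco), a small Python parser that splits 106001 lines into their fields, decodes the flags using the list above, and tells a blocked new connection (bare SYN, the question's case) apart from a packet with no connection state (the FIN/ACK case). The first sample line is the one from the question; the second is constructed.

```python
import re
from typing import Dict, List, Optional
# Field layout of PIX/ASA message 106001 as quoted in the question:
#   106001: Inbound TCP connection denied from SRC/SPORT to DST/DPORT flags FLAGS on interface IFACE
MSG_106001 = re.compile(
    r"106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)(?:/(?P<sport>\d+))? to (?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: flags (?P<flags>[A-Z ]+?))? on interface (?P<iface>\S+)"
)
# TCP_flags meanings as listed in the answer above.
FLAG_MEANINGS: Dict[str, str] = {
    "ACK": "The acknowledgment number was received.",
    "FIN": "Data was sent.",
    "PSH": "The receiver passed data to the application.",
    "RST": "The connection was reset.",
    "SYN": "Sequence numbers were synchronized to start a connection.",
    "URG": "The urgent pointer was declared valid.",
}

def parse_106001(line: str) -> Optional[dict]:
    """Split one 106001 line into its fields; None if the line is some other message."""
    m = MSG_106001.search(line)
    if not m:
        return None
    flags = m["flags"].split() if m["flags"] else []
    return {
        "proto": m["proto"], "iface": m["iface"],
        "src": m["src"], "sport": int(m["sport"]) if m["sport"] else None,
        "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None,
        "flags": flags,
        "flag_meanings": [FLAG_MEANINGS.get(f, "unknown flag") for f in flags],
        # A bare SYN is a new connection stopped by the interface ACL (the
        # question's case); any other flag set is a packet for which the
        # firewall holds no connection state, like the FIN/ACK example above.
        "kind": ("new connection blocked by policy" if flags == ["SYN"]
                 else "packet with no matching connection state"),
    }

# Constructed sample: the line from the question plus one made-up FIN/ACK line.
SAMPLE_LOG: List[str] = [
    "|May 31 2007 18:59:20|106001: Inbound TCP connection denied from 10.0.0.0/1891 "
    "to 192.168.0.0/23 flags SYN on interface Outside",
    "|May 31 2007 18:59:25|106001: Inbound TCP connection denied from 10.0.0.5/443 "
    "to 192.168.0.7/51022 flags FIN ACK on interface Outside",
]

if __name__ == "__main__":
    for entry in map(parse_106001, SAMPLE_LOG):
        print(entry["kind"], entry["src"], "->", entry["dst"], entry["flags"])
```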



Rodrigo Gurriti Wed, 06/06/2007 - 14:16

"There is an access-list for TCP traffic. The hit counter for that is 0. That means traffic can reach the outside interface but cannot access the inside interface."


Remember that outside is less secure than inside, therefore you need an access list TO ALLOW outside traffic to inside.


You need to have an access list like this:

access-list OUTSIDE_TO_INSIDE extended permit tcp any any


Then apply it to the outside interface!


access-group OUTSIDE_TO_INSIDE in interface outside



Then you should have hits on the counters; otherwise the access list isn't working.

