in and out from the same interface of ASA

Unanswered Question
Jun 2nd, 2008

Please find the attached network setup. We can connect to the server from the Internet FW, but not from the Internal FW. After troubleshooting, it turned out that the traffic from the Internal FW to the server goes to the server directly without passing through the Internet FW, while the traffic passing back from the server goes to the Internet FW first; since there is no session in that FW, the traffic is denied. In the routing table of the firewall, it shows:

"C is directly connected, DMZ"

and I want the traffic to the server to reach the Internet FW first, so I added

" route dmz".

but the test is still not successful. Can somebody provide a solution for it?

By the way, before I added this route, the deny message was: "2 Jun 03 2008 00:29:58 106001 Inbound TCP connection denied from to flags SYN ACK on interface inside"

After I added this route, I got another error message:

"2 Jun 03 2008 00:29:58 106001 Inbound TCP connection denied from to flags SYN on interface inside"

dave96chi Tue, 06/03/2008 - 01:35

Try this command:

same-security-traffic permit inter-interface

Farrukh Haroon Tue, 06/03/2008 - 01:50

The second error (NAT related) I've already answered on your other post.

The first error can be resolved using two ways:

1) Add a static route on the server like this:

route add mask

Preferably with the -p option to make the static route survive reboots.


2) Allow the necessary traffic on the inside interface access-list of the Internet_FW. You might also need to do the same on the 'outside' interface of the Intranet_FW.

Please note the second option is the preferred one.
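The two 106001 messages in the question are the tell-tale sign of this problem: a denied SYN ACK on the inside interface is a server reply arriving at a firewall that never saw the SYN (asymmetric return path), whereas a denied plain SYN is an ordinary policy or NAT deny. The following is an added triage script, not part of this thread or of any Cisco tool; it parses %ASA-2-106001 lines in the format quoted above and separates the two cases. The log lines and the RFC 5737 addresses in them are constructed for the example.

```python
import re
from collections import Counter

# %ASA-2-106001 body as quoted in the thread; the prefix is severity,
# timestamp and message id ("2 Jun 03 2008 00:29:58 106001 ...").
ASA_106001 = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+106001\s+"
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)$"
)

# Constructed sample log (addresses from RFC 5737 documentation ranges):
# 192.0.2.10 plays the DMZ server, 198.51.100.20 the client behind the Intranet FW.
SAMPLE_LOGS = [
    "2 Jun 03 2008 00:29:58 106001 Inbound TCP connection denied from 192.0.2.10/443 "
    "to 198.51.100.20/51000 flags SYN ACK on interface inside",
    "2 Jun 03 2008 00:30:01 106001 Inbound TCP connection denied from 192.0.2.10/443 "
    "to 198.51.100.20/51001 flags SYN ACK on interface inside",
    "2 Jun 03 2008 00:31:12 106001 Inbound TCP connection denied from 198.51.100.20/52000 "
    "to 192.0.2.10/443 flags SYN on interface inside",
    "6 Jun 03 2008 00:31:13 302013 Built inbound TCP connection 12345 for outside ...",
]

def parse_106001(line):
    """Return the fields of a 106001 line as a dict, or None for other messages."""
    m = ASA_106001.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["flags"] = event["flags"].split()
    return event

def classify(event):
    """SYN ACK with no session = reply on an asymmetric path; bare SYN = policy deny."""
    flags = set(event["flags"])
    if flags == {"SYN", "ACK"}:
        return "asymmetric-return"
    if flags == {"SYN"}:
        return "policy-deny"
    return "other"

def summarize(lines):
    """Count denies per (interface, category) so asymmetric paths stand out."""
    counts = Counter()
    for line in lines:
        event = parse_106001(line)
        if event is not None:
            counts[(event["iface"], classify(event))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{key[0]:<10} {key[1]:<18} {n}")
```

A high count of asymmetric-return denies on one interface points at a routing fix (option 1 or the DMZ route discussed above), while policy-deny counts point at the access-list or NAT configuration (option 2).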
