Cisco ASA 5520: Static Route to internal VPN Gateway, TCP Reset-O

Jun 19th, 2008

Our ASA 5520 is configured as the default gateway on our network (10.31.0.254/16); we have a separate VPN gateway at 10.31.255.254/16 that connects our school back to the other sites in the district. (Normally that VPN box is the default gateway for the rest of the district, but because of our heavy web traffic and static NAT requirements we installed a 5520 in parallel with the VPN box.)


The VPN link is up and connects our 10.31.0.0 subnet to the following networks: 10.12.0.0, 10.63.0.0, etc. (each school's site code). The VPN box has two NICs; 10.31.255.254 is on the same switch as the Inside interface.


I have the following static routes defined:

route Inside 10.12.0.0 255.255.0.0 10.31.255.254 1
route Inside 10.18.0.0 255.255.0.0 10.31.255.254 1
route Inside 10.61.0.0 255.255.0.0 10.31.255.254 1
route Inside 10.63.0.0 255.255.0.0 10.31.255.254 1
route Inside 10.64.0.0 255.255.0.0 10.31.255.254 1

object-group network DM_INLINE_NETWORK_1
 network-object 10.12.0.0 255.255.0.0
 network-object 10.18.0.0 255.255.0.0
 network-object 10.61.0.0 255.255.0.0
 network-object 10.63.0.0 255.255.0.0
 network-object 10.64.0.0 255.255.0.0

access-list Outside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any any
access-list Inside_nat0_outbound extended permit ip any 10.31.224.0 255.255.252.0
access-list Inside_nat0_outbound extended permit ip any 10.31.227.0 255.255.255.240
access-list Inside_nat0_outbound extended permit ip 10.31.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1


I can ping any IP within the defined routes from a workstation, and the packet trace passes in ASDM, but as soon as I try to initiate a session (HTTP, SSH, Telnet) it drops them with the following log entries:


6|Jun 18 2008|15:54:35|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575385 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)
6|Jun 18 2008|15:54:35|302014|10.31.200.43|10.18.0.1|Teardown TCP connection 5575355 for Inside:10.31.200.43/2935 to Inside:10.18.0.1/25 duration 0:00:05 bytes 0 TCP Reset-O
6|Jun 18 2008|15:54:29|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575355 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)
6|Jun 18 2008|15:54:28|106015|10.31.200.43|10.18.0.1|Deny TCP (no connection) from 10.31.200.43/2935 to 10.18.0.1/25 flags RST  on interface Inside
6|Jun 18 2008|15:54:26|302014|10.31.200.43|10.18.0.1|Teardown TCP connection 5575326 for Inside:10.31.200.43/2935 to Inside:10.18.0.1/25 duration 0:00:00 bytes 0 TCP Reset-O
6|Jun 18 2008|15:54:26|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575326 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)
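As an added example (not code from the post, from Cisco, or from any reply), a small Python parser for the ASDM-style records quoted above. It correlates the 302013 Built and 302014 Teardown lines by connection id, flags teardowns that carry `bytes 0` with a TCP reset, lists flows that entered and left the ASA on the same interface, counts retries per client/server pair, and collects the 106015 "no connection" RST. The sample records are the post's own six lines with the hyperlink residue stripped; the regular expressions assume exactly the field layout those lines show, and the function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASDM real-time log records are pipe-delimited:
#   severity|date|time|message-id|source|destination|text
RECORD_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[^|]+)\|(?P<time>[\d:]+)\|(?P<msgid>\d{6})\|"
    r"(?P<src>[^|]*)\|(?P<dst>[^|]*)\|(?P<text>.*)$"
)
# 302013: Built <dir> TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) .*? to "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# 302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port> duration h:mm:ss bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$"
)
# 106015: Deny TCP (no connection) from <ip>/<port> to <ip>/<port> flags <flags> on interface <if>
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)"
)


@dataclass
class Conn:
    conn_id: str
    src: str                        # "ip/port" of the initiator
    dst: str                        # "ip/port" of the responder
    in_if: str                      # interface the SYN arrived on
    out_if: str                     # interface the ASA forwarded it out of
    built_at: Optional[str] = None
    torn_at: Optional[str] = None
    duration: Optional[str] = None
    byte_count: Optional[int] = None
    reason: str = ""


def _conn_for(conns: Dict[str, Conn], m: "re.Match") -> Conn:
    return conns.setdefault(m["id"], Conn(m["id"], f"{m['src']}/{m['sport']}",
                                          f"{m['dst']}/{m['dport']}", m["sif"], m["dif"]))


def parse_asa_log(lines: List[str]) -> Tuple[Dict[str, Conn], List[dict]]:
    """Correlate 302013/302014 records by connection id and collect 106015 denies.
    Keying on the id means a reverse-chronological ASDM export parses fine."""
    conns: Dict[str, Conn] = {}
    denies: List[dict] = []
    for line in lines:
        rec = RECORD_RE.match(line.strip())
        if not rec:
            continue  # not an ASDM record; ignore
        msgid, text, ts = rec["msgid"], rec["text"], rec["time"]
        if msgid == "302013" and (m := BUILT_RE.search(text)):
            _conn_for(conns, m).built_at = ts
        elif msgid == "302014" and (m := TEARDOWN_RE.search(text)):
            c = _conn_for(conns, m)
            c.torn_at, c.duration = ts, m["dur"]
            c.byte_count, c.reason = int(m["bytes"]), m["reason"].strip()
        elif msgid == "106015" and (m := DENY_RE.search(text)):
            denies.append({"time": ts, "src": f"{m['src']}/{m['sport']}",
                           "dst": f"{m['dst']}/{m['dport']}",
                           "flags": m["flags"], "iface": m["iface"]})
    return conns, denies


def zero_byte_resets(conns: Dict[str, Conn]) -> List[str]:
    """Ids of flows the ASA built and then tore down on a TCP reset before it
    counted any payload bytes: the handshake never completed through the ASA."""
    return sorted(cid for cid, c in conns.items()
                  if c.byte_count == 0 and c.reason.startswith("TCP Reset"))


def hairpin_flows(conns: Dict[str, Conn]) -> List[str]:
    """Ids of flows that entered and left on the same interface, i.e. the ASA is
    one of two gateways on that segment and relies on the other one to send
    replies back through it."""
    return sorted(cid for cid, c in conns.items() if c.in_if == c.out_if)


def retry_counts(conns: Dict[str, Conn]) -> Counter:
    """Connection attempts per (client, server) pair; the same client port
    reappearing is the client retrying the same session."""
    return Counter((c.src, c.dst) for c in conns.values())


# The six records from the post, with ASDM's hyperlink residue removed.
SAMPLE_LOG = [
    "6|Jun 18 2008|15:54:35|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575385 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)",
    "6|Jun 18 2008|15:54:35|302014|10.31.200.43|10.18.0.1|Teardown TCP connection 5575355 for Inside:10.31.200.43/2935 to Inside:10.18.0.1/25 duration 0:00:05 bytes 0 TCP Reset-O",
    "6|Jun 18 2008|15:54:29|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575355 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)",
    "6|Jun 18 2008|15:54:28|106015|10.31.200.43|10.18.0.1|Deny TCP (no connection) from 10.31.200.43/2935 to 10.18.0.1/25 flags RST  on interface Inside",
    "6|Jun 18 2008|15:54:26|302014|10.31.200.43|10.18.0.1|Teardown TCP connection 5575326 for Inside:10.31.200.43/2935 to Inside:10.18.0.1/25 duration 0:00:00 bytes 0 TCP Reset-O",
    "6|Jun 18 2008|15:54:26|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575326 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)",
]

if __name__ == "__main__":
    conns, denies = parse_asa_log(SAMPLE_LOG)
    print("zero-byte reset teardowns:", zero_byte_resets(conns))
    print("same-interface flows:", hairpin_flows(conns))
    print("attempts per client/server pair:", dict(retry_counts(conns)))
    print("denied out-of-state segments:", denies)
```

On the post's records this reports three attempts from the same client port 2935 to 10.18.0.1/25, two of them built and then reset with zero bytes within seconds, every flow Inside-to-Inside, and one RST that reached the ASA after it had already dropped the connection state. That combination is what to look for when an inside host is using a second gateway on its own segment, and it matches the reply's point that the VPN concentrator has to route 10.31.0.0/16-bound traffic back through the ASA, because a stateful firewall that sees only the client's half of a TCP handshake will tear the session down.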

Amadou TOURE Thu, 06/19/2008 - 12:57

Hello,

Does the VPN concentrator route all traffic destined for the network 10.31.0.0 255.255.255.0 back to the ASA?

Regards

Amadou TOURE Fri, 06/20/2008 - 07:09

Hello,


The VPN concentrator should route all traffic destined for the network 10.31.0.0/16 to the ASA, for stateful inspection purposes.

I think that your problem is related to that fact.


Regards
