Inside Network access DMZ Host

Unanswered Question
Jun 23rd, 2008

Hi;

I have an ASA 5510 on my network, which has 3 networks (inside, outside, dmz).

When a DMZ host accesses an inside host, it works OK, but when an inside host tries to access the DMZ host, the following message is displayed in the log:

Deny TCP (no connection) from hid-dmz/25 to hid-iwss/44674 flags SYN ACK on interface dmz

The static nat:

static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (inside,dmz) 10.40.4.0 10.40.4.0 netmask 255.255.255.0

where:

172.16.1.0/24: DMZ Network

10.40.4.0/24: Inside Network

acomiskey Mon, 06/23/2008 - 10:40

You shouldn't need this...

no static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

gilbertojardim Mon, 06/23/2008 - 10:52

Even removing this, the problem continues...

All ACLs are set to permit traffic...

mohammed_moustafa Tue, 06/24/2008 - 02:02

Hi Dear,

I doubt very much that the problem is the NAT translation. The error message says "no connection", which means the TCP SYN and the SYN/ACK reply are going along different paths, so the firewall will drop that reply. But to make sure the problem is not in the NAT translation, use this command:

no nat-control

and remove both static NAT commands.

If you can post the configuration of your firewall it will be very helpful.

Let me know the results.

B.regards.
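The diagnosis in the reply above rests on reading the "no connection" deny correctly: a SYN ACK arriving on the server-side interface for a flow the firewall has no state for means the client's SYN never built a connection on this firewall. The following Python script is an added example (not from the original thread or from Cisco) that parses such deny lines and sorts them by TCP flags, so a log export can be checked for the pattern quickly. The first sample line is the one quoted in the question; the other lines, the hostnames and the addresses in them are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample log. Line 1 is the message from the question; the rest are
# made-up lines in the same format to exercise the classifier.
SAMPLE_LOG = """\
Deny TCP (no connection) from hid-dmz/25 to hid-iwss/44674 flags SYN ACK on interface dmz
Built inbound TCP connection 1234 for dmz:hid-dmz/25 (172.16.1.25/25) to inside:hid-iwss/44674 (10.40.4.5/44674)
Deny TCP (no connection) from 172.16.1.25/443 to 10.40.4.7/51020 flags ACK on interface dmz
Deny TCP (no connection) from 10.40.4.9/3389 to 172.16.1.40/40001 flags RST on interface inside
"""

# Matches the body of the deny message as shown in the question. search() is used
# so that a syslog timestamp/host/message-id prefix in front of it does not matter.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


@dataclass(frozen=True)
class NoConnDeny:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # space-separated flag names exactly as logged, e.g. "SYN ACK"
    iface: str   # interface the dropped packet arrived on


def parse_no_connection(line: str) -> Optional[NoConnDeny]:
    """Return a NoConnDeny for a 'Deny TCP (no connection)' line, else None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return NoConnDeny(
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        flags=m["flags"].strip(), iface=m["iface"],
    )


def classify(d: NoConnDeny) -> str:
    """Label a deny by what the flags say about the missing state.

    syn-ack-without-syn : the server's handshake reply arrived but the firewall
                          never saw the client's SYN, so no connection was built.
                          This is the asymmetric-path symptom described in the thread.
    ack-for-unknown-flow: mid-connection segment for a flow the firewall has no
                          state for (typically a timed-out or asymmetric session).
    rst-for-unknown-flow: stray reset, usually harmless.
    """
    flags = set(d.flags.split())
    if flags == {"SYN", "ACK"}:
        return "syn-ack-without-syn"
    if "RST" in flags:
        return "rst-for-unknown-flow"
    if "ACK" in flags and "SYN" not in flags:
        return "ack-for-unknown-flow"
    return "other"


def summarize(log_text: str) -> Dict[Tuple[str, str], int]:
    """Count (classification, arriving interface) pairs over a whole log export."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        d = parse_no_connection(line)
        if d is not None:
            counts[(classify(d), d.iface)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (kind, iface), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {kind:22s} arriving on {iface}")
```

A cluster of `syn-ack-without-syn` entries on the server-side interface (here `dmz`) for connections that clients on `inside` are initiating is the signature to look for; it says the SYN reached the server without creating state on this ASA, which is consistent with the asymmetric-path explanation rather than with a NAT problem.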
