Hi, here's the scenario:
I have a 5510 as the default gateway for the network, on 188.8.131.52/23
There is another 5510 on the network on 184.108.40.206, this is the gateway for another network 220.127.116.11/23.
There is one host behind the second 5510 at 18.104.22.168.
There is a route in the first 5510 to route traffic to the 22.214.171.124 network to 126.96.36.199. This works (eventually, after doing some stuff with the NAT between the two networks), and I can ping between the hosts 188.8.131.52 and 184.108.40.206, so I know that there is a traffic path. However, VNC traffic will not pass, and I get Reset-O in the log.
However, if I put a static route into the client on .19 to route via 220.127.116.11 then the VNC will connect.
I conclude therefore that there are issues with the gateway 5510 on 18.104.22.168, where a rule (or rules) is stopping the traffic from passing (even though it should be going into and out of the same interface).
The rules are:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Webmail tcp
port-object eq 32000
object-group network ROP
network-object 22.214.171.124 255.255.254.0
object-group protocol TCPUDP
object-group protocol DM_INLINE_PROTOCOL_1
object-group protocol DM_INLINE_PROTOCOL_2
object-group service VNC tcp
port-object eq 5900
access-list IPSecVPN_splitTunnelAcl standard permit 126.96.36.199 255.255.254.0
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside object-group Webmail
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any log debugging inactive
access-list inside_nat0_outbound extended permit ip 188.8.131.52 255.255.254.0 184.108.40.206 255.255.255.240
access-list nonat extended permit ip 220.127.116.11 255.255.254.0 18.104.22.168 255.255.255.240
access-list nonat extended permit ip 22.214.171.124 255.255.254.0 126.96.36.199 255.255.254.0
access-list inside_nat0_outbound_1 extended permit ip 188.8.131.52 255.255.254.0 184.108.40.206 255.255.255.240
access-list inside_nat0_outbound_2 extended permit ip 220.127.116.11 255.255.254.0 18.104.22.168 255.255.254.0
access-list inside_nat0_outbound_2 extended permit ip 22.214.171.124 255.255.254.0 host 126.96.36.199
access-list inside_access_out extended permit tcp any any object-group VNC
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 0 access-list inside_nat0_outbound_2 outside
nat (inside) 10 188.8.131.52 255.255.254.0
static (inside,outside) tcp interface smtp 184.108.40.206 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 32000 220.127.116.11 32000 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 xxx.46.169.22 10
route inside 18.104.22.168 255.255.255.255 22.214.171.124 1
route inside 126.96.36.199 255.255.254.0 188.8.131.52 1
This 5510 (the gateway one) is also acting as an internet gateway and is working fine in that respect. It is just this problem with traffic routed back into the LAN.
Can anyone see where I need to make any changes?
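As an added illustration (not part of the original post, and not the poster's configuration or Cisco's code), the script below is a small evaluator for the subset of ASA syntax that appears in the config above: object-groups, extended access-lists, access-group bindings and the intra-interface permit. It parses the quoted lines and reports how a connection-initiating packet fares against the inbound ACL of the interface it enters and the outbound ACL of the interface it leaves, which for the hairpinned VNC flow is the same inside interface both times. Assumptions: the sample config is constructed from the lines in the post (addresses exactly as posted); NAT and the security-level default policy for interfaces with no ACL bound are not modelled; an ACE destination of `interface outside` needs the interface address, which the post does not give, so it is treated as not matching.

```python
"""Added example: evaluate a flow against the ASA ACL subset used in the post."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the ACL-related lines quoted in the post, addresses as posted.
SAMPLE_CONFIG = """
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network ROP
network-object 22.214.171.124 255.255.254.0
object-group service VNC tcp
port-object eq 5900
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any log debugging inactive
access-list inside_access_out extended permit tcp any any object-group VNC
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
"""

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}  # named ports in ASA syntax


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp", "udp", "icmp"
    src: tuple              # (kind, value) address spec, see _take_addr
    dst: tuple
    ports: Optional[tuple]  # None = any port, ("eq", 25) or ("object-group", "VNC")
    text: str               # original line, quoted in the explanation


@dataclass
class AsaConfig:
    net_groups: dict = field(default_factory=dict)     # name -> [IPv4Network]
    svc_groups: dict = field(default_factory=dict)     # name -> {port}
    acls: dict = field(default_factory=dict)           # name -> [Ace]
    access_groups: dict = field(default_factory=dict)  # (interface, "in"/"out") -> acl
    intra_interface: bool = False


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _take_addr(tokens, i):
    """Consume one ASA address spec starting at tokens[i]; return (spec, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ("any", None), i + 1
    if tok in ("host", "object-group", "interface"):
        return (tok, tokens[i + 1]), i + 2
    return ("net", ipaddress.IPv4Network((tok, tokens[i + 1]), strict=False)), i + 2


def _parse_ace(t, raw):
    src, i = _take_addr(t, 5)
    dst, i = _take_addr(t, i)
    ports = None
    if i < len(t) and t[i] == "eq":
        ports = ("eq", _port(t[i + 1]))
    elif i < len(t) and t[i] == "object-group":
        ports = ("object-group", t[i + 1])
    return Ace(t[3], t[4], src, dst, ports, raw.strip())


def parse_asa(text):
    cfg = AsaConfig()
    group = None  # (kind, name) of the object-group whose members follow
    for raw in text.splitlines():
        t = raw.split()
        if not t or "inactive" in t:  # blank line or disabled ACE
            continue
        if t[0] == "same-security-traffic" and t[-1] == "intra-interface":
            cfg.intra_interface = True
        elif t[0] == "object-group" and t[1] in ("network", "service"):
            group = (t[1], t[2])
            (cfg.net_groups if t[1] == "network" else cfg.svc_groups)[t[2]] = [] if t[1] == "network" else set()
        elif t[0] == "object-group":  # protocol groups are not needed for this check
            group = None
        elif t[0] == "network-object" and group and group[0] == "network":
            cfg.net_groups[group[1]].append(ipaddress.IPv4Network((t[1], t[2]), strict=False))
        elif t[0] == "port-object" and t[1] == "eq" and group and group[0] == "service":
            cfg.svc_groups[group[1]].add(_port(t[2]))
        elif t[0] == "access-list" and t[2] == "extended":
            cfg.acls.setdefault(t[1], []).append(_parse_ace(t, raw))
        elif t[0] == "access-group":  # access-group NAME in|out interface IF
            cfg.access_groups[(t[4], t[2])] = t[1]
    return cfg


def _addr_matches(cfg, spec, ip):
    kind, val = spec
    if kind == "any":
        return True
    if kind == "host":
        return ip == ipaddress.IPv4Address(val)
    if kind == "net":
        return ip in val
    if kind == "object-group":
        return any(ip in net for net in cfg.net_groups[val])
    return False  # "interface X": the interface address is not in the post, assume no match


def _acl_verdict(cfg, acl_name, flow):
    """First-match evaluation with the ASA's implicit deny at the end of the list."""
    proto, src, dst, dport = flow
    for ace in cfg.acls.get(acl_name, []):
        if ace.proto not in ("ip", proto):
            continue
        if not (_addr_matches(cfg, ace.src, src) and _addr_matches(cfg, ace.dst, dst)):
            continue
        if ace.ports is not None:
            allowed = cfg.svc_groups[ace.ports[1]] if ace.ports[0] == "object-group" else {ace.ports[1]}
            if dport not in allowed:
                continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of " + acl_name


def check_flow(cfg, proto, src, dst, dport, in_if, out_if):
    """Return (permitted, explanation) for a connection-initiating packet."""
    flow = (proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), dport)
    if in_if == out_if and not cfg.intra_interface:
        return False, ["hairpin needs 'same-security-traffic permit intra-interface'"]
    steps = []
    for direction, ifname in (("in", in_if), ("out", out_if)):
        acl = cfg.access_groups.get((ifname, direction))
        if acl is None:  # no ACL bound: security-level default applies (not modelled here)
            steps.append(f"{ifname} {direction}: no access-group bound")
            continue
        action, why = _acl_verdict(cfg, acl, flow)
        steps.append(f"{ifname} {direction}: {acl} -> {action} ({why})")
        if action != "permit":
            return False, steps
    return True, steps


if __name__ == "__main__":
    cfg = parse_asa(SAMPLE_CONFIG)
    # Hairpinned flows from an inside host to the host behind the second 5510, as in the post.
    for dport in (5900, 3389):
        ok, steps = check_flow(cfg, "tcp", "188.8.131.52", "18.104.22.168", dport, "inside", "inside")
        print(f"tcp/{dport} inside->inside: {'PERMIT' if ok else 'DENY'}")
        for step in steps:
            print("   ", step)
```

Run as-is, the script permits the tcp/5900 hairpin (inbound `permit ip any any`, outbound `object-group VNC`) and denies tcp/3389 on the outbound ACL, which is the check to do before looking elsewhere: when both ACLs permit the flow, the Reset-O is not coming from an access-list decision in this configuration and the NAT and routing statements are the next place to look. Note that the outbound ACL bound to `inside` is applied to every new connection leaving that interface, whichever interface it entered on, so it also governs what `outside_access_in` lets in from the internet.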