08-07-2008 05:56 AM - edited 03-11-2019 06:27 AM
This is a little strange. We have a LAN 2 LAN VPN setup and I am getting a message from the ASA saying:
2|Aug 07 2008 08:39:59|106001: Inbound TCP connection denied from xxx.xx.xxx.20/39090 to xx.xx.x.162/23 flags SYN on interface inside
when we try to telnet to the device. They can telnet from their end to our system, but I get that type of message whenever I try anything other than a ping; traceroute gives me a similar error. I am getting hits on the ACL for the tunnel, but the traffic is not passing.
And stranger yet is this is an outbound connection and I am getting an inbound connection error.
I also have other connections to this server that are working. I am a little perplexed.
Anyone have any ideas?
08-07-2008 06:40 AM
Are you sure that your NONAT access list on the ASA at your facility is permitting traffic from your local network to the remote network?
08-07-2008 07:01 AM
There is no NONAT ACL; instead we have an inside_nat0_outbound ACL.
And this one shows to be setup the same as the 12 LAN to LAN VPNs that are working.
08-07-2008 07:24 AM
Can you post the complete configuration of the ASA that does not work as well as one that does work so the community can review it?
Also, have you tried running the command
same-security-traffic permit intra-interface
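The two checks the thread is circling are whether the denied flow in the 106001 line is covered by the NAT-exemption ACL (inside_nat0_outbound) and by the crypto-map ACL for that peer; an L2L flow needs both. The "Inbound" in a 106001 message is relative to the interface the packet arrived on, so a denial "on interface inside" is the poster's own outgoing telnet entering the ASA. The script below is an added example, not code from the thread or from Cisco: it parses a 106001 line, tests the flow against both ACLs, and lists crypto-ACL entries whose networks are not wholly NAT-exempted. The log line, the ACL networks (documentation ranges) and the function names are all assumed for illustration.

```python
"""Check an ASA 106001 denial against the NAT-exemption and crypto ACLs.

Added example for the thread above; every address and ACL entry here is
assumed (RFC 5737 documentation ranges), not taken from the poster's ASA.
"""
import ipaddress
import re

# Constructed sample lines in the shape of ASA syslog ID 106001.
SAMPLE_LOG = (
    "2|Aug 07 2008 08:39:59|106001: Inbound TCP connection denied "
    "from 192.0.2.20/39090 to 198.51.100.162/23 flags SYN on interface inside"
)
# Same shape, but to a destination that (in the assumed ACLs) is in the
# crypto ACL yet missing from the NAT-exemption ACL.
SAMPLE_LOG_UNEXEMPTED = (
    "2|Aug 07 2008 08:41:10|106001: Inbound TCP connection denied "
    "from 192.0.2.20/39091 to 203.0.113.5/23 flags SYN on interface inside"
)

LOG_106001 = re.compile(
    r"106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>\S+) on interface (?P<iface>\S+)"
)

# Hypothetical ACL entries, each standing for "permit ip <src-net> <dst-net>":
# one list for the NAT-exemption ACL (inside_nat0_outbound on the thread's
# ASA) and one for the crypto-map ACL of this peer. Values are assumed.
NAT0_ACL = [("192.0.2.0/24", "198.51.100.0/24")]
CRYPTO_ACL = [
    ("192.0.2.0/24", "198.51.100.128/25"),
    ("192.0.2.0/24", "203.0.113.0/24"),  # deliberately absent from NAT0_ACL
]


def parse_106001(line):
    """Return the denied flow (proto, src, sport, dst, dport, flags, iface)
    from a 106001 line, or None if the line is not a 106001 message."""
    m = LOG_106001.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def acl_covers(acl, src, dst):
    """True if some ACL entry's source and destination networks contain
    the given source and destination addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
        for src_net, dst_net in acl
    )


def diagnose(line, nat0_acl, crypto_acl):
    """Parse a 106001 line and report which of the two ACLs cover the flow.
    If both cover it, ACL coverage is not the reason for the denial."""
    flow = parse_106001(line)
    if flow is None:
        return {"parsed": False}
    src, dst = flow["src"], flow["dst"]
    nat0 = acl_covers(nat0_acl, src, dst)
    crypto = acl_covers(crypto_acl, src, dst)
    return {
        "parsed": True,
        "flow": f"{flow['proto']} {src}:{flow['sport']} -> {dst}:{flow['dport']} "
                f"arriving on {flow['iface']}",
        "nat0_covers": nat0,
        "crypto_covers": crypto,
        "acl_coverage_ok": nat0 and crypto,
    }


def acl_mismatches(nat0_acl, crypto_acl):
    """Crypto-ACL entries whose source/destination networks are not wholly
    contained in some NAT-exemption entry; traffic to those networks would be
    translated instead of exempted before it reaches the crypto map."""
    gaps = []
    for cs, cd in crypto_acl:
        cs_net, cd_net = ipaddress.ip_network(cs), ipaddress.ip_network(cd)
        exempted = any(
            cs_net.subnet_of(ipaddress.ip_network(ns))
            and cd_net.subnet_of(ipaddress.ip_network(nd))
            for ns, nd in nat0_acl
        )
        if not exempted:
            gaps.append((cs, cd))
    return gaps


if __name__ == "__main__":
    for line in (SAMPLE_LOG, SAMPLE_LOG_UNEXEMPTED):
        print(diagnose(line, NAT0_ACL, CRYPTO_ACL))
    print("crypto entries not NAT-exempted:", acl_mismatches(NAT0_ACL, CRYPTO_ACL))
```

Feed it the real 106001 line and the networks from `show running-config access-list` for the two ACLs; if the flow is covered by both, the denial is coming from something other than NAT exemption or crypto-ACL coverage, and the full configuration the reply above asks for is the next thing to look at.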
08-07-2008 07:58 AM
08-08-2008 06:28 AM
Here is a little more info. The device on the other end is a Watchguard FireBox. I can ping and traceroute (anything ICMP), but anything TCP or UDP acts like there is no tunnel. I can kill the tunnel and a telnet will bring it up, but then it acts the same as if I try from an address that is not listed in the tunnel.
I removed all the settings, purged all the ACLs and recreated it from my end, to no avail. I am stumped.
Any of this make sense?