Problem with established connections in ASA 5540

Unanswered Question
Aug 29th, 2008

Hi all,

I'm having a problem with the established connections through an ASA 5540 firewall.

The scenario contains two interfaces, outside and inside.

I want to allow navigation and ICMP connection from hosts from the inside with a NAT configured public IP on the outside interface, to internet sites.

So, once configured the NAT rule, I configured the security policy to allow ICMP from the outside, and navigation only to the inside hosts I want to allow.

The problem is that I have to create TWO rules instead of one, in order to allow any connections between hosts in the inside and the outside, one from inside host/net to the outside, and the opposite one.

It is supposed that connectivity from interfaces with higher priority to lower priority is allowed, so it should be only neccesary to configure the rule from the lower to the higher priority interface.

Any help will be much appreciated.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marwan ALshawi Fri, 08/29/2008 - 22:51

do u have ur NAT configured properly?


if u put any ACL on ANY interface by default its includ deny any at the end

which is know as implicit deny

so once u put any ACL any think not permited impilcitly will be denied

try to remove the ACL from the inside interface and make sure u have the NAT configured right

then the connection from inside higer sec to outside lower sec will be done

good luck

please, if helpful Rate

jdive Mon, 09/01/2008 - 00:28

If you made your tests with icmp, check that you have inspect icmp enabled. If this is not the case, then the return icmp packets will not be associated with the initial icmp packet and will be dropped.

acotelcom Mon, 09/01/2008 - 04:17

The first at all, thanks in advance.

My configuration is like in a PIX, where i need to open with a ACL the traffic from a minor to a higher level, and a NAT rule from the higher to the minor.

With that configuration, where i let all traffic by IP in the outside interface, i have an entry in the syslog:

%ASA-6-106015: Deny TCP (no connection) from to flags SYN ACK on interface Intranet

That is my principal problem. The ASA don't let me pass the traffic in established comunications.

t4tauseef33 Tue, 09/02/2008 - 07:26

I think you have asymetric communication/routing. This message only appear if there is no connection information in the firewall session table. Do you have any other router or firewall in your network?

acotelcom Tue, 09/02/2008 - 22:27

It's possible that we have asymetric routing in the internet side. Is that a problem? Is a problem for all communications (TCP, UDP) or only to ICMP?

t4tauseef33 Fri, 09/05/2008 - 09:53

yes this is the actual problem. ping works even aysemtric or not. but not any tcp/udp application. If the cisco firewall sends a packet from one side and recieve it from other side, it drops it. you can check your syslog messages, if you are using the asdm then use the debugging mode, you will find the real cause over there.

acotelcom Sun, 09/07/2008 - 23:02

Yes, it's true, but the ping has another problem.

You must open the both side to let work it. If you only open the out rule, it don't work.

nezaket.atakul Wed, 03/14/2012 - 06:09

Hi All,

I have problem with established connections at webvpn. my clients couldn't open pages. they can open main page but couldn't open other url or, they can open main page but couldn't open java applications at that page.

my device have asa 8.4(3) version.

here are logs;

6          Mar 14 2012          14:27:07          725002          y.y.y.y          1093                              Device completed SSL handshake with client Outside:y.y.y.y/1093

7          Mar 14 2012          14:27:07          725012          y.y.y.y          1093                              Device chooses cipher : RC4-SHA for the SSL session with client Outside:y.y.y.y/1093

7          Mar 14 2012          14:27:07          725008          y.y.y.y          1093                              SSL client Outside:y.y.y.y/1093 proposes the following 8 cipher(s).

6          Mar 14 2012          14:27:07          725001          y.y.y.y          1093                              Starting SSL handshake with client Outside:y.y.y.y/1093 for TLSv1 session.

6          Mar 14 2012          14:27:06          725007          y.y.y.y          1034                              SSL session with client Outside:y.y.y.y/1034 terminated.

6          Mar 14 2012          14:27:06          302014          y.y.y.y          1034          x.x.x.x          443          Teardown TCP connection 3223825 for Outside:y.y.y.y/1034 to identity:x.x.x.x/443 duration 0:02:55 bytes 788016 TCP FINs

6          Mar 14 2012          14:27:05          302013          y.y.y.y          1093          x.x.x.x          443          Built inbound TCP connection 3240160 for Outside:y.y.y.y/1093 (y.y.y.y/1093) to identity:x.x.x.x/443 (x.x.x.x/443)

6          Mar 14 2012          14:26:35          302014          y.y.y.y          1036          x.x.x.x          443          Teardown TCP connection 3223832 for Outside:y.y.y.y/1036 to identity:x.x.x.x/443 duration 0:02:24 bytes 2798 Connection timeout

7          Mar 14 2012          14:25:28          710005          y.y.y.y          4976          x.x.x.x          443          TCP request discarded from y.y.y.y/4976 to Outside:x.x.x.x/443

6          Mar 14 2012          14:25:28          106015          y.y.y.y          4976          x.x.x.x          443          Deny TCP (no connection) from y.y.y.y/4976 to x.x.x.x/443 flags ACK  on interface Outside

6          Mar 14 2012          14:25:24          302014          y.y.y.y          4976          x.x.x.x          443          Teardown TCP connection 3217470 for Outside:y.y.y.y/4976 to identity:x.x.x.x/443 duration 0:02:14 bytes 23531 TCP FINs

6          Mar 14 2012          14:25:23          725007          y.y.y.y          4976                              SSL session with client Outside:y.y.y.y/4976 terminated.


This Discussion