Packet dropping - confused, help - new to ASA

Dec 2nd, 2008

Hi All,

My internal networks are 10.113.0.0/16 subnetted down into variable length networks.

The inside interface is sat on 10.113.66.7/24 with a gateway to the rest of the internal network via a cisco 3750 on 10.113.66.1

I have NAT exempted the internal traffic, and allowed traffic across all internal ports on the ASA, but we still keep getting the following message,

6 Dec 02 2008 15:41:26 106015 10.113.66.10 10.113.79.46 Deny TCP (no connection) from 10.113.66.10/5038 to 10.113.79.46/139 flags RST on interface inside


Very very frustrating.

It is as though the ASA is limited to talking to 1 subnet only because the packet did not originate from the ASA itself and it is considering this a breach of the normal TCP SYN/ACK rules.

Thoughts?

sh run attached



grant.maynard Thu, 12/04/2008 - 15:32

If I read that right, then the source and destination of that packet are both on the inside of the ASA. Is it possible that the ASA is seeing only half of the 2-way conversation? A stateful firewall will never like that. For that reason it would be best to use the internal router as default gateway for all devices on the ASA's subnet, rather than use the ASA itself.

You can "bounce" traffic off the ASA if you have "same-security-traffic permit intra-interface" but the ASA must see the full connection. This can be awkward to achieve.

Sometimes 106015 messages happen just because the ASA has torn down the connection before one of the hosts has, so this could refer to a connection which is finished as far as the ASA is concerned.

So, set the gateway of 10.113.66.10 to be the router not the ASA.
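To make Grant's point easier to check against a real syslog feed, here is an added triage script (not code from the original post or from Cisco). It parses 106015 "Deny TCP (no connection)" lines in the format pasted above and labels each denied flow by where its endpoints sit relative to the ASA's inside interface, so that flows crossing the ASA between two inside subnets (the half-a-conversation case) stand out from ordinary post-teardown noise. The inside interface subnet (10.113.66.0/24) and internal range (10.113.0.0/16) are taken from the thread; the sample log lines other than the first are constructed for illustration.

```python
"""Triage ASA 106015 "Deny TCP (no connection)" syslog lines.

Added example for this thread; not code from the original post or from Cisco.
Classifies each denied flow against the inside interface's own subnet so that
inside-to-inside flows that transit the ASA (asymmetric-routing suspects) are
separated from inside-to-external denials, which are usually late RST/FIN
packets arriving after the ASA has already torn the connection down.
"""
import ipaddress
import re
from collections import Counter

# Message format as pasted in the thread:
# "<sev> <Mon> <dd> <yyyy> <hh:mm:ss> 106015 <src> <dst> Deny TCP (no connection)
#  from <src>/<sport> to <dst>/<dport> flags <FLAGS> on interface <if>"
MSG_RE = re.compile(
    r"106015 .*?Deny TCP \(no connection\) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Assumptions taken from the thread: inside interface on 10.113.66.7/24,
# the whole site inside 10.113.0.0/16. Adjust for your own topology.
INSIDE_IF_NET = ipaddress.ip_network("10.113.66.0/24")
INTERNAL_NET = ipaddress.ip_network("10.113.0.0/16")

# Constructed sample log. The first line is the one quoted in the thread;
# the rest are made up to exercise each classification.
SAMPLE_LOG = """\
6 Dec 02 2008 15:41:26 106015 10.113.66.10 10.113.79.46 Deny TCP (no connection) from 10.113.66.10/5038 to 10.113.79.46/139 flags RST on interface inside
6 Dec 02 2008 15:41:30 106015 10.113.66.10 10.113.79.46 Deny TCP (no connection) from 10.113.66.10/5040 to 10.113.79.46/445 flags FIN ACK on interface inside
6 Dec 02 2008 15:42:01 106015 10.113.66.10 10.113.66.20 Deny TCP (no connection) from 10.113.66.10/5100 to 10.113.66.20/80 flags RST on interface inside
6 Dec 02 2008 15:42:05 106015 10.113.66.10 203.0.113.5 Deny TCP (no connection) from 10.113.66.10/5200 to 203.0.113.5/443 flags RST on interface inside
6 Dec 02 2008 15:42:09 302014 Teardown TCP connection 12345 for outside:203.0.113.5/443 to inside:10.113.66.10/5200
"""


def parse_106015(line):
    """Return a dict of fields for a 106015 line, or None for any other line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    ev["flags"] = ev["flags"].strip()
    return ev


def classify(ev):
    """Label a denied flow by where its endpoints sit relative to the inside interface."""
    src = ipaddress.ip_address(ev["src"])
    dst = ipaddress.ip_address(ev["dst"])
    if ev["iface"] != "inside":
        return "other-interface"
    if src in INTERNAL_NET and dst in INTERNAL_NET:
        if src in INSIDE_IF_NET and dst in INSIDE_IF_NET:
            # Two hosts on the ASA's own /24 should talk directly; if the ASA
            # sees this at all, a host mask or gateway is probably wrong.
            return "same-subnet"
        # Both inside the site but on different subnets: the packet reached
        # the ASA on its way between internal networks, i.e. the ASA is in the
        # path for one direction and may not see the other (Grant's case).
        return "inside-to-inside"
    return "inside-to-external"


def summarize(lines):
    """Count denials per label and collect the inside-to-inside suspects."""
    counts = Counter()
    suspects = []
    for line in lines:
        ev = parse_106015(line)
        if ev is None:
            continue  # not a 106015 message
        label = classify(ev)
        counts[label] += 1
        if label == "inside-to-inside":
            suspects.append((ev["src"], ev["dst"], ev["dport"], ev["flags"]))
    return counts, suspects


if __name__ == "__main__":
    counts, suspects = summarize(SAMPLE_LOG.splitlines())
    for label, n in sorted(counts.items()):
        print(f"{label:20s} {n}")
    for src, dst, dport, flags in suspects:
        print(f"inside-to-inside via ASA: {src} -> {dst}:{dport} ({flags})")
```

Run it against `show logging` output or a syslog export instead of `SAMPLE_LOG`; if the inside-to-inside bucket dominates, the ASA is being used as a next hop between internal subnets and the fix is the one above (point the hosts' default gateway at the 3750), not a wider ACL.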

timmatthews Wed, 12/10/2008 - 08:24

thanks Grant,

The source/destination are on the correct interfaces with the correct security levels - 0 and 100. The only weirdness is the 192.x.x.x and 10.x.x.x - the 192.x.x.x is a BT router on an ADSL circuit, it is doing the NAT for the external ASA interface to a routable address.

I agree with you, the ASA is tearing down the session because it is not seeing the full SYN/ACK - RST sequence and assuming something is amiss. Works fine if there is a single subnet behind the ASA, but not multiple nets.

I will try again using the 3750 on the LAN as the gateway for the ASA, which gives me another unique problem I will not bore you with.....
