ADSM deny message help?

Unanswered Question
Feb 11th, 2009


I am looking at the logs in the ADSM and I get the following set of lines (at the bottom).

What is supposed to be happening is that software on VISTA_CCTV on the inside is to talk to an internal address at


However we are getting the deny message as shown below. The port supposedly used by the software (according to their tech guys) on the box is port 3000. So this has been allowed through on both sites. We seem to be able to get to the site fine through our pix at the other end, but we get the deny message on this ASA 5505. Can you help?

VISTA_CCTV OUTSIDE_IF Teardown dynamic TCP translation from inside:VISTA_CCTV/2272 to outside:OUTSIDE_IF/1055 duration 0:01:00 OUTSIDE_IF Deny TCP (no connection) from to OUTSIDE_IF/1055 flags PSH ACK on interface outside VISTA_CCTV Teardown TCP connection 99 for outside: to inside:VISTA_CCTV/2272 duration 0:00:40 bytes 263 TCP Reset-I VISTA_CCTV Built outbound TCP connection 99 for outside: ( to inside:VISTA_CCTV/2272 (OUTSIDE_IF/1055)

VISTA_CCTV OUTSIDE_IF Built dynamic TCP translation from inside:VISTA_CCTV/2272 to outside:OUTSIDE_IF/1055

access-list inside extended permit tcp any host OUTSIDE_IF eq 3000

static (inside,outside) tcp interface 3000 VISTA_CCTV 3000 netmask

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
cdusio Wed, 02/11/2009 - 07:59

The debug shows that the internal box send out a connection to 1055. The return traffic has no PAM rule for that so it's getting dropped.. is souricng the traffic form port 3000 and returning the traffic on the source port you initiated 1055. That will never work as state will break on the firewall.

You need to control the source and destination ports or change the way you are doing NAT.

danparsons Wed, 02/11/2009 - 08:28

First of all, Thankyou very much for your answer.

Secondly, this was working fine up to about a week ago, so I assume the ports the software is using must have changed as if it was just using port 3000 it should work?

Thanks again.

cdusio Wed, 02/11/2009 - 09:16

I would think so.

If they are trying to hit that NATTED address inbound then your rule and Nat rule should work.

Outbound as long as you're trying to get to the box on 3000 that should be ok too.


This Discussion