TCP denied

Unanswered Question
Feb 18th, 2009

Hi,

I need two computers (on different VLANs), both pointing to the FW, to connect via specific TCP ports.

I'm getting this syslog message.

106015 Deny TCP (no connection) from 192.168.167.64/1433 to 192.168.167.80/1796 flag SYN ACK on internal interface.

Should I add an ACL to the internal interface, and how?

Thanks.

SpeedLottery Wed, 02/18/2009 - 06:31

on another network.

The devices are on different switches and different VLANs, but all traffic is routed to the internal interface of the FW.

SpeedLottery Wed, 02/18/2009 - 06:56

ok,

Because 192.168.165.0 is the internal network, and there is another network on another switch, which I connected with a crossover cable, I configured on that third switch an interface from VLAN 1 with the IP 192.168.165.61, so that the internal network knows how to reach the 192.168.167.0 network.

SpeedLottery Wed, 02/18/2009 - 07:17

I attach the switches config.

IP routing is enabled in all switches, and ping is OK from hosts on VLAN 30 to hosts on VLAN 1, but there are issues like the TCP ports that I don't understand.

That's why I said that if the FW is denying the TCP connection, I guess I should allow it somehow.

I just need a host on the 192.168.165.0 network to connect via specific TCP ports to another host on the 192.168.167.0 network.


From your configs, all switches are effectively routers and switches. I can see no order, i.e. core, distribution, access switch.

I find it quite surprising that the firewall is seeing a TCP request from 2 machines on VLAN 30, as they are in the same broadcast domain and do not need to go through a layer 3 device.

The fact that you have 3 layer 3 interfaces and the firewall interface, all routable, means there should be no connectivity issues.

I personally think you should re-think your design.

SpeedLottery Wed, 02/18/2009 - 07:52

The machines are on different vlans, 1 and 30.

one has 192.168.167.80

the other 192.168.165.64

Ahh yes - OK here is the quick and dirty fix:-

In the ASA remove the route:-

route internal-interface 192.168.167.0 255.255.255.0 192.168.165.61

replace with:-

route internal-interface 192.168.167.0 255.255.255.0 192.168.165.10

In NS1 add:-

ip route 192.168.167.0 255.255.255.0 192.168.165.61

In NS2 add:-

ip route 192.168.167.0 255.255.255.0 192.168.165.61

But I strongly suggest you change your topology as right now - you have 3 routers, with no logical routing process between them and poor design.
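The 106015 message quoted in the question is the ASA reporting a TCP segment for which it holds no connection entry: a SYN/ACK from 192.168.167.64/1433 arrived on the internal interface, but the SYN it answers never passed through the firewall, which is exactly what happens when the two hosts reach each other by a path that bypasses the firewall in one direction and the route changes above are meant to straighten out. As an added example (not code from this thread or from Cisco), the following Python script parses 106015 lines in both the wording quoted in the question and the usual `%ASA-6-106015:` form, groups the drops by server socket and client, and flags the pairs whose drops are SYN/ACKs, since those point at asymmetric routing rather than at a missing ACL. The function names, the classification heuristics and all sample log lines other than the one quoted in the question are constructed for this example.

```python
"""Triage ASA syslog message 106015 ("Deny TCP (no connection)").

Added example, not part of the thread: groups denied packets by server socket
and client and flags pairs where the firewall drops SYN/ACKs for handshakes it
never saw, the classic signature of asymmetric routing around a stateful FW.
"""
import re
from collections import defaultdict

# Matches the wording quoted in the question ("... flag SYN ACK on internal
# interface.") as well as the usual "%ASA-6-106015: ... flags SYN ACK on
# interface internal" form. search() tolerates a leading syslog timestamp.
MSG_106015 = re.compile(
    r"(?:%ASA-\d-)?106015:?\s+Deny TCP \(no connection\) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) "
    r"flags? (?P<flags>[A-Z ]+?) on (?:interface )?(?P<iface>\S+?)(?: interface)?\.?$"
)


def parse_106015(line):
    """Return the fields of a 106015 line as a dict, or None for other messages."""
    m = MSG_106015.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(flags):
    """Heuristic reason for a no-connection drop, judged from the TCP flags."""
    f = set(flags.split())
    if {"SYN", "ACK"} <= f:
        # A SYN/ACK answers a SYN. If the ASA has no connection entry, the SYN
        # reached the server by a path that did not cross the firewall.
        return "syn-ack-without-syn (asymmetric routing suspect)"
    if "RST" in f:
        return "reset-for-unknown-flow (usually benign)"
    return "mid-stream-without-state (timed-out or asymmetric flow)"


def triage(lines):
    """Summarise 106015 lines per (server ip, server port, client ip, interface)."""
    by_pair = defaultdict(lambda: {"count": 0, "reasons": {}})
    parsed = unparsed = 0
    for line in lines:
        rec = parse_106015(line)
        if rec is None:
            unparsed += 1
            continue
        parsed += 1
        key = (rec["src"], rec["sport"], rec["dst"], rec["iface"])
        entry = by_pair[key]
        entry["count"] += 1
        reason = classify(rec["flags"])
        entry["reasons"][reason] = entry["reasons"].get(reason, 0) + 1
    suspects = sorted(
        (src, sport, dst)
        for (src, sport, dst, _iface), e in by_pair.items()
        if any(r.startswith("syn-ack-without-syn") for r in e["reasons"])
    )
    return {"parsed": parsed, "unparsed": unparsed,
            "by_pair": dict(by_pair), "asymmetric_suspects": suspects}


# Sample input: the first line is the one quoted in the question; the others
# are constructed for this example.
SAMPLE_LOGS = [
    "106015 Deny TCP (no connection) from 192.168.167.64/1433 to 192.168.167.80/1796 flag SYN ACK on internal interface.",
    # constructed: the server retransmits the same SYN/ACK a moment later
    "106015 Deny TCP (no connection) from 192.168.167.64/1433 to 192.168.167.80/1796 flag SYN ACK on internal interface.",
    # constructed: a second client port, in the syslog-prefixed form the ASA normally emits
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.167.64/1433 to 192.168.167.80/1797 flags SYN ACK on interface internal",
    # constructed: a stray reset for a flow the firewall had already timed out
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.165.64/3389 to 192.168.167.80/2201 flags RST ACK on interface internal",
    # constructed: a different message id, which the parser must ignore
    "%ASA-4-106023: Deny tcp src outside:203.0.113.5/4242 dst inside:192.168.165.64/445 by access-group outside_in",
]


def report(lines):
    """Print a human-readable summary and return the triage dict."""
    summary = triage(lines)
    for (src, sport, dst, iface), e in summary["by_pair"].items():
        print(f"{src}:{sport} -> {dst} on {iface}: {e['count']} drop(s), {e['reasons']}")
    for src, sport, dst in summary["asymmetric_suspects"]:
        print(f"check routing: {dst}'s SYN to {src}:{sport} did not cross the firewall")
    return summary


if __name__ == "__main__":
    report(SAMPLE_LOGS)
```

Run against a real syslog export, the `asymmetric_suspects` list gives the client/server pairs to trace with `show route` on the ASA and the switches; adding a permit ACL on the internal interface would not help, because the ASA drops these segments for lack of state, not because of a filter.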
