TCP denied

SpeedLottery
Level 1

Hi,

I need two computers (on different VLANs), but pointing to the FW, to connect via specific TCP ports.

I'm getting this syslog message.

106015 Deny TCP (no connection) from 192.168.167.64/1433 to 192.168.167.80/1796 flag SYN ACK on internal interface.

Should I add an ACL on internal-interface, and how?

Thanks.

9 Replies

andrew.prince
Level 10

Errrm from your post - the traffic is from a device to another device on the same network?

on another network.

The devices are on different switches and different VLANs, but all traffic is routed to internal-interface of the FW.

OK - just one question: what is device "192.168.165.61"?

taken from your firewall config:-

"route internal-interface 192.168.167.0 255.255.255.0 192.168.165.61"

ok,

Because 192.168.165.0 is the internal network, and there is another network on another switch, which I connected with a crossover cable, I configured on that third switch an interface from VLAN 1 with the IP 192.168.165.61, so that the internal network knows how to reach the 192.168.167.0 network.

OK - here's the thing: what you have done makes no sense. You have multiple layer 3 interfaces on multiple switches; the routing will not be correct or best practice.

What device is handling the vlan to vlan IP routing?

I attach the switches config.

IP routing is enabled on all switches, and ping is OK from hosts on VLAN 30 to hosts on VLAN 1, but there are issues like the TCP ports that I don't understand.

That's why I said that if the FW is denying the TCP connection, I guess I should allow it somehow.

I just need a host on the 192.168.165.0 network to connect via specific TCP ports to another host on the 192.168.167.0 network.

From your configs - all switches are effectively routers and switches. I can see no order, i.e. core, distribution, access switch.

I find it quite surprising that the firewall is seeing a TCP request from 2 machines on VLAN 30 - as they are in the same broadcast domain and do not need to go through a layer 3 device.

The fact you have 3 layer 3 interfaces and the firewall interface are routable, means there should be no connectivity issues.

I personally think you should re-think your design.

The machines are on different VLANs, 1 and 30.

One has 192.168.167.80.

The other has 192.168.165.64.

Ahh yes - OK, here is the quick and dirty fix:-

In the ASA remove the route:-

route internal-interface 192.168.167.0 255.255.255.0 192.168.165.61

replace with:-

route internal-interface 192.168.167.0 255.255.255.0 192.168.165.10

In NS1 add:-

ip route 192.168.167.0 255.255.255.0 192.168.165.61

In NS2 add:-

ip route 192.168.167.0 255.255.255.0 192.168.165.61

But I strongly suggest you change your topology as right now - you have 3 routers, with no logical routing process between them and poor design.
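The message quoted in the question (106015, "Deny TCP (no connection)" with flags SYN ACK) is the classic symptom of the asymmetric routing that the reply above diagnoses: the server's SYN ACK arrives at the ASA on internal-interface, but the ASA never saw the client's SYN because the 192.168.165.x to 192.168.167.x path bypassed it, so there is no connection state and the packet is dropped. The script below is an added example, not code from the thread or from Cisco; it parses 106015 lines, classifies each deny by its TCP flags, and reports the source/destination pairs showing the SYN-ACK-without-state signature so the routing on both directions can be checked. The sample log lines are constructed (the first reproduces the question's message in the documented ASA format), and the regex also tolerates the looser "flag ... on internal interface" wording quoted in the question.

```python
import re
from collections import Counter

# Constructed sample syslog lines for this example. The first two mirror the
# message quoted in the question; the rest are invented to exercise the other
# flag combinations an ASA reports with 106015.
SAMPLE_LOGS = [
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.167.64/1433 to "
    "192.168.167.80/1796 flags SYN ACK on interface internal-interface",
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.167.64/1433 to "
    "192.168.167.80/1797 flags SYN ACK on interface internal-interface",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.0.5/52000 to "
    "10.0.1.9/443 flags ACK on interface outside",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.1.9/443 to "
    "10.0.0.5/52000 flags RST on interface inside",
    # A different message id; the parser must ignore it.
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:10.0.0.5/52001 "
    "(10.0.0.5/52001) to inside:10.0.1.9/443 (10.0.1.9/443)",
]

# Accepts the documented form ("flags SYN ACK on interface X") as well as the
# looser form in the question ("flag SYN ACK on internal interface").
PATTERN = re.compile(
    r"106015:?\s*Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags? (?P<flags>[A-Z ]+?) on (?:interface )?(?P<iface>[\w-]+)"
)


def parse_106015(line):
    """Return the fields of a 106015 line as a dict, or None for other messages."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = frozenset(rec["flags"].split())
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Map the TCP flags of a no-connection deny to its usual cause."""
    f = rec["flags"]
    if {"SYN", "ACK"} <= f:
        # A SYN ACK is the server's reply to a handshake. If the ASA holds no
        # state for it, the client's SYN reached the server by another path:
        # the firewall only sees one direction of the flow.
        return "asymmetric-routing"
    if "RST" in f:
        # A reset for a flow whose state has already been torn down.
        return "reset-after-teardown"
    if "ACK" in f:
        # A mid-stream segment with no state; often an idle-timed-out session.
        return "mid-stream-no-state"
    return "other"


def summarize(lines):
    """Count denies per (interface, cause) and collect the flows showing the
    asymmetric-routing signature as (interface, server, server_port, client)."""
    counts = Counter()
    suspects = set()
    for line in lines:
        rec = parse_106015(line)
        if rec is None:
            continue
        cause = classify(rec)
        counts[(rec["iface"], cause)] += 1
        if cause == "asymmetric-routing":
            # The sender of the SYN ACK is the server side; report it with its
            # listening port so the forward path for that service can be traced.
            suspects.add((rec["iface"], rec["src"], rec["sport"], rec["dst"]))
    return counts, sorted(suspects)


if __name__ == "__main__":
    counts, suspects = summarize(SAMPLE_LOGS)
    for (iface, cause), n in sorted(counts.items()):
        print(f"{iface:20} {cause:24} {n}")
    for iface, server, port, client in suspects:
        print(f"check forward path {client} -> {server}:{port} (SYN ACK seen on {iface})")
```

Run against the thread's scenario, the report points at 192.168.167.80 reaching 192.168.167.64:1433 by a path that skips the ASA while the reply comes back through internal-interface, which is exactly what the route changes suggested above are meant to correct. Once both directions traverse the firewall, the 106015 denies for that pair should stop; if they continue, the state-bypass is still in place somewhere in the switch routing.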
