ASA 5505 Inside-to-Inside Deny TCP Connections...

Answered Question
Apr 7th, 2009

All,

Having a problem and need assistance. I have a 5505 with two systems attempting to communicate with each other via one VLAN interface on the ASA. The systems can ping each other, but when they attempt TCP connections between them (e.g. RDP) it fails. In the log, it shows this:


%ASA-6-106015: Deny TCP (no connection) from 172.26.0.23/3389 to 192.168.1.2/1141 flags RST ACK on interface inside


Packet tracer works fine every time.


Sanitized config attached


Any ideas?




andrew.prince@m... Wed, 04/08/2009 - 00:57

The ASA is not a layer 3 router; it will not allow or process packets that are received on an interface and then sent out the same interface when the IP subnets are not the same.


Solution: either move an IP subnet onto another interface of the ASA, or use a router.


HTH

acomiskey Wed, 04/08/2009 - 04:38

Appears he is going from the inside to the dmz.


Try this...


no access-list nat_exclusion extended permit ip host 192.168.1.2 host 172.26.0.23

UCcomp2007 Wed, 04/08/2009 - 04:41

Also, do you have the Security Plus license for the 5505? Without it, your DMZ and inside zones will not be able to talk (ping yes, but nothing else).


Regards,

Correct Answer
roshan.maskey Wed, 04/08/2009 - 11:51

Hi,


Seeing your configuration, I could see these settings.


1. inside (vlan1): 172.26.0.0/24

2. dmz (vlan3): 192.168.1.64/26

3. asa-inside ip: 172.26.0.1

4. router-ip: 172.26.0.11

5. network behind router: 192.168.1.0/28


Now, Let me explain what is happening:

1. You initiate RDP from host 1.2 to host 0.23.

2. The router sends the traffic to host 0.23 via its interface 0.11.

3. Host 0.23 sends the reply via its default gateway, 0.1.

4. The ASA checks the TCP header and finds the ACK flag set.

5. The ASA tries to find a connection slot for an established connection.

6. No established connection is found, and the ASA cannot create a new connection slot because it is an ACK packet, not a SYN, so it drops the packet.


Resolution to problem:

Try setting the default gateway on host 0.23 to 0.11; that might work. If it doesn't, put your host computers in a separate zone, connected either to the ASA or to the router.
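The mechanism in the answer above, as an added illustration that is not part of the thread or of any Cisco code: a toy stateful firewall that opens a connection slot only on a bare SYN, fed the return segment from the thread's own addresses. The host routing tables for 172.26.0.23 (default gateway the ASA; then with a host route for 192.168.1.2 via the router) are assumptions modelled on the thread; the SYN from 192.168.1.2 never crosses the ASA because the router at 172.26.0.11 sits on the same VLAN as 172.26.0.23.

```python
"""Toy model of the ASA behaviour described in the answer above: a stateful
firewall creates a connection slot only when it sees a SYN, so a return
segment that arrives without a matching slot is dropped and logged as
ASA-6-106015.  Added example (not Cisco code); the addresses are the ones
in the thread, the host routing tables are assumed."""
import ipaddress
from dataclasses import dataclass

ASA_INSIDE_IP = "172.26.0.1"   # default gateway of host 172.26.0.23
ROUTER_IP = "172.26.0.11"      # router in front of 192.168.1.0/28
FLAG_ORDER = ("SYN", "RST", "ACK")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


class StatefulFirewall:
    """Minimal connection table: a bare SYN opens a slot, anything else must match one."""

    def __init__(self):
        self.conns = set()
        self.log = []

    @staticmethod
    def _key(pkt):
        # Order-independent key so both directions of a flow match the same slot.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def inspect(self, pkt, iface="inside"):
        if self._key(pkt) in self.conns:
            return "permit"
        if pkt.flags == frozenset({"SYN"}):
            self.conns.add(self._key(pkt))
            return "permit"
        flags = " ".join(f for f in FLAG_ORDER if f in pkt.flags)
        self.log.append(
            f"%ASA-6-106015: Deny TCP (no connection) from {pkt.src}/{pkt.sport} "
            f"to {pkt.dst}/{pkt.dport} flags {flags} on interface {iface}"
        )
        return "drop"


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; gateway None means directly connected."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


# Assumed routing table of host 172.26.0.23 before the fix: default gateway is the ASA.
HOST_ROUTES_BROKEN = [("172.26.0.0/24", None), ("0.0.0.0/0", ASA_INSIDE_IP)]
# After the fix reported later in the thread: host route for 192.168.1.2 via the router.
HOST_ROUTES_FIXED = HOST_ROUTES_BROKEN + [("192.168.1.2/32", ROUTER_IP)]


def rdp_return_path(host_routes):
    """Return (verdict, asa_log) for the reply from 172.26.0.23 to 192.168.1.2.

    The client's SYN reached 172.26.0.23 through the router on the same VLAN,
    so the ASA never saw it and holds no connection slot for the flow."""
    fw = StatefulFirewall()
    # Flags as in the original log line; a SYN/ACK would be dropped the same way.
    reply = Packet("172.26.0.23", 3389, "192.168.1.2", 1141, frozenset({"RST", "ACK"}))
    gw = next_hop(host_routes, reply.dst)
    if gw == ASA_INSIDE_IP:
        return fw.inspect(reply), fw.log
    return "forwarded via " + gw, fw.log


def symmetric_path():
    """Control case: when the ASA sees the SYN first, the reply matches the slot."""
    fw = StatefulFirewall()
    syn = Packet("192.168.1.2", 1141, "172.26.0.23", 3389, frozenset({"SYN"}))
    reply = Packet("172.26.0.23", 3389, "192.168.1.2", 1141, frozenset({"SYN", "ACK"}))
    return fw.inspect(syn), fw.inspect(reply)


if __name__ == "__main__":
    print(rdp_return_path(HOST_ROUTES_BROKEN))
    print(rdp_return_path(HOST_ROUTES_FIXED))
    print(symmetric_path())
```

With the broken table the model reproduces the thread's log line exactly; with the host route added, the reply never reaches the ASA, which is why both of the answer's suggested fixes (change the gateway, or separate the hosts so both directions cross the same device) work: they make the path symmetric rather than teaching the firewall to accept mid-stream segments.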


lrm001c474 Thu, 04/09/2009 - 18:43

Roshan, you got it. I set a host specific static route on the 0.23 for the 192.168.1.2 with a NH of 172.26.0.11 and it worked.


Nice catch.
