ASA 5505 Inside-to-Inside Deny TCP Connections...

Answered Question
Apr 7th, 2009

All,

Having a problem and need asssistance. I have a 5505 that I have two systems attempting to communicate with each other via one VLAN interface on the ASA. The systems can ping each other but when they attempt to do TCP connections between them (Ex. RDP) it fails. In the log, it shows this:

%ASA-6-106015: Deny TCP (no connection) from 172.26.0.23/3389 to 192.168.1.2/1141 flags RST ACK on interface inside

Packet tracer works fine everytime.

Sanatized config attached

Any ideas?

Attachment: 
I have this problem too.
0 votes
Correct Answer by roshan.maskey about 7 years 7 months ago

Hi,

Seeing you configuration,I could see these settings.

1. inside (vlan1): 172.26.0.0/24

2. dmz(vlan3): 192.168.1.64/26

3. asa-inside ip: 172.26.0.1

3. router-ip: 172.26.0.11

4. network behind router: 192.168.1.0/28

Now, Let me explain what is happening:

1. U initiate RDP from host 1.2 to host 0.23

2. router sends the traffic to host 0.23 via interface 0.11

3. host 0.23 sends reply via its default gateway 0.1

4. ASA checks the TCP header and have ACK flag set.

5. ASA tries to find an connection slot, for established connection

6. No established connection is found and ASA can not create new conn slot, coz it is ACK packet not SYN, so drops the packet.

Resolution to problem:

Try setting your default gateway on host 0.23 to 0.11, that might work. If it didn't, set your host computers in separate zone either connected to ASA or Router.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
acomiskey Wed, 04/08/2009 - 04:38

Appears he is going from the inside to the dmz.

Try this...

no access-list nat_exclusion extended permit ip host 192.168.1.2 host 172.26.0.23

UCcomp2007 Wed, 04/08/2009 - 04:41

Also do you have the security plus license for 5505? Without it, your DMZ and Inside zones will not be able talk (ping yes, but nothing else).

Regards,

Correct Answer
roshan.maskey Wed, 04/08/2009 - 11:51

Hi,

Seeing you configuration,I could see these settings.

1. inside (vlan1): 172.26.0.0/24

2. dmz(vlan3): 192.168.1.64/26

3. asa-inside ip: 172.26.0.1

3. router-ip: 172.26.0.11

4. network behind router: 192.168.1.0/28

Now, Let me explain what is happening:

1. U initiate RDP from host 1.2 to host 0.23

2. router sends the traffic to host 0.23 via interface 0.11

3. host 0.23 sends reply via its default gateway 0.1

4. ASA checks the TCP header and have ACK flag set.

5. ASA tries to find an connection slot, for established connection

6. No established connection is found and ASA can not create new conn slot, coz it is ACK packet not SYN, so drops the packet.

Resolution to problem:

Try setting your default gateway on host 0.23 to 0.11, that might work. If it didn't, set your host computers in separate zone either connected to ASA or Router.

lrm001c474 Thu, 04/09/2009 - 18:43

Roshan, you got it. I set a host specific static route on the 0.23 for the 192.168.1.2 with a NH of 172.26.0.11 and it worked.

Nice catch.

Actions

This Discussion