ASA5505 and Sonicwall 4060 Confusion Frustration

Unanswered Question
Oct 29th, 2009

Ok here is the scenerio. I have a public IP address of x.x.x.x that is nat'd to Traffic is sent from the ISP to which is the WAN side of my Sonicwall. The Sonicwall then sends traffic of to IP which is the Outside Interface of my ASA. Traffic is then supposed to go to which is a server on my DMZ interface of the ASA. Problem, I can see traffic coming in the ASA and being sent out to the Interface, but it never gets to my server. As a test, I can put a laptop on the network and use as its gateway and I can get to the webserver. I'm thinking it has something to do with NAT on the ASA but not for sure. I have suppplied a simple diagram for what I have.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
snickered Thu, 10/29/2009 - 17:54

Sounds like the SonicWall gets the packet destined for and doesn't know what to do with it. Add a static route on the SonicWall for the network is on.

ronald.lawrimore Thu, 10/29/2009 - 18:36

sonicwall log shows that is is pushing traffic out of and that is where is should be going.

snickered Thu, 10/29/2009 - 19:34

It really sounds like a routing problem. As soon as you plug in a laptop that has a default gateway of you can hit your webserver. Check the routing tables on the SonicWall to be sure it knows how to get to You said it reaches So, what happens after that? Another good TS'ing step would be to setup a capture on the interface to see if the traffic is actually getting that far. If it does then see if the traffic reaches the webserver with Wireshark/tcpdump on the webserver. If it does and you see the return traffic trying to go back maybe you don't have the routes setup properly on the ASA. Does the ASA know to get to the internet (default route)? Follow the packet.

Another thing it could be is internet traffic isn't allowed through the ASA. I know you said a laptop with the IP can hit the webserver... maybe you have allowed the network with and not internet traffic. Also, does the SonicWall allow the network with to the internet? It's been a while since I've messed with a SonicWall but I think you'll have to add that as a "trusted source" (or something similar) to allow traffic to pass. Same with the way in. Does the SonicWall allow internet traffic to destination IP

Too many variables. Sell the SonicWall on eBay. ;)

snickered Fri, 10/30/2009 - 22:16

That's a good drawing. Did you happen to get a capture on the interface or webserver? We need to make sure the packet is getting to the ASA or webserver. If it is then we can focus on the ASA.

Also, I don't really understand how your SonicWall knows traffic from 216.x.x.1 is NAT'ed. By the time the SonicWall gets the packet it should already be NAT'ed by the Adtran so, the SonicWall would see a packet that has a source address of the person on the internet making the request and a destination address of It shouldn't see the destination address of 216.x.x.1 if the Adtran is doing the translation. Here's how it would work:

Let's say someone is on the internet with IP address They make a request to your webserver at 216.x.x.1:80. So, the packet would look like:

src: dst: 216.x.x.1:80

(**note, I made up the source IP and port)

Once the Adtran sees the packet it will change the dst address to So, the packet will look like the following when the X1 interface on the SonicWall gets it:

src: dst:

Now, assuming the SonicWall has a route to the network and is allowed to send packets there it will route the packet to E0/7. When E0/7 gets the packet it will look like:

src: dst:

Once E0/7 gets the packet it will see is on a connected interface and send the packet out E0/6 (assuming it is allowed to).

Let's get a capture on the E0/7 interface as well as the webserver and we'll be able to see what's going on a little better.

ronald.lawrimore Tue, 11/03/2009 - 09:38

Ok, I've got my NAT working from the ISP. The Sonicwall is forwarding traffic to like is should. On the ASA I am getting this each time I try to browse to my webserver.

A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection

ronald.lawrimore Wed, 11/04/2009 - 04:39

It looks like it does, but I don't get my webpage. I think this message is because it is a multihomed server. Is there a way to bypass this message for this one server?

ronald.lawrimore Wed, 11/04/2009 - 05:41

Deny TCP (no connection) from to flags SYN ACK on interface inside

snickered Wed, 11/04/2009 - 07:37

Setup a sniffer on your webserver and see if the packet gets to the webserver. I don't know what to do about the error you're getting. To me the error looks like the SYN/ACK packet isn't getting back to the client therefore the client is retransmitting the SYN. Maybe someone else can clarify. At this point we have no idea where it's failing. Setup a sniffer on the webserver. We need to follow the packet to see what's going on.


This Discussion