LAN to DMZ access on FWSM

Unanswered Question
Apr 22nd, 2010

I have following config on FWSM and it works fine for Internet bound access.

object-group network LAN
network-object 10.1.1.0 255.255.255.0

object-group network DMZ
network-object 192.168.1.0 255.255.255.0

nat (LAN) 1 0.0.0.0 0.0.0.0
global (outside) 1 <Public IP>

access-list CORP_ACL line 7 extended permit tcp object-group LAN any eq www <-- Tied to LAN interface inbound


I am getting following error while trying to access DMZ from LAN:


010-04-22T16:19:14+01:00 FWSM_ABC %FWSM-6-106015: Deny TCP (no connection) from 192.168.1.10/80 to 10.1.1.10/3735 flags SYN ACK on interface DMZ


I wonder if it is a NAT issue, and whether the following config will fix it?


access-list CORP_ACL line 6 extended permit tcp object-group LAN object-group DMZ object-group LAN2DMZ_PORTS

access-list NAT_O extended permit tcp object-group LAN object-group DMZ object-group LAN2DMZ_PORTS

nat (LAN) 0 access-list NAT_O


Thanks in advance.

Panos Kampanakis (Cisco Employee) Thu, 04/22/2010 - 14:18

It is probably not a nat issue.


Check if your TCP SYN goes from inside to dmz.


The syslog says that I have no connection knowledge about this connection. So the packet from the DMZ that is a response of a SYN packet is dropped.

Check if the SYN is routed through different interfaces in the ASA or if it is not hitting the ASA at all.


I hope it helps.


PK
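As an added illustration of the diagnosis in the reply above (example code, not from the thread or from Cisco): a small Python triage that parses %FWSM-6-106015 "no connection" syslog lines and separates SYN+ACK replies the firewall holds no state for (the client's SYN never built a connection entry on this box, so the forward path is asymmetric) from other stateless packets. The sample log lines are constructed; the class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines modelled on the %FWSM-6-106015 message in the thread.
SAMPLE_LOGS = [
    "2010-04-22T16:19:14+01:00 FWSM_ABC %FWSM-6-106015: Deny TCP (no connection) "
    "from 192.168.1.10/80 to 10.1.1.10/3735 flags SYN ACK on interface DMZ",
    "2010-04-22T16:19:20+01:00 FWSM_ABC %FWSM-6-106015: Deny TCP (no connection) "
    "from 192.168.1.10/443 to 10.1.1.11/40021 flags ACK on interface DMZ",
    "2010-04-22T16:19:31+01:00 FWSM_ABC %FWSM-6-302013: Built inbound TCP connection "
    "12345 for LAN:10.1.1.10/3736 (10.1.1.10/3736) to DMZ:192.168.1.10/80 (192.168.1.10/80)",
]

DENY_RE = re.compile(
    r"%FWSM-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

@dataclass(frozen=True)
class NoConnDeny:
    src: str
    sport: int
    dst: str
    dport: int
    flags: Tuple[str, ...]
    iface: str

    def classify(self) -> str:
        # SYN+ACK with no state: the firewall never saw the client's SYN, so the
        # forward path bypassed it or entered on another interface (asymmetric routing).
        if "SYN" in self.flags and "ACK" in self.flags:
            return "handshake_reply_without_syn"
        # Any other stateless packet is mid-stream, e.g. the entry already timed out.
        return "mid_stream_without_state"

def parse_no_conn_deny(line: str) -> Optional[NoConnDeny]:
    m = DENY_RE.search(line)  # None for every message other than 106015
    if not m:
        return None
    return NoConnDeny(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                      tuple(m["flags"].split()), m["iface"])

def triage(lines: List[str]) -> Dict[str, int]:
    # Count 106015 denies per class; many SYN+ACK entries point at asymmetric routing.
    counts: Dict[str, int] = {}
    for deny in filter(None, map(parse_no_conn_deny, lines)):
        counts[deny.classify()] = counts.get(deny.classify(), 0) + 1
    return counts
```

Run triage() over a syslog export: a steady stream of handshake_reply_without_syn entries on the DMZ interface for LAN destinations is the signature of the SYN not traversing the FWSM, which is what the reply suggests checking.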
