04-22-2010 09:23 AM - edited 03-11-2019 10:36 AM
I have the following config on FWSM and it works fine for Internet-bound access.
object-group network LAN
network-object 10.1.1.0 255.255.255.0
object-group network DMZ
network-object 192.168.1.0 255.255.255.0
nat (LAN) 1 0.0.0.0 0.0.0.0
global (outside) 1 <Public IP>
access-list CORP_ACL line 7 extended permit tcp object-group LAN any eq www <-- Tied to LAN interface inbound
I am getting the following error while trying to access DMZ from LAN:
2010-04-22T16:19:14+01:00 FWSM_ABC %FWSM-6-106015: Deny TCP (no connection) from 192.168.1.10/80 to 10.1.1.10/3735 flags SYN ACK on interface DMZ
I wonder if it is a NAT issue and whether the following config will fix it?
access-list CORP_ACL line 6 extended permit tcp object-group LAN object-group DMZ object-group LAN2DMZ_PORTS
access-list NAT_O extended permit tcp object-group LAN object-group DMZ object-group LAN2DMZ_PORTS
nat (inside) 0 access-list NAT_O
Thanks in advance.
04-22-2010 09:24 AM
correction:
The last config line is:
nat (LAN) 0 access-list NAT_O
04-22-2010 02:18 PM
It is probably not a NAT issue.
Check if your TCP SYN goes from inside to DMZ.
The syslog says that it has no connection knowledge about this connection. So the packet from the DMZ that is a response to a SYN packet is dropped.
Check if the SYN is routed through different interfaces in the ASA or if it is not hitting the ASA at all.
I hope it helps.
PK
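As an added illustration of the diagnosis in the reply above (not code from the thread), here is a small parser for %FWSM-6-106015 messages that groups the drops by flags and ingress interface: a "SYN ACK" deny with no connection means the firewall never built state from the forward SYN, which points at asymmetric routing or a SYN that bypassed the box rather than at NAT. The log lines are constructed in the format quoted in the question; the interface and address values are sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (same format as the 106015 message in the question).
SAMPLE_LOGS = [
    "2010-04-22T16:19:14+01:00 FWSM_ABC %FWSM-6-106015: Deny TCP (no connection) "
    "from 192.168.1.10/80 to 10.1.1.10/3735 flags SYN ACK on interface DMZ",
    "2010-04-22T16:19:15+01:00 FWSM_ABC %FWSM-6-106015: Deny TCP (no connection) "
    "from 192.168.1.10/80 to 10.1.1.10/3736 flags SYN ACK on interface DMZ",
    "2010-04-22T16:20:01+01:00 FWSM_ABC %FWSM-6-106015: Deny TCP (no connection) "
    "from 10.1.1.50/4455 to 192.168.1.10/80 flags ACK on interface LAN",
]

DENY_RE = re.compile(
    r"%FWSM-6-106015: Deny (?P<proto>\w+) \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

@dataclass(frozen=True)
class Deny:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    iface: str

def parse_deny(line):
    """Return a Deny for a 106015 line, or None if the line is something else."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return Deny(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                frozenset(m["flags"].split()), m["iface"])

def classify(d):
    # SYN ACK without state: the firewall never saw the SYN on any interface,
    # so the forward path bypassed it or entered via another interface.
    if d.flags == {"SYN", "ACK"}:
        return "reply-without-syn"
    # Bare ACK/data with no state: idle timeout, teardown, or mid-stream pickup.
    if "SYN" not in d.flags:
        return "mid-stream"
    return "other"

def summarize(lines):
    """Count denies per (class, ingress interface, server, server port)."""
    counts = {}
    for line in lines:
        d = parse_deny(line)
        if d is None:
            continue
        key = (classify(d), d.iface, d.src, d.sport)
        counts[key] = counts.get(key, 0) + 1
    return counts
```

A cluster of "reply-without-syn" entries on one interface for one server port is the pattern to correlate with the routing on the client side before touching the NAT configuration.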