LAN to DMZ access on FWSM

Muhammad Khan
Level 1

I have the following config on FWSM and it works fine for Internet-bound access.

object-group network LAN
network-object 10.1.1.0 255.255.255.0

object-group network DMZ
network-object 192.168.1.0 255.255.255.0

nat (LAN) 1 0.0.0.0 0.0.0.0
global (outside) 1 <Public IP>

access-list CORP_ACL line 7 extended permit tcp object-group LAN any eq www <-- Tied to LAN interface inbound


I am getting following error while trying to access DMZ from LAN:

010-04-22T16:19:14+01:00 FWSM_ABC %FWSM-6-106015: Deny TCP (no connection) from 192.168.1.10/80 to 10.1.1.10/3735 flags SYN ACK on interface DMZ


I wonder if it is a NAT issue and whether the following config will fix it?

access-list CORP_ACL line 6 extended permit tcp object-group LAN object-group DMZ object-group LAN2DMZ_PORTS

access-list NAT_O extended permit tcp object-group LAN object-group DMZ object-group LAN2DMZ_PORTS

nat (inside) 0 access-list NAT_O

Thanks in advance.

2 Replies

Muhammad Khan
Level 1

correction:

Last config line is

nat (LAN) 0 access-list NAT_O

Panos Kampanakis
Cisco Employee

It is probably not a NAT issue.

Check if your TCP SYN goes from inside to dmz.

The syslog says that I have no connection knowledge about this connection. So the packet from the DMZ that is a response of a SYN packet is dropped.

Check if the SYN is routed through different interfaces in the ASA or if it is not hitting the ASA at all.

I hope it helps.

PK
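An added example, not part of the thread: a small Python parser for the %FWSM-6-106015 "Deny ... (no connection)" message quoted in the question, which applies PK's reasoning that a SYN ACK with no connection entry means the firewall never saw the client's SYN (a routing or path problem, not NAT). The sample log lines are constructed and modelled on the one in the question; nothing here is Cisco code.

```python
import re
from collections import namedtuple
from typing import Optional

# Matches the FWSM/ASA 106015 "Deny <proto> (no connection)" message body.
LOG_RE = re.compile(
    r"%FWSM-6-106015: Deny (?P<proto>\w+) \(no connection\) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

NoConnDrop = namedtuple("NoConnDrop", "proto src sport dst dport flags iface")

def parse_106015(line: str) -> Optional[NoConnDrop]:
    """Return the parsed drop, or None if the line is not a 106015 message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return NoConnDrop(m["proto"], m["src"], int(m["sport"]), m["dst"],
                      int(m["dport"]), frozenset(m["flags"].split()), m["iface"])

def diagnose(drop: NoConnDrop) -> str:
    """Explain what a 106015 drop implies about the traffic path."""
    if drop.flags == {"SYN", "ACK"}:
        # The server's SYN/ACK arrived, but no connection was built for the
        # client's SYN: the SYN took another path or never hit the firewall.
        return (f"asymmetric path: SYN from {drop.dst} to {drop.src}:{drop.sport} "
                f"was not seen by the firewall; reply dropped on {drop.iface}")
    if "RST" in drop.flags:
        return "stale reset, usually harmless"
    return "mid-stream packet with no state (connection timed out or failover)"

# Constructed sample lines; the first mirrors the one quoted in the question.
SAMPLE_LOGS = [
    "2010-04-22T16:19:14+01:00 FWSM_ABC %FWSM-6-106015: Deny TCP (no connection) "
    "from 192.168.1.10/80 to 10.1.1.10/3735 flags SYN ACK on interface DMZ",
    "2010-04-22T16:20:01+01:00 FWSM_ABC %FWSM-6-106015: Deny TCP (no connection) "
    "from 10.1.1.10/3736 to 192.168.1.10/80 flags ACK on interface LAN",
    "2010-04-22T16:20:05+01:00 FWSM_ABC %FWSM-6-302013: Built inbound TCP connection",
]

def diagnose_all(lines):
    """Parse every line, keep only 106015 drops, and pair each with its diagnosis."""
    return [(d.iface, diagnose(d)) for d in map(parse_106015, lines) if d]
```

Run `diagnose_all(SAMPLE_LOGS)` against the lines above: the DMZ drop is reported as an asymmetric path, the LAN drop as a stateless mid-stream packet, and the 302013 line is ignored.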
