ASA 5550 discard issues

Answered Question
Apr 23rd, 2012

I was getting tcp discards to outside interface. I think I fixed that by using the "static (inside,outside) tcp interface"

as suggested by others.

Then I eventually get a tcp source denied to the outside interface from the upstream router. So I modify the access-list to allow the router to the outside interface [ /30 between the hosts]. Then I get a "Deny IP due to land attack" - I know why.

Anyone have a work around or suggestions? This is all to get BGP peering across the ASA (v 8.0(4))

Thanks,

Pete

Correct Answer by varrao about 1 year 12 months ago

Can you try this:

ip verify reverse-path interface outside

Let me know how it goes,

Here is the command reference for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1878364

Hope that helps,

Thanks,

Varun

xayavongp Mon, 04/23/2012 - 19:51

Ok. Thanks. I'll let you know tomorrow. Do you know if this is a code thing?

Here is an example from Cisco for peering between two routers. Seems easy enough, except I use /30 on either side of the ASA.

access-list acl-1 permit tcp host 172.16.13.4 host 172.16.11.1 eq bgp
access-group acl-1 in interface outside
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.11.1 172.16.11.1 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.16.12.2 1
route inside 192.168.10.0 255.255.255.0 172.16.11.1 1

BUT now to get rid of the tcp discards for bgp I have to do this:

static (inside,outside) tcp interface bgp 172.16.11.1 bgp netmask 255.255.255.255
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
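The thread mentions three different drop reasons on the way to a working BGP session through the ASA: a tcp discard on the outside interface, a source denied by the outside access-list, and the "Deny IP due to land attack" drop; the suggested `ip verify reverse-path interface outside` adds a fourth possible drop reason, the reverse-path check, if the peer's source address is not reachable through the ingress interface. Each of these is logged by the ASA as a distinct syslog message ID. The Python script below is an added example, not code from this thread or from Cisco: it classifies syslog lines by those documented message IDs (106023 for an ACL deny, 106017 for a land-attack drop, 106021 for a reverse-path deny) and flags which of them involve the BGP port, so an operator can see from the syslog feed which check is actually discarding the peer's packets after each configuration change. The sample log lines, the interface names and the 172.16.x.x addresses are constructed for the example and mirror the addressing of the Cisco snippet above; only the message IDs and their text formats are Cisco's.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not captured from a real device), modelled on the
# documented ASA formats for an ACL deny (106023), a land-attack drop (106017),
# a reverse-path deny (106021) and, for contrast, a successful TCP connection (302013).
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:172.16.12.2/179 dst inside:172.16.11.1/179 by access-group "acl-1" [0x0, 0x0]
%ASA-2-106017: Deny IP due to Land Attack from 172.16.12.1 to 172.16.12.1
%ASA-1-106021: Deny tcp reverse path check from 172.16.11.1 to 172.16.12.2 on interface outside
%ASA-4-106023: Deny tcp src outside:172.16.12.2/179 dst inside:172.16.11.1/179 by access-group "acl-1" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12 for outside:172.16.12.2/179 (172.16.12.2/179) to inside:172.16.11.1/179 (172.16.11.1/179)
"""

BGP_PORT = "179"

# One regex per drop reason; named groups pull out the fields worth reporting.
PATTERNS = {
    "acl_deny": re.compile(
        r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
        r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'),
    "land_attack": re.compile(
        r'%ASA-\d-106017: Deny IP due to Land Attack from (?P<src>[\d.]+) to (?P<dst>[\d.]+)'),
    "rpf_deny": re.compile(
        r'%ASA-\d-106021: Deny (?P<proto>\w+) reverse path check from (?P<src>[\d.]+) '
        r'to (?P<dst>[\d.]+) on interface (?P<iface>\w+)'),
}

# What each drop reason means, stated from the ASA's point of view.
HINTS = {
    "acl_deny": "packet did not match a permit in the access-group applied to the ingress interface",
    "land_attack": "source and destination address are identical, so the ASA drops the packet",
    "rpf_deny": "source address is not reachable via the ingress interface per the routing table (ip verify reverse-path)",
}


def classify(line):
    """Return a dict of fields plus 'kind' for a recognised drop line, else None."""
    for kind, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match:
            event = match.groupdict()
            event["kind"] = kind
            return event
    return None


def involves_bgp(event):
    """True when either port field of the event is the BGP port (179)."""
    return event.get("sport") == BGP_PORT or event.get("dport") == BGP_PORT


def summarize(log_text):
    """Count recognised drop reasons across a block of syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        event = classify(line)
        if event is not None:
            counts[event["kind"]] += 1
    return counts


def report(log_text):
    """Build a human-readable list of drop events with their interpretation."""
    lines = []
    for line in log_text.splitlines():
        event = classify(line)
        if event is None:
            continue
        tag = " [bgp]" if involves_bgp(event) else ""
        lines.append(f"{event['kind']}{tag}: {event['src']} -> {event['dst']}: {HINTS[event['kind']]}")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
    print(dict(summarize(SAMPLE_LOG)))
```

The land-attack and reverse-path messages carry no port numbers, so only the ACL deny can be tied to port 179 directly; for the other two, the addresses (the /30 link and the peer behind the ASA) are what identify them as the BGP session's packets.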

Posted April 23, 2012 at 9:35 AM