ASA 5550 discard issues

Answered Question
Apr 23rd, 2012

I was getting tcp discards to the outside interface. I think I fixed that by using the "static (inside, outside) tcp interface " as suggested by others.

Then I eventually get a tcp source denied to the outside interface from the upstream router. So I modify the access-list to allow the router to the outside interface [/30 between the hosts]. Then I get a "Deny IP due to land attack" - I know why.

Anyone have a workaround or suggestions? This is all to get BGP peering across the ASA (v 8.0(4))



Correct Answer by varrao about 1 year 12 months ago

Can you try this:

ip verify reverse-path interface outside

Let me know how it goes.

Here's the command ref for it:

Hope that helps,



xayavongp Mon, 04/23/2012 - 19:51

OK. Thanks. I'll let you know tomorrow. Do you know if this is a code thing?

Here is an example from Cisco for peering between two routers. Seems easy enough, except I use /30 on either side of the ASA.

access-list acl-1 permit tcp host host eq bgp
access-group acl-1 in interface outside
nat (inside) 0 0 0
static (inside,outside) netmask
route outside 1
route inside 1

BUT now to get rid of the tcp discards for bgp I have to do this:

static (inside,outside) tcp interface bgp bgp netmask
nat (inside) 0 0 0


Posted April 23, 2012 at 9:35 AM