Solved: ASA 5550 discard issues

xayavongp · ‎04-23-2012

I was getting tcp discards to ouside interface. I think I fixed that by using the "static (inside, outiside) tcp interface "

as suggested by others.

Then I eventually get a tcp source denied to the outside interface from the upstream router. SO I modify the access-list to allow the router to the outside interface [ /30 between the hosts]. Then I get a "Deny IP due to land attack" - I know why .

Anyone have a work around or suggestions ? This is all to get BGP peering across the ASA (v 8.0(4))

Thanks,

Pete

varrao · ‎04-23-2012

Can you try this:

ip verify reverse-path interface outside

Let me knoe how it goes,

Here the command ref for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1878364

Hope that helps,

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

varrao · ‎04-23-2012

Can you try this:

ip verify reverse-path interface outside

Let me knoe how it goes,

Here the command ref for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1878364

Hope that helps,

Thanks,

Varun

Thanks,
Varun Rao

xayavongp · ‎04-23-2012

Ok. Thanks. I'll let you know tomorrow. Do you know if this is a code thing ?

Here is an example from cisco for peering between two routers. Seems easy enough, except I use /30 on either side of the ASA.

access-list acl-1 permit tcp host 172.16.13.4 host 172.16.11.1 eq bgp
 access-group acl-1 in interface outside
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.11.1 172.16.11.1 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.16.12.2 1
route inside 192.168.10.0 255.255.255.0 172.16.11.1 1

BUT now to get rid of the tcp discards for bgp I have to do this:

static (inside,outside) tcp interface bgp 172.16.11.1 bgp netmask 255.255.255.255
nat (inside) 0 0.0.0.0 0.0.0.0 0 0

xayavongp · ‎04-24-2012

That did it. Thanks!