01-03-2014 03:41 AM - edited 03-07-2019 05:21 PM
I have stumbled across a weird problem on my Cisco ASA 5520 whereby I have two machines on two separate VLANs (management and TransitVlan) which are able to ping each other but not initiate a TCP connection. I ran the real-time log viewer and could see this when I try to telnet to the RDP port:
6|Jan 03 2014|13:56:18|302014|10.250.1.96|54421|172.16.52.101|3389|Teardown TCP connection 517901803 for management:10.250.1.96/54421 to TransitVlan:172.16.52.101/3389 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 03 2014|13:56:18|302013|10.250.1.96|54421|172.16.52.101|3389|Built inbound TCP connection 517901803 for management:10.250.1.96/54421 (10.250.1.96/54421) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)
6|Jan 03 2014|13:56:16|106015|10.250.1.96|54421|172.16.52.101|3389|Deny TCP (no connection) from 10.250.1.96/54421 to 172.16.52.101/3389 flags RST on interface management
6|Jan 03 2014|13:56:10|302014|10.250.1.96|54421|172.16.52.101|3389|Teardown TCP connection 517901679 for management:10.250.1.96/54421 to TransitVlan:172.16.52.101/3389 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 03 2014|13:56:10|302013|10.250.1.96|54421|172.16.52.101|3389|Built inbound TCP connection 517901679 for management:10.250.1.96/54421 (10.250.1.96/54421) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)
6|Jan 03 2014|13:56:09|106015|10.250.1.96|54421|172.16.52.101|3389|Deny TCP (no connection) from 10.250.1.96/54421 to 172.16.52.101/3389 flags RST on interface management
6|Jan 03 2014|13:56:06|302014|10.250.1.96|54421|172.16.52.101|3389|Teardown TCP connection 517901617 for management:10.250.1.96/54421 to TransitVlan:172.16.52.101/3389 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 03 2014|13:56:06|302013|10.250.1.96|54421|172.16.52.101|3389|Built inbound TCP connection 517901617 for management:10.250.1.96/54421 (10.250.1.96/54421) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)
6|Jan 03 2014|13:56:04|302014|10.250.1.96|54421|172.16.52.101|3389|Teardown TCP connection 517901585 for management:10.250.1.96/54421 to TransitVlan:172.16.52.101/3389 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 03 2014|13:56:04|302013|10.250.1.96|54421|172.16.52.101|3389|Built inbound TCP connection 517901585 for management:10.250.1.96/54421 (10.250.1.96/54421) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)
6|Jan 03 2014|13:56:03|302014|10.250.1.96|54421|172.16.52.101|3389|Teardown TCP connection 517901567 for management:10.250.1.96/54421 to TransitVlan:172.16.52.101/3389 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 03 2014|13:56:03|302013|10.250.1.96|54421|172.16.52.101|3389|Built inbound TCP connection 517901567 for management:10.250.1.96/54421 (10.250.1.96/54421) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)
My config:
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password xyz encrypted
passwd xyz encrypted
dns-guard
!
interface GigabitEthernet0/0
nameif Internet
security-level 0
ip address 200.200.200.225 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/1.10
vlan 10
nameif management
security-level 100
ip address 10.250.1.254 255.255.255.0
!
interface GigabitEthernet0/2
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/2.70
vlan 70
nameif TransitVlan
security-level 100
ip address 172.16.70.254 255.255.255.0
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif oob-mgmt
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq 82
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_9 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_2
network-object host 200.200.200.232
network-object host 200.200.200.233
network-object host 200.200.200.237
network-object host 200.200.200.238
object-group service DM_INLINE_TCP_10 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_6
network-object host 200.200.200.232
network-object host 200.200.200.233
network-object host 200.200.200.237
network-object host 200.200.200.238
object-group service DM_INLINE_TCP_12 tcp
port-object eq www
port-object eq https
object-group service piwi
service-object tcp source eq 989 eq 989
object-group service piwi-ssl
service-object tcp source eq 990 eq 990
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
object-group service http2 tcp
port-object eq 82
object-group service DM_INLINE_TCP_11 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_13 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_14 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_15 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_16 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_17 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_18 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_19 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_20 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_21 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_3
network-object host 200.200.200.229
network-object host 200.200.200.234
object-group service DM_INLINE_TCP_22 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_4
network-object host 200.200.200.240
network-object host 200.200.200.250
object-group service DM_INLINE_TCP_25 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_23 tcp
port-object eq 3306
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_24 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_27 tcp
port-object eq 9418
port-object eq www
port-object eq https
port-object eq 8080
port-object eq ssh
object-group network DM_INLINE_NETWORK_8
network-object host 10.250.1.30
object-group service DM_INLINE_TCP_28 tcp
port-object eq 3306
port-object eq 8080
port-object eq 9418
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_29 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_30 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_31 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list management_nat0_outbound extended permit ip 10.250.1.0 255.255.255.0 10.250.5.0 255.255.255.224
access-list management_nat0_outbound extended permit ip 10.250.2.0 255.255.255.0 10.250.5.0 255.255.255.224
access-list management_nat0_outbound extended permit ip 10.250.3.0 255.255.255.0 10.250.5.0 255.255.255.224
access-list management_nat0_outbound extended permit ip 10.250.4.0 255.255.255.0 10.250.5.0 255.255.255.224
access-list management_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.250.5.0 255.255.255.224
access-list management_nat0_outbound extended permit ip any 10.250.5.0 255.255.255.0
access-list management_nat0_outbound extended permit ip any 10.250.1.0 255.255.255.128
access-list management_nat0_outbound extended permit ip any 10.250.5.0 255.255.255.224
access-list management_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0
access-list mngmnt_lan_access_in extended permit ip any any
access-list All_subnets standard permit 10.250.1.0 255.255.255.0
access-list All_subnets standard permit 10.250.2.0 255.255.255.0
access-list All_subnets standard permit 10.250.3.0 255.255.255.0
access-list All_subnets standard permit 10.250.4.0 255.255.255.0
access-list All_subnets standard permit 192.168.1.0 255.255.255.0
access-list All_subnets standard permit 10.250.0.0 255.255.0.0
access-list All_subnets standard permit 10.0.0.0 255.0.0.0
access-list All_subnets standard permit 172.16.0.0 255.255.0.0
access-list mngmnt_lan_nat0_outbound extended permit ip any 10.250.1.0 255.255.255.0
access-list mngmnt_lan_nat0_outbound extended permit ip any 10.250.2.0 255.255.255.0
access-list mngmnt_lan_nat0_outbound extended permit ip any 10.250.3.0 255.255.255.0
access-list mngmnt_lan_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list mngmnt_lan_nat0_outbound extended permit ip any 10.250.5.0 255.255.255.0
access-list mngmnt_lan_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0 inactive
access-list inside_access_in_1 extended permit ip any any
access-list TransitVlan_nat0_outbound_1 remark access new infra from VPN
access-list TransitVlan_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.0.0 10.250.0.0 255.255.0.0
access-list TransitVlan_nat0_outbound_1 extended permit ip 10.250.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list management_access_in extended permit ip any any
access-list management_nat0_outbound_1 extended permit ip 10.250.1.0 255.255.255.0 10.250.0.0 255.255.255.0
access-list management_nat0_outbound_1 extended permit ip 10.250.1.0 255.255.255.0 10.250.0.0 255.255.0.0
access-list management_nat0_outbound_1 extended permit ip 10.250.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list management_nat0_outbound_1 extended permit ip 10.250.1.0 255.255.255.0 10.250.10.0 255.255.255.0
access-list management_nat0_outbound_1 remark access new infra from management
access-list management_nat0_outbound_1 extended permit ip 10.250.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list management_nat0_outbound_1 remark access new infra from VPN
access-list management_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.0.0 10.250.0.0 255.255.0.0
access-list TransitVlan_access_in extended permit ip any any
access-list TransitVlan_nat0_outbound extended permit ip any any
access-list TransitVlan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.250.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm errors
logging host management 10.250.1.110
mtu Internet 1500
mtu inside 1500
mtu oob-mgmt 1500
mtu VLAN20 1500
mtu live 1500
mtu management 1500
mtu TransitVlan 1500
ip local pool VPNpool 10.250.5.1-10.250.5.20 mask 255.255.255.0
ip verify reverse-path interface Internet
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/3
failover link Failover GigabitEthernet0/3
failover interface ip Failover 10.0.0.1 255.255.255.0 standby 10.0.0.2
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any oob-mgmt
icmp permit any VLAN20
icmp permit any live
icmp permit any management
icmp permit any TransitVlan
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Internet) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (oob-mgmt) 101 0.0.0.0 0.0.0.0
nat (VLAN20) 101 0.0.0.0 0.0.0.0
nat (live) 101 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound_1
nat (management) 101 0.0.0.0 0.0.0.0
nat (TransitVlan) 0 access-list TransitVlan_nat0_outbound_1
nat (TransitVlan) 101 0.0.0.0 0.0.0.0
access-group management_access_in in interface management
access-group TransitVlan_access_in in interface TransitVlan
route Internet 0.0.0.0 0.0.0.0 200.200.200.254 1
route TransitVlan 172.16.52.0 255.255.255.0 172.16.70.1 1
route TransitVlan 172.16.53.0 255.255.255.0 172.16.70.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp oob-mgmt
sysopt noproxyarp VLAN20
sysopt noproxyarp live
sysopt noproxyarp management
service resetoutside
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xyz
: end
01-04-2014 11:34 PM
Hello James,
Looks like asymmetric traffic.
do the following
cap capin interface inside match tcp host 10.250.5.12 host 172.16.52.101 eq 3389
cap capdmz interface management match tcp host 10.250.5.12 host 172.16.52.101 eq 3389
cap asp type asp-drop all circular-buffer
Then, and only then, try to initiate an RDP connection (ONLY one please).
After it fails provide
show cap capin
show cap capdmz
show cap asp | include 172.16.52.101
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-03-2014 05:23 AM
And this is the output of the real-time log viewer when I try to initiate Remote Desktop from my VPN client:
6|Jan 03 2014|14:20:44|302014|10.250.5.12|1403|172.16.52.101|3389|Teardown TCP connection 517929412 for Internet:10.250.5.12/1403 to TransitVlan:172.16.52.101/3389 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 03 2014|14:20:23|106015|172.16.52.101|3389|10.250.5.12|1403|Deny TCP (no connection) from 172.16.52.101/3389 to 10.250.5.12/1403 flags SYN ACK on interface management
6|Jan 03 2014|14:20:17|106015|172.16.52.101|3389|10.250.5.12|1403|Deny TCP (no connection) from 172.16.52.101/3389 to 10.250.5.12/1403 flags SYN ACK on interface management
6|Jan 03 2014|14:20:14|106015|172.16.52.101|3389|10.250.5.12|1403|Deny TCP (no connection) from 172.16.52.101/3389 to 10.250.5.12/1403 flags SYN ACK on interface management
6|Jan 03 2014|14:20:14|302013|10.250.5.12|1403|172.16.52.101|3389|Built inbound TCP connection 517929412 for Internet:10.250.5.12/1403 (10.250.5.12/1403) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)
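The two log excerpts in this thread carry the whole diagnosis if you read the message IDs together: a 302013 "Built" says which interface the ASA expects the far side on (TransitVlan), and the 106015 "Deny TCP (no connection)" for the reverse 4-tuple shows the SYN/ACK arriving on management instead, so the ASA has no matching connection on that interface and drops it. The script below is an added example, not code from the thread or from Cisco, that automates that correlation over the pipe-delimited ASDM lines. The sample lines are copied from the two excerpts above; the two regular expressions are assumptions derived from the message formats shown here, so other 302013/106015 wording variants may need adjusting. It deliberately does not flag forward-direction stragglers (such as the late client RST in the first excerpt), which are not asymmetry.

```python
import re
from collections import defaultdict

# ASDM real-time viewer lines copied from the thread (newest first, as ASDM shows them).
# Format: severity|date|time|msgid|src|sport|dst|dport|message
SAMPLE_LOG = """\
6|Jan 03 2014|14:20:44|302014|10.250.5.12|1403|172.16.52.101|3389|Teardown TCP connection 517929412 for Internet:10.250.5.12/1403 to TransitVlan:172.16.52.101/3389 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 03 2014|14:20:23|106015|172.16.52.101|3389|10.250.5.12|1403|Deny TCP (no connection) from 172.16.52.101/3389 to 10.250.5.12/1403 flags SYN ACK on interface management
6|Jan 03 2014|14:20:17|106015|172.16.52.101|3389|10.250.5.12|1403|Deny TCP (no connection) from 172.16.52.101/3389 to 10.250.5.12/1403 flags SYN ACK on interface management
6|Jan 03 2014|14:20:14|106015|172.16.52.101|3389|10.250.5.12|1403|Deny TCP (no connection) from 172.16.52.101/3389 to 10.250.5.12/1403 flags SYN ACK on interface management
6|Jan 03 2014|14:20:14|302013|10.250.5.12|1403|172.16.52.101|3389|Built inbound TCP connection 517929412 for Internet:10.250.5.12/1403 (10.250.5.12/1403) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)
6|Jan 03 2014|13:56:18|302014|10.250.1.96|54421|172.16.52.101|3389|Teardown TCP connection 517901803 for management:10.250.1.96/54421 to TransitVlan:172.16.52.101/3389 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 03 2014|13:56:18|302013|10.250.1.96|54421|172.16.52.101|3389|Built inbound TCP connection 517901803 for management:10.250.1.96/54421 (10.250.1.96/54421) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)
6|Jan 03 2014|13:56:16|106015|10.250.1.96|54421|172.16.52.101|3389|Deny TCP (no connection) from 10.250.1.96/54421 to 172.16.52.101/3389 flags RST on interface management
"""

# Assumed message layouts, derived from the lines above (other variants may differ).
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<iif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<oif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<sip>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dip>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>[\w-]+)"
)


def parse_lines(text):
    """Yield (msgid, message) for each pipe-delimited ASDM line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) < 9:
            continue
        yield parts[3], parts[8]


def find_asymmetric(text):
    """Correlate 302013 and 106015 messages and report return traffic on the wrong interface.

    For every built connection we remember the interface the ASA expects the server on.
    A 'no connection' deny for the *reverse* 4-tuple on any other interface means the
    server's reply took a path that bypasses that interface: asymmetric routing.
    Order does not matter (two passes), so newest-first ASDM output is fine.
    """
    flows = {}  # forward 4-tuple -> (conn id, client-side iface, server-side iface)
    for msgid, msg in parse_lines(text):
        if msgid != "302013":
            continue
        m = BUILT_RE.search(msg)
        if m:
            flows[(m["sip"], m["sport"], m["dip"], m["dport"])] = (m["cid"], m["iif"], m["oif"])

    hits = defaultdict(lambda: {"count": 0, "flags": set()})
    for msgid, msg in parse_lines(text):
        if msgid != "106015":
            continue
        m = DENY_RE.search(msg)
        if not m:
            continue
        reverse = (m["dip"], m["dport"], m["sip"], m["sport"])
        if reverse not in flows:
            continue  # forward-direction leftovers (e.g. a late client RST) are not asymmetry
        cid, _client_if, server_if = flows[reverse]
        if m["iface"] == server_if:
            continue  # reply came in where expected; some other reason for the drop
        h = hits[(cid, server_if, m["iface"])]
        h["count"] += 1
        h["flags"].add(m["flags"])

    return [
        {"conn": cid, "expected_on": exp, "seen_on": seen,
         "count": v["count"], "flags": sorted(v["flags"])}
        for (cid, exp, seen), v in hits.items()
    ]


if __name__ == "__main__":
    for f in find_asymmetric(SAMPLE_LOG):
        print(f"conn {f['conn']}: replies expected on {f['expected_on']} but "
              f"{f['count']} packet(s) with flags {f['flags']} arrived on {f['seen_on']}")
```

Run against the thread's own lines it reports exactly one finding: connection 517929412 was built toward TransitVlan, yet three SYN/ACKs from 172.16.52.101 came back on management, which is the same conclusion the accepted answer reaches and the packet captures it asks for would confirm. The same correlation works on a syslog export of the 302013/106015 messages if you adjust `parse_lines` to the export's delimiter.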
01-07-2014 05:13 PM
Thanks Julio!
01-07-2014 08:55 PM
Hello Arshad,
Sure,
Do you have any other question? Otherwise mark the question as answered.
01-22-2014 01:39 PM
On these hosts the Default gateway is pointing to the ASA?
And the subnet mask is equal to that configured on the ASA's interface?
The ASA is not a router; a subnet mismatch (sub/supernetting) is handled differently than on a router.
01-22-2014 01:57 PM
route TransitVlan 172.16.52.0 255.255.255.0 172.16.70.1 1
route TransitVlan 172.16.53.0 255.255.255.0 172.16.70.1 1
Does router 172.16.70.1 know it must send data to 10.x.x.x via this ASA?