I have stumbled across a weird problem on my Cisco ASA 5520 whereby I have two machines on two separate VLANs (management and TransitVLAN) which are able to ping each other but not initiate a tcp connection. I ran a realtime log viewer and could see this when I try to telnet on the RDP port:

6|Jan 03 2014|13:56:18|302014|10.250.1.96|54421|172.16.52.101|3389|Teardown TCP connection 517901803 for management:10.250.1.96/54421 to TransitVlan:172.16.52.101/3389 duration 0:00:00 bytes 0 TCP Reset-O

6|Jan 03 2014|13:56:18|302013|10.250.1.96|54421|172.16.52.101|3389|Built inbound TCP connection 517901803 for management:10.250.1.96/54421 (10.250.1.96/54421) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)

6|Jan 03 2014|13:56:16|106015|10.250.1.96|54421|172.16.52.101|3389|Deny TCP (no connection) from 10.250.1.96/54421 to 172.16.52.101/3389 flags RST  on interface management

6|Jan 03 2014|13:56:10|302014|10.250.1.96|54421|172.16.52.101|3389|Teardown TCP connection 517901679 for management:10.250.1.96/54421 to TransitVlan:172.16.52.101/3389 duration 0:00:00 bytes 0 TCP Reset-O

6|Jan 03 2014|13:56:10|302013|10.250.1.96|54421|172.16.52.101|3389|Built inbound TCP connection 517901679 for management:10.250.1.96/54421 (10.250.1.96/54421) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)

6|Jan 03 2014|13:56:09|106015|10.250.1.96|54421|172.16.52.101|3389|Deny TCP (no connection) from 10.250.1.96/54421 to 172.16.52.101/3389 flags RST  on interface management

6|Jan 03 2014|13:56:06|302014|10.250.1.96|54421|172.16.52.101|3389|Teardown TCP connection 517901617 for management:10.250.1.96/54421 to TransitVlan:172.16.52.101/3389 duration 0:00:00 bytes 0 TCP Reset-O

6|Jan 03 2014|13:56:06|302013|10.250.1.96|54421|172.16.52.101|3389|Built inbound TCP connection 517901617 for management:10.250.1.96/54421 (10.250.1.96/54421) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)

6|Jan 03 2014|13:56:04|302014|10.250.1.96|54421|172.16.52.101|3389|Teardown TCP connection 517901585 for management:10.250.1.96/54421 to TransitVlan:172.16.52.101/3389 duration 0:00:00 bytes 0 TCP Reset-O

6|Jan 03 2014|13:56:04|302013|10.250.1.96|54421|172.16.52.101|3389|Built inbound TCP connection 517901585 for management:10.250.1.96/54421 (10.250.1.96/54421) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)

6|Jan 03 2014|13:56:03|302014|10.250.1.96|54421|172.16.52.101|3389|Teardown TCP connection 517901567 for management:10.250.1.96/54421 to TransitVlan:172.16.52.101/3389 duration 0:00:00 bytes 0 TCP Reset-O

6|Jan 03 2014|13:56:03|302013|10.250.1.96|54421|172.16.52.101|3389|Built inbound TCP connection 517901567 for management:10.250.1.96/54421 (10.250.1.96/54421) to TransitVlan:172.16.52.101/3389 (172.16.52.101/3389)

My config:

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

enable password xyz encrypted

passwd xyz encrypted

dns-guard

!

interface GigabitEthernet0/0

nameif Internet

security-level 0

ip address 200.200.200.225 255.255.255.224

!

interface GigabitEthernet0/1

nameif inside

security-level 100

no ip address

!

interface GigabitEthernet0/1.10

vlan 10

nameif management

security-level 100

ip address 10.250.1.254 255.255.255.0

!

interface GigabitEthernet0/2

no nameif

security-level 100

no ip address

!

interface GigabitEthernet0/2.70

vlan 70

nameif TransitVlan

security-level 100

ip address 172.16.70.254 255.255.255.0

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

nameif oob-mgmt

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

port-object eq 82

object-group service DM_INLINE_TCP_5 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_6 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_4 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_9 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_2

network-object host 200.200.200.232

network-object host 200.200.200.233

network-object host 200.200.200.237

network-object host 200.200.200.238

object-group service DM_INLINE_TCP_10 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_6

network-object host 200.200.200.232

network-object host 200.200.200.233

network-object host 200.200.200.237

network-object host 200.200.200.238

object-group service DM_INLINE_TCP_12 tcp

port-object eq www

port-object eq https

object-group service piwi

service-object tcp source eq 989 eq 989

object-group service piwi-ssl

service-object tcp source eq 990 eq 990

object-group service DM_INLINE_TCP_0 tcp

port-object eq www

port-object eq https

object-group service http2 tcp

port-object eq 82

object-group service DM_INLINE_TCP_11 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_13 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_14 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_15 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_16 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_17 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_18 tcp

port-object eq www

port-object eq https

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_TCP_19 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_20 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_21 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_3

network-object host 200.200.200.229

network-object host 200.200.200.234

object-group service DM_INLINE_TCP_22 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_4

network-object host 200.200.200.240

network-object host 200.200.200.250

object-group service DM_INLINE_TCP_25 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_23 tcp

port-object eq 3306

port-object eq www

port-object eq https

port-object eq ssh

object-group service DM_INLINE_TCP_24 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_27 tcp

port-object eq 9418

port-object eq www

port-object eq https

port-object eq 8080

port-object eq ssh

object-group network DM_INLINE_NETWORK_8

network-object host 10.250.1.30

object-group service DM_INLINE_TCP_28 tcp

port-object eq 3306

port-object eq 8080

port-object eq 9418

port-object eq www

port-object eq https

port-object eq ssh

object-group service DM_INLINE_TCP_29 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_30 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_31 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

access-list management_nat0_outbound extended permit ip 10.250.1.0 255.255.255.0 10.250.5.0 255.255.255.224

access-list management_nat0_outbound extended permit ip 10.250.2.0 255.255.255.0 10.250.5.0 255.255.255.224

access-list management_nat0_outbound extended permit ip 10.250.3.0 255.255.255.0 10.250.5.0 255.255.255.224

access-list management_nat0_outbound extended permit ip 10.250.4.0 255.255.255.0 10.250.5.0 255.255.255.224

access-list management_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.250.5.0 255.255.255.224

access-list management_nat0_outbound extended permit ip any 10.250.5.0 255.255.255.0

access-list management_nat0_outbound extended permit ip any 10.250.1.0 255.255.255.128

access-list management_nat0_outbound extended permit ip any 10.250.5.0 255.255.255.224

access-list management_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0 

access-list mngmnt_lan_access_in extended permit ip any any

access-list All_subnets standard permit 10.250.1.0 255.255.255.0

access-list All_subnets standard permit 10.250.2.0 255.255.255.0

access-list All_subnets standard permit 10.250.3.0 255.255.255.0

access-list All_subnets standard permit 10.250.4.0 255.255.255.0

access-list All_subnets standard permit 192.168.1.0 255.255.255.0

access-list All_subnets standard permit 10.250.0.0 255.255.0.0

access-list All_subnets standard permit 10.0.0.0 255.0.0.0

access-list All_subnets standard permit 172.16.0.0 255.255.0.0

access-list mngmnt_lan_nat0_outbound extended permit ip any 10.250.1.0 255.255.255.0

access-list mngmnt_lan_nat0_outbound extended permit ip any 10.250.2.0 255.255.255.0

access-list mngmnt_lan_nat0_outbound extended permit ip any 10.250.3.0 255.255.255.0

access-list mngmnt_lan_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

access-list mngmnt_lan_nat0_outbound extended permit ip any 10.250.5.0 255.255.255.0

access-list mngmnt_lan_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0 inactive

access-list inside_access_in_1 extended permit ip any any

access-list TransitVlan_nat0_outbound_1 remark access new infra from VPN

access-list TransitVlan_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.0.0 10.250.0.0 255.255.0.0

access-list TransitVlan_nat0_outbound_1 extended permit ip 10.250.0.0 255.255.0.0 172.16.0.0 255.255.0.0

access-list management_access_in extended permit ip any any

access-list management_nat0_outbound_1 extended permit ip 10.250.1.0 255.255.255.0 10.250.0.0 255.255.255.0

access-list management_nat0_outbound_1 extended permit ip 10.250.1.0 255.255.255.0 10.250.0.0 255.255.0.0

access-list management_nat0_outbound_1 extended permit ip 10.250.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list management_nat0_outbound_1 extended permit ip 10.250.1.0 255.255.255.0 10.250.10.0 255.255.255.0

access-list management_nat0_outbound_1 remark access new infra from management

access-list management_nat0_outbound_1 extended permit ip 10.250.0.0 255.255.0.0 172.16.0.0 255.255.0.0

access-list management_nat0_outbound_1 remark access new infra from VPN

access-list management_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.0.0 10.250.0.0 255.255.0.0

access-list TransitVlan_access_in extended permit ip any any

access-list TransitVlan_nat0_outbound extended permit ip any any

access-list TransitVlan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.250.0.0 255.255.0.0

pager lines 24

logging enable

logging asdm errors

logging host management 10.250.1.110

mtu Internet 1500

mtu inside 1500

mtu oob-mgmt 1500

mtu VLAN20 1500

mtu live 1500

mtu management 1500

mtu TransitVlan 1500

ip local pool VPNpool 10.250.5.1-10.250.5.20 mask 255.255.255.0

ip verify reverse-path interface Internet

failover

failover lan unit primary

failover lan interface Failover GigabitEthernet0/3

failover link Failover GigabitEthernet0/3

failover interface ip Failover 10.0.0.1 255.255.255.0 standby 10.0.0.2

monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Internet

icmp permit any oob-mgmt

icmp permit any VLAN20

icmp permit any live

icmp permit any management

icmp permit any TransitVlan

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (Internet) 101 interface

nat (inside) 101 0.0.0.0 0.0.0.0

nat (oob-mgmt) 101 0.0.0.0 0.0.0.0

nat (VLAN20) 101 0.0.0.0 0.0.0.0

nat (live) 101 0.0.0.0 0.0.0.0

nat (management) 0 access-list management_nat0_outbound_1

nat (management) 101 0.0.0.0 0.0.0.0

nat (TransitVlan) 0 access-list TransitVlan_nat0_outbound_1

nat (TransitVlan) 101 0.0.0.0 0.0.0.0

access-group management_access_in in interface management

access-group TransitVlan_access_in in interface TransitVlan

route Internet 0.0.0.0 0.0.0.0 200.200.200.254 1

route TransitVlan 172.16.52.0 255.255.255.0 172.16.70.1 1

route TransitVlan 172.16.53.0 255.255.255.0 172.16.70.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

sysopt noproxyarp oob-mgmt

sysopt noproxyarp VLAN20

sysopt noproxyarp live

sysopt noproxyarp management

service resetoutside

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xyz

: end