Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ADSM deny message help?

Hi,

I am looking at the logs in the ADSM and I get the following set of lines (at the bottom).

What is supposed to be happening is that software on VISTA_CCTV on the inside is to talk to an internal address at 88.88.88.88.

VISTA_CCTV -- [ASA] >>>INTERNET<<<< [88.88.88.88]-- TECH_CCTV

However we are getting the deny message as shown below. The port supposedly used by the software (according to their tech guys) on the box is port 3000. So this has been allowed through on both sites. We seem to be able to get to the site fine through our pix at the other end, but we get the deny message on this ASA 5505. Can you help?

VISTA_CCTV OUTSIDE_IF Teardown dynamic TCP translation from inside:VISTA_CCTV/2272 to outside:OUTSIDE_IF/1055 duration 0:01:00

88.88.88.88 OUTSIDE_IF Deny TCP (no connection) from 88.88.88.88/3000 to OUTSIDE_IF/1055 flags PSH ACK on interface outside

88.88.88.88 VISTA_CCTV Teardown TCP connection 99 for outside:88.88.88.88/3000 to inside:VISTA_CCTV/2272 duration 0:00:40 bytes 263 TCP Reset-I

88.88.88.88 VISTA_CCTV Built outbound TCP connection 99 for outside:88.88.88.88/3000 (88.88.88.88/3000) to inside:VISTA_CCTV/2272 (OUTSIDE_IF/1055)

VISTA_CCTV OUTSIDE_IF Built dynamic TCP translation from inside:VISTA_CCTV/2272 to outside:OUTSIDE_IF/1055

access-list inside extended permit tcp any host OUTSIDE_IF eq 3000

static (inside,outside) tcp interface 3000 VISTA_CCTV 3000 netmask 255.255.255.255

3 REPLIES
Community Member

Re: ADSM deny message help?

The debug shows that the internal box send out a connection to 1055. The return traffic has no PAM rule for that so it's getting dropped..

88.88.88.88 is souricng the traffic form port 3000 and returning the traffic on the source port you initiated 1055. That will never work as state will break on the firewall.

You need to control the source and destination ports or change the way you are doing NAT.

Community Member

Re: ADSM deny message help?

First of all, Thankyou very much for your answer.

Secondly, this was working fine up to about a week ago, so I assume the ports the software is using must have changed as if it was just using port 3000 it should work?

Thanks again.

Community Member

Re: ADSM deny message help?

I would think so.

If they are trying to hit that NATTED address inbound then your rule and Nat rule should work.

Outbound as long as you're trying to get to the box on 3000 that should be ok too.

109
Views
0
Helpful
3
Replies
CreatePlease to create content