Cisco Support Community

New Member

ASA-3-106001: Inbound TCP connection denied from flags SYN

Hi all, I need some help

I have 2 Cisco routers that reside on the same interface on a Cisco ASA. For security reasons, on both of the routers I have configured the default gateway to be the ASA interface, then static routes to them on the ASA. I get the following error when a station coming from the first router tries to connect to another station behind the second router (again, on the same interface, maybe this is the issue?).

ASA-3-106001: Inbound TCP connection denied from flags SYN

There is access list allowing traffic between but hit count is 0

Please help, it's kinda urgent

Regards

4 REPLIES
Red

ASA-3-106001: Inbound TCP connection denied from flags SYN

Can you share a brief topology and your configuration from the ASA?

Here's the meaning of the log:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4768860

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

ASA-3-106001: Inbound TCP connection denied from flags SYN

Yes, I already read that, but it is not clear to me. Well, like I said, 2 Cisco routers on the same ASA interface, both routers' default gateway is the ASA interface (the same). I have static routes to both of them on the ASA so it knows where each resides. What part of the ASA configuration do you need?

Can the problem be that the incoming packet that the ASA receives needs to be sent on the same interface it was received on, maybe? This kind of log I have never seen before...

Thanks in advance

Red

ASA-3-106001: Inbound TCP connection denied from flags SYN

You might just need to configure u-turning on the ASA, since both the routers are on the same interface, can you try the following:

nat (inside) 10 0.0.0.0 0.0.0.0
global (inside) 10 interface
same-security-traffic permit intra-interface
sysopt noproxyarp inside

If it still does not work, I would need the running-config from the ASA. The above configuration assumes that both the routers are behind the inside interface; if it is some other interface, kindly change the interface name in the nat & sysopt commands.

Thanks,
Varun Rao
Security Team,
Cisco TAC

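The replies above hinge on whether the denied connection is a hairpin (the ASA would have to send the packet back out the interface it arrived on). The following is an added example, not code from the thread or from Cisco: a small Python triage script that parses %ASA-3-106001 syslog lines (the full message carries source and destination IP/port, the TCP flags and the ingress interface name), looks the destination up in a table of the ASA's static routes, and flags flows whose egress interface equals the ingress interface. The route table and the log lines are constructed for the example, and the hypothetical addressing (10.1.0.0/16 behind router1, 10.2.0.0/16 behind router2, both via the inside interface) is an assumption.

```python
import ipaddress
import re

# Message layout of %ASA-3-106001 (Cisco ASA syslog reference):
# %ASA-3-106001: Inbound TCP connection denied from IP/port to IP/port
#                flags FLAGS on interface NAME
LOG_RE = re.compile(
    r"%ASA-3-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed static routes as (prefix, next hop, ASA interface).
# Hypothetical addressing: both routers sit on the inside interface.
ROUTES = [
    ("10.1.0.0/16", "192.168.1.2", "inside"),   # networks behind router1
    ("10.2.0.0/16", "192.168.1.3", "inside"),   # networks behind router2
    ("172.16.0.0/16", "192.168.2.2", "dmz"),    # a network on another interface
]

# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    "%ASA-3-106001: Inbound TCP connection denied from 10.1.5.20/51234 "
    "to 10.2.7.30/22 flags SYN on interface inside",
    "%ASA-3-106001: Inbound TCP connection denied from 10.1.5.20/51235 "
    "to 172.16.9.9/443 flags SYN on interface inside",
    "%ASA-6-302013: Built inbound TCP connection 12 for inside:10.1.5.20/51236",
]


def parse_106001(line):
    """Return the fields of a 106001 message as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    fields["flags"] = fields["flags"].strip()
    return fields


def egress_interface(dst_ip, routes=ROUTES):
    """Longest-prefix match of dst_ip against the static route table."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_iface = None, None
    for prefix, _nexthop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def classify(line, routes=ROUTES):
    """Label a 106001 line as hairpin, inter-interface or no-route."""
    fields = parse_106001(line)
    if fields is None:
        return None
    egress = egress_interface(fields["dst"], routes)
    if egress is None:
        verdict = "no-route"
    elif egress == fields["iface"]:
        # Packet would leave through the interface it entered: the ASA needs
        # same-security-traffic permit intra-interface (or a design change).
        verdict = "hairpin"
    else:
        verdict = "inter-interface"
    return {**fields, "egress": egress, "verdict": verdict}


def summarize(lines, routes=ROUTES):
    """Count verdicts over a batch of syslog lines, ignoring other message IDs."""
    counts = {"hairpin": 0, "inter-interface": 0, "no-route": 0}
    for line in lines:
        result = classify(line, routes)
        if result is not None:
            counts[result["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        result = classify(line)
        if result:
            print(f'{result["src"]}:{result["sport"]} -> {result["dst"]}:{result["dport"]} '
                  f'in={result["iface"]} out={result["egress"]} {result["verdict"]}')
    print(summarize(SAMPLE_LOG))
```

A "hairpin" verdict matches the situation in this thread: the SYN enters on inside and the route for the destination also points out inside, which is exactly the case the `same-security-traffic permit intra-interface` line addresses (or, as the next reply argues, a case to design away). An "inter-interface" verdict points at an ordinary ACL or NAT problem instead, so the two can be worked separately.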
VIP Purple

ASA-3-106001: Inbound TCP connection denied from flags SYN

The ASA is not the right device for hairpinning as you need to make sure that the ASA sees both ways of the connection.

There are two better ways to solve that problem:

1) Route directly from router1 to router2 and back for the traffic that needs to go to the other router. The ASA is not touched at all. If you want to firewall that traffic you could go for stateful inspection on the router.

2) The traffic has to go through the firewall. Then both routers should reside on different firewall-interfaces. You could implement that with VLANs and subinterfaces on the ASA so that there is no recabling needed.

There is a third way to achieve that, but I wouldn't recommend that:

3) Disable stateful inspection for that traffic on the ASA with the help of MPF.

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni