New Member

ASA 5550 discard issues

I was getting tcp discards to the outside interface. I think I fixed that by using the "static (inside,outside) tcp interface" as suggested by others.

Then I eventually get a tcp source denied to the outside interface from the upstream router. So I modify the access-list to allow the router to the outside interface [/30 between the hosts]. Then I get a "Deny IP due to land attack" - I know why.

Anyone have a workaround or suggestions? This is all to get BGP peering across the ASA (v 8.0(4))

Thanks,

Pete


Accepted Solutions
Red

ASA 5550 discard issues

Can you try this:

ip verify reverse-path interface outside

Let me know how it goes.

Here is the command ref for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1878364

Hope that helps,

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

ASA 5550 discard issues

Ok. Thanks. I'll let you know tomorrow. Do you know if this is a code thing?

Here is an example from Cisco for peering between two routers. Seems easy enough, except I use /30 on either side of the ASA.

access-list acl-1 permit tcp host 172.16.13.4 host 172.16.11.1 eq bgp
access-group acl-1 in interface outside
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.11.1 172.16.11.1 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.16.12.2 1
route inside 192.168.10.0 255.255.255.0 172.16.11.1 1

BUT now to get rid of the tcp discards for bgp I have to do this:

static (inside,outside) tcp interface bgp 172.16.11.1 bgp netmask 255.255.255.255
nat (inside) 0 0.0.0.0 0.0.0.0 0 0

New Member

ASA 5550 discard issues

That did it. Thanks!
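
An added example, not part of the original thread: a small Python triage that counts the "Deny IP due to Land Attack" messages from the question and the reverse-path denies logged once `ip verify reverse-path` is enabled. The syslog IDs 106017 and 106021 and their wording follow Cisco's syslog message reference and are an assumption to check against your software version; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). Addresses reuse the
# 172.16.x.x example space quoted in the thread; 172.16.12.1 as the ASA
# outside address is an assumption.
SAMPLE_LOG = """\
Mar 01 10:00:01 asa %ASA-2-106017: Deny IP due to Land Attack from 172.16.12.1 to 172.16.12.1
Mar 01 10:00:02 asa %ASA-2-106017: Deny IP due to Land Attack from 172.16.12.1 to 172.16.12.1
Mar 01 10:00:05 asa %ASA-1-106021: Deny TCP reverse path check from 172.16.11.1 to 172.16.12.2 on interface outside
Mar 01 10:00:09 asa %ASA-6-302013: Built inbound TCP connection 42 for outside:172.16.12.2/35012 (172.16.12.2/35012) to inside:172.16.11.1/179 (172.16.11.1/179)
"""

# The severity digit is matched loosely because logging levels can be remapped.
LAND = re.compile(r"%ASA-\d-106017: Deny IP due to Land Attack from (\S+) to (\S+)")
RPF = re.compile(
    r"%ASA-\d-106021: Deny (\S+) reverse path check from (\S+) to (\S+) on interface (\S+)"
)


def summarize(log_text):
    """Count land-attack and reverse-path denies, keyed by the addresses involved."""
    land, rpf = Counter(), Counter()
    for line in log_text.splitlines():
        m = LAND.search(line)
        if m:
            land[(m.group(1), m.group(2))] += 1
            continue
        m = RPF.search(line)
        if m:
            proto, src, dst, ifc = m.groups()
            rpf[(ifc, src, dst, proto)] += 1
    return {"land": land, "rpf": rpf}


def self_addressed(summary):
    """Addresses seen as both source and destination of a land-attack deny.

    An address here that is also an ASA interface address points at a
    NAT/static rule on that interface rather than at a spoofing host.
    """
    return sorted({src for (src, dst) in summary["land"] if src == dst})


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, count in result["land"].items():
        print("land-attack deny", key, count)
    for key, count in result["rpf"].items():
        print("reverse-path deny", key, count)
    print("self-addressed:", self_addressed(result))
```
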
