%ASA-6-106015: Deny TCP (no connection) from coa-dun-web1-front/80 to sol-dun-hobbit1/50692 flags SYN ACK on interface internal-vlan-20
when I try to connect from sol-dun-hobbit1 to coa-dun-web1-front. Now, there is a slight problem in the topology here. This ASA has two sub-interfaces, one of which connects to the "front-end IPs" of the web boxes it is protecting and another to the back-end IPs. Both Front and Back networks are separate VLANs and terminate only on the ASA (the gateway is the ASA). The problem is, when I connect from sol-dun-hobbit (from an outside interface, here the interface is called management) the packet is transmitted out of the ASA on vlan 10 (on sub-interface = internal-10) and then the reply comes back on a different sub-interface = internal-20. I cannot do anything about the packet coming in; I'm trying to get the ASA to recognise that the reply is part of an earlier connection attempt, which the ASA doesn't seem to be doing.
The SYN never flowed in this direction and the firewall did not have the SYN entry in the table, but the SYN ACK tries to go through the firewall; this violates the stateful nature of the firewall and thus you see this log.
There is asymmetric routing that's happening and you need to correct that.
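The reply above explains what the 106015 message means: a segment arrived that belongs to no connection in the state table, and the SYN ACK flags tell you it is a server's answer to a handshake the ASA never saw. The following is an added example, not code from the thread or from Cisco: a small parser for this message that separates "reply without a SYN" events (the asymmetric-routing signature) from stray RST/ACK segments, and then groups them per source, destination and interface, because a routing problem shows up as the same host pair on the same interface again and again. The regex is built from the shape of the line quoted in the question; the sample log below is constructed for the example and only its first line is taken from the thread.

```python
import re
from collections import Counter

# Pattern built from the message shape in the thread:
# %ASA-6-106015: Deny TCP (no connection) from SRC/SPORT to DST/DPORT flags FLAGS on interface IFACE
# search() rather than match() so a syslog timestamp/hostname prefix does not matter.
ASA_106015 = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample log for this example. Line 1 is the message from the question;
# the other hosts use documentation address ranges and are made up.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from coa-dun-web1-front/80 to sol-dun-hobbit1/50692 flags SYN ACK on interface internal-vlan-20
%ASA-6-106015: Deny TCP (no connection) from coa-dun-web1-front/80 to sol-dun-hobbit1/50693 flags SYN ACK on interface internal-vlan-20
%ASA-6-106015: Deny TCP (no connection) from coa-dun-web1-front/80 to sol-dun-hobbit1/50694 flags SYN ACK on interface internal-vlan-20
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 192.0.2.10/41022 flags RST on interface outside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/3389 to 192.0.2.10/41023 flags SYN ACK on interface outside
%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.0.2.10/41022 (192.0.2.10/41022)
"""


def parse_106015(line):
    """Return a dict for a 106015 line, or None for any other message."""
    m = ASA_106015.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = rec["flags"].split()
    return rec


def classify(rec):
    """Label a parsed 106015 record by what the TCP flags say about it."""
    flags = set(rec["flags"])
    if flags == {"SYN", "ACK"}:
        # Second step of the handshake with no first step in the state table:
        # the SYN went around the ASA, or the ASA dropped it and the server replied anyway.
        return "synack_no_connection"
    if "RST" in flags:
        # Late RSTs after a connection was torn down are common and usually benign.
        return "rst_no_connection"
    return "other_no_connection"


def summarize(text):
    """Count 106015 classes across a whole log text."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_106015(line)
        if rec:
            counts[classify(rec)] += 1
    return counts


def asymmetric_routing_candidates(lines, min_count=2):
    """Host pairs whose SYN ACKs keep being denied on one interface.

    A scan or a single stale reply gives one hit; a routing problem gives the
    same (src, dst, iface) triple for every new client port, as in the thread.
    Returns [(src, dst, iface, count), ...] sorted by count, highest first.
    """
    per_pair = Counter()
    for line in lines:
        rec = parse_106015(line)
        if rec and classify(rec) == "synack_no_connection":
            per_pair[(rec["src"], rec["dst"], rec["iface"])] += 1
    return sorted(
        [(src, dst, iface, n) for (src, dst, iface), n in per_pair.items() if n >= min_count],
        key=lambda t: -t[3],
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for src, dst, iface, n in asymmetric_routing_candidates(SAMPLE_LOG.splitlines()):
        print(f"{n} denied SYN ACKs from {src} to {dst} on {iface}: check the return path")
```

The grouping key deliberately ignores the client port: in the thread every new connection attempt uses a fresh source port on sol-dun-hobbit1 while the server side, destination and interface stay constant, which is exactly the pattern that distinguishes a misrouted return path from unrelated stray segments.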
I do appreciate that it's asymmetric routing; at the moment, I have no way to make it symmetric. In Check Point, you could stop anti-spoofing tests in similar situations. While this is not a spoofing problem, I am trying to find ways to make the ASA relate the connection attempt and reply.
However, I couldn't use this either; I think that was because of license issues.
Anyway, I am now using just plain NAT to fool the web servers so that symmetric routing does take place. This is not ideal (symmetric routing is, but not the NAT); however, I've got no other solution right now.