New Member

Cisco ASA 5520: Static Route to internal VPN Gateway, TCP Reset-O

Our ASA 5520 is configured as the default gateway on our network, 10.31.0.254/16. We have a separate VPN gateway at 10.31.255.254/16 that connects our school back to other sites in the district. (Normally, that VPN box is the default gateway for the rest of the district, but because of our heavy web traffic and Static NAT requirements we installed a 5520 in parallel to the VPN box.)

The VPN link is up and connects our 10.31.0.0 subnet to the following networks: 10.12.0.0, 10.63.0.0, etc. (each school's site code). The VPN has a dual NIC; 10.31.255.254 is on the same switch as the Inside interface.

I have the following static routes defined:

route Inside 10.12.0.0 255.255.0.0 10.31.255.254 1
route Inside 10.18.0.0 255.255.0.0 10.31.255.254 1
route Inside 10.61.0.0 255.255.0.0 10.31.255.254 1
route Inside 10.63.0.0 255.255.0.0 10.31.255.254 1
route Inside 10.64.0.0 255.255.0.0 10.31.255.254 1

object-group network DM_INLINE_NETWORK_1
 network-object 10.12.0.0 255.255.0.0
 network-object 10.18.0.0 255.255.0.0
 network-object 10.61.0.0 255.255.0.0
 network-object 10.63.0.0 255.255.0.0
 network-object 10.64.0.0 255.255.0.0

access-list Outside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any any
access-list Inside_nat0_outbound extended permit ip any 10.31.224.0 255.255.252.0
access-list Inside_nat0_outbound extended permit ip any 10.31.227.0 255.255.255.240
access-list Inside_nat0_outbound extended permit ip 10.31.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1

I can ping any IP within the defined routes from a workstation, and the packet trace passes in ASDM, but as soon as I try to initiate a session (HTTP, SSH, Telnet) it drops them with the following log entries:

6|Jun 18 2008|15:54:35|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575385 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)
6|Jun 18 2008|15:54:35|302014|10.31.200.43|10.18.0.1|Teardown TCP connection 5575355 for Inside:10.31.200.43/2935 to Inside:10.18.0.1/25 duration 0:00:05 bytes 0 TCP Reset-O
6|Jun 18 2008|15:54:29|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575355 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)
6|Jun 18 2008|15:54:28|106015|10.31.200.43|10.18.0.1|Deny TCP (no connection) from 10.31.200.43/2935 to 10.18.0.1/25 flags RST  on interface Inside
6|Jun 18 2008|15:54:26|302014|10.31.200.43|10.18.0.1|Teardown TCP connection 5575326 for Inside:10.31.200.43/2935 to Inside:10.18.0.1/25 duration 0:00:00 bytes 0 TCP Reset-O
6|Jun 18 2008|15:54:26|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575326 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)
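
The pattern in those entries (a 302013 Built immediately followed by a 302014 Teardown with "bytes 0 TCP Reset-O", plus 106015 RSTs the ASA has no connection state for, all on the Inside interface) is worth spotting automatically whenever a second gateway sits on the same segment as the firewall. The Python script below is an added example, not part of the original thread: it parses the pipe-delimited ASDM export format shown above and reports such connections. The sample log is constructed from the post's entries, with one healthy Outside flow (constructed address 198.51.100.9) added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the pipe-delimited ASDM export format used in the post
# (same message IDs, newest-first order); one healthy Outside flow added for contrast.
SAMPLE_LOG = """\
6|Jun 18 2008|15:54:35|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575385 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)
6|Jun 18 2008|15:54:35|302014|10.31.200.43|10.18.0.1|Teardown TCP connection 5575355 for Inside:10.31.200.43/2935 to Inside:10.18.0.1/25 duration 0:00:05 bytes 0 TCP Reset-O
6|Jun 18 2008|15:54:29|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575355 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)
6|Jun 18 2008|15:54:28|106015|10.31.200.43|10.18.0.1|Deny TCP (no connection) from 10.31.200.43/2935 to 10.18.0.1/25 flags RST  on interface Inside
6|Jun 18 2008|15:54:26|302014|10.31.200.43|10.18.0.1|Teardown TCP connection 5575326 for Inside:10.31.200.43/2935 to Inside:10.18.0.1/25 duration 0:00:00 bytes 0 TCP Reset-O
6|Jun 18 2008|15:54:26|302013|10.31.200.43|10.18.0.1|Built inbound TCP connection 5575326 for Inside:10.31.200.43/2935 (10.31.200.43/2935) to Inside:10.18.0.1/25 (10.18.0.1/25)
6|Jun 18 2008|15:54:12|302014|10.31.200.43|198.51.100.9|Teardown TCP connection 5575300 for Inside:10.31.200.43/2900 to Outside:198.51.100.9/80 duration 0:00:02 bytes 4096 TCP FINs
6|Jun 18 2008|15:54:10|302013|10.31.200.43|198.51.100.9|Built outbound TCP connection 5575300 for Inside:10.31.200.43/2900 (10.31.200.43/2900) to Outside:198.51.100.9/80 (198.51.100.9/80)
"""

BUILT = re.compile(r"Built \w+ TCP connection (\d+) for (\w+):(\S+) \S+ to (\w+):(\S+)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for (\w+):(\S+) to (\w+):(\S+) "
                      r"duration (\S+) bytes (\d+) (.*)$")
DENY_RST = re.compile(r"Deny TCP \(no connection\) from (\S+) to (\S+) flags RST")

def find_asymmetric_resets(log_text):
    """Pair 302013/302014 by connection id and report flows torn down by
    'TCP Reset-O' with zero bytes, the signature in the post.  Each finding notes
    whether both ends were on one interface (hairpin via the VPN box) and how many
    106015 'no connection' RSTs the ASA saw for the same source/destination."""
    built, torn, orphan_rst = {}, {}, defaultdict(int)
    for line in log_text.splitlines():
        if line.count("|") < 6:
            continue                      # not an ASDM-format line
        _sev, _date, _time, msg_id, _src, _dst, text = line.split("|", 6)
        if msg_id == "302013" and (m := BUILT.search(text)):
            built[m.group(1)] = m.groups()[1:]
        elif msg_id == "302014" and (m := TEARDOWN.search(text)):
            torn[m.group(1)] = m.groups()[1:]
        elif msg_id == "106015" and (m := DENY_RST.search(text)):
            orphan_rst[(m.group(1), m.group(2))] += 1
    findings = []
    for conn, (in_if, src, out_if, dst, duration, nbytes, reason) in sorted(torn.items()):
        if reason != "TCP Reset-O" or int(nbytes) != 0:
            continue                      # normal close, or data actually flowed
        findings.append({"conn": conn, "src": src, "dst": dst, "duration": duration,
                         "hairpin": in_if == out_if, "seen_built": conn in built,
                         "orphan_rst": orphan_rst[(src, dst)]})
    return findings

if __name__ == "__main__":
    for f in find_asymmetric_resets(SAMPLE_LOG):
        print(f)
```

A flow reported with hairpin true, zero bytes and an orphan RST for the same address pair is consistent with the return path bypassing the ASA, which is the point the replies raise.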

2 REPLIES
New Member

Re: Cisco ASA 5520: Static Route to internal VPN Gateway, TCP Re

hello,

Does the VPN concentrator route all traffic destined for the network 10.31.0.0 255.255.255.0 back to the ASA?

Regards

New Member

Re: Cisco ASA 5520: Static Route to internal VPN Gateway, TCP Re

Hello,

The VPN concentrator should route all traffic destined for the network 10.31.0.0/16 to the ASA, for stateful inspection needs.

I think that your problem is related to that fact.

Regards
