Cisco Support Community

Deny TCP (no connection) syn ack when source host is remote

Cisco ASA 5510, ASA 8.0(4), ASDM 6.1(5), with inside, outside, and DMZ interfaces.  An inside host is dynamically NATted to the outside to browse.  I've added an inside router with 2 ethernet interfaces, to work with subnetting the inside network.  A host on the remote subnet can ping a host on the outside, but trying to browse to the outside, as INSIDE HOST does, gets an error: "Deny TCP (no connection) from outside-host/80 to inside-host/port flags SYN ACK on interface inside".  In the drawing my remote host, a router away from the ASA firewall, can PING the Public HOST.  Public Host sees the ASA Public IP because dynamic NAT is applied.  Remote Host has default gateway  Router has IP ROUTE  ASA has IP ROUTE  INSIDE HOST browses out successfully.

I did packet traces.  INSIDE HOST trace has SYN packet Inside Host to Destination; SYN ACK packet Destination to Inside Host; ACK packet Inside Host to Destination.  REMOTE HOST trace shows only SYN, ACK packets from Destination to Remote Host - no SYN packet.  I can't understand how the SYN, ACK from Destination shows up without the SYN packet first! 

          PUBLIC HOST (nnn.nnn.nnn.nnn)
              |
              | outside
              | public IP (nnn.nnn.nnn.nnn)
DMZ ---- ASA Firewall
              | private IP
              | inside (
              |
              |------------------------ INSIDE HOST (
              |
          Router
              | inside (
              | remote (
              |
          REMOTE HOST (
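As an added example (not part of the original post), the script below parses ASA "Deny TCP (no connection)" syslog lines of the form quoted above and counts unsolicited SYN ACKs per inside host, which is how a defender would confirm from the firewall log which clients' outbound SYNs the ASA never tracked. The sample log lines, addresses and function names are constructed for this example.

```python
import re
from collections import Counter

# Pattern for the ASA "Deny TCP (no connection)" message quoted in the post
# (syslog ID 106015 on ASA); \s+ tolerates the double space real logs carry
# before "on interface".
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)

# Constructed sample lines (documentation address ranges, not the poster's).
SAMPLE_LOGS = """\
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 10.1.2.50/49152 flags SYN ACK  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 10.1.2.50/49153 flags SYN ACK  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 10.1.1.20/50000 flags ACK  on interface inside
%ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.10/80 to inside:10.1.1.20/50001
"""

def parse_denials(text):
    """Return one dict per 106015 line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["flags"] = frozenset(ev["flags"].split())  # e.g. {"SYN", "ACK"}
            events.append(ev)
    return events

def unsolicited_synack_by_host(text):
    """Count SYN ACK denials per (destination host, interface).

    A SYN ACK the ASA drops for lack of a connection entry is a server reply
    to a SYN the ASA never built a conn for: the signature of asymmetric
    routing or a missing route back to a subnet behind an inside router.
    """
    counts = Counter()
    for ev in parse_denials(text):
        if {"SYN", "ACK"} <= ev["flags"]:
            counts[(ev["dst"], ev["ifc"])] += 1
    return dict(counts)

def suspect_hosts(text, min_count=2):
    """Inside hosts with repeated unsolicited SYN ACKs, most affected first."""
    counts = unsolicited_synack_by_host(text)
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])
    return [host for (host, _ifc), n in ranked if n >= min_count]
```

Feed it the output of `show logging` (or a syslog export) and compare the listed hosts against the subnets reachable only via the inside router to confirm whether the missing connection entries line up with that path.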
