Deny TCP (no connection) syn ack when source host is remote
Cisco ASA 5510, ASA 8.0(4), ASDM 6.1(5), with inside, outside, and DMZ interfaces. An inside host is dynamically NATted to the outside to browse. I've added an inside router with 2 Ethernet interfaces, to work with subnetting the inside network.

A host on the remote subnet can ping a host on the outside, but trying to browse to the outside, as INSIDE HOST does, gets the error "Deny TCP (no connection) from outside-host/80 to inside-host/port flags SYN ACK on interface inside".

In the drawing, my remote host, a router away from the ASA firewall, can PING the Public HOST. Public Host sees the ASA Public IP because dynamic NAT is applied. Remote Host has default gateway 10.7.1.1. Router has IP ROUTE 0.0.0.0 0.0.0.0 10.1.1.2. ASA has IP ROUTE 10.7.0.0 10.1.1.1. INSIDE HOST browses out successfully.
I did packet traces. INSIDE HOST trace has SYN packet Inside Host to Destination; SYN ACK packet Destination to Inside Host; ACK packet Inside Host to Destination. REMOTE HOST trace shows only SYN, ACK packets from Destination to Remote Host - no SYN packet. I can't understand how the SYN, ACK from Destination shows up without the SYN packet first!
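The following is an added example, not part of the original post or any Cisco code. It models the stateful check behind the ASA message quoted above (a SYN ACK is only accepted when a matching SYN was already seen on the firewall, otherwise it is dropped as "no connection") and parses that syslog message body into its fields. The packet traces, host addresses (10.1.1.10 for the inside host, 10.7.1.10 for the remote host, 203.0.113.10 for the destination) and ports are constructed to match the two traces described in the question; the real ASA keeps far more state, this only reproduces the handshake-ordering decision.

```python
"""Minimal model of a stateful firewall's TCP handshake check.

Added illustration (not the original post's material and not ASA code):
reproduces the decision behind the ASA message
"Deny TCP (no connection) ... flags SYN ACK": a SYN ACK is allowed only
if a SYN for the same connection was seen first.  Addresses and traces
below are constructed to mirror the topology in the question.
"""
import re

# Matches the body of the ASA message quoted in the post, e.g.
# "Deny TCP (no connection) from 203.0.113.10/80 to 10.1.1.10/51234
#  flags SYN ACK on interface inside"
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst>[^/\s]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)"
)


def parse_deny(line):
    """Return the fields of a 'Deny TCP (no connection)' message, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    d["flags"] = set(d["flags"].split())
    return d


class ConnTable:
    """Connection table keyed on the client-side 4-tuple (client, cport, server, sport)."""

    def __init__(self):
        self.conns = {}
        self.denied = []  # messages in the ASA's wording, for inspection

    def process(self, pkt):
        """pkt = (src, sport, dst, dport, flags); returns 'allow' or 'deny'."""
        src, sport, dst, dport, flags = pkt
        flags = set(flags.split())
        fwd = (src, sport, dst, dport)   # client -> server direction
        rev = (dst, dport, src, sport)   # server -> client direction
        if flags == {"SYN"}:
            # A bare SYN opens a new entry; this is the only way to create one.
            self.conns[fwd] = "SYN_SENT"
            return "allow"
        if flags == {"SYN", "ACK"}:
            if self.conns.get(rev) == "SYN_SENT":
                self.conns[rev] = "SYN_RCVD"
                return "allow"
            # No SYN was ever seen for this connection: the ASA's case.
            self.denied.append(
                f"Deny TCP (no connection) from {src}/{sport} to {dst}/{dport} flags SYN ACK"
            )
            return "deny"
        if flags == {"ACK"} and self.conns.get(fwd) == "SYN_RCVD":
            self.conns[fwd] = "ESTABLISHED"
            return "allow"
        if fwd in self.conns or rev in self.conns:
            return "allow"  # data on a known connection
        self.denied.append(
            f"Deny TCP (no connection) from {src}/{sport} to {dst}/{dport} flags {' '.join(sorted(flags))}"
        )
        return "deny"


# Constructed traces mirroring the two captures described in the post.
INSIDE_TRACE = [
    ("10.1.1.10", 51234, "203.0.113.10", 80, "SYN"),
    ("203.0.113.10", 80, "10.1.1.10", 51234, "SYN ACK"),
    ("10.1.1.10", 51234, "203.0.113.10", 80, "ACK"),
]
# The remote-host capture showed the SYN ACK but never the SYN.
REMOTE_TRACE = [
    ("203.0.113.10", 80, "10.7.1.10", 51235, "SYN ACK"),
]


def run(trace):
    """Feed a trace through a fresh connection table; return per-packet verdicts."""
    table = ConnTable()
    return [table.process(p) for p in trace]


if __name__ == "__main__":
    print("inside host:", run(INSIDE_TRACE))   # all three packets allowed
    print("remote host:", run(REMOTE_TRACE))   # the lone SYN ACK is denied
    print(parse_deny("Deny TCP (no connection) from 203.0.113.10/80 "
                     "to 10.7.1.10/51235 flags SYN ACK on interface inside"))
```

The model makes the practical point explicit: a SYN ACK is not something a stateful firewall can admit on its own, so when it appears in a capture without the SYN that should precede it, the SYN took a path the firewall did not see or did not record, and that is the leg to trace next.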