
New Member

Inside Network access DMZ Host

Hi;

I have an ASA 5510 on my network, with 3 networks (inside, outside, dmz).

When a DMZ host accesses an inside host, it works OK, but when an inside host tries to access the DMZ host, the following message is displayed in the log:

Deny TCP (no connection) from hid-dmz/25 to hid-iwss/44674 flags SYN ACK on interface dmz

The static NAT:

static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (inside,dmz) 10.40.4.0 10.40.4.0 netmask 255.255.255.0

where:

172.16.1.0/24: DMZ Network

10.40.4.0/24: Inside Network

6 REPLIES
Green

Re: Inside Network access DMZ Host

You shouldn't need this...

no static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

New Member

Re: Inside Network access DMZ Host

Even after removing this, the problem continues...

All ACLs are set to permit traffic...

New Member

Re: Inside Network access DMZ Host

Hi Dear,

I doubt very much that the problem is the NAT translation; the error message says "no connection", which means the TCP SYN and SYN/ACK reply are going different paths, so the firewall will drop that reply. But to make sure the problem is not in the NAT translation, use this command:

no nat-control

and remove both static NAT commands.

If you can post the configuration of your firewall it will be very helpful.

let me know the results.

B.regards.
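As an added illustration of the point in this reply (not code from the thread or from Cisco): the ASA only drops a SYN/ACK as "no connection" when it never built state for the matching SYN, so pulling those messages out of syslog and counting them per server shows which return paths are bypassing the firewall. The parser below assumes the exact message text quoted in the question; the sample lines other than the first are constructed.

```python
import re
from collections import Counter

# Matches the ASA "Deny TCP (no connection)" text quoted in the thread.
# Endpoints may be object names (hid-dmz) or dotted IPs, printed as <host>/<port>.
LOG_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\w.\-]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.\-]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>[\w\-]+)"
)

def parse_no_connection(line):
    """Return a dict for a 'Deny TCP (no connection)' line, or None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = rec["flags"].split()
    return rec

def is_orphan_syn_ack(rec):
    """A dropped SYN/ACK is a server reply whose client SYN the ASA never saw:
    the two handshake directions took different paths (or the entry timed out)."""
    return set(rec["flags"]) == {"SYN", "ACK"}

def asymmetric_servers(lines):
    """Count orphan SYN/ACK drops per (interface, server, server_port)."""
    hits = Counter()
    for line in lines:
        rec = parse_no_connection(line)
        if rec and is_orphan_syn_ack(rec):
            hits[(rec["iface"], rec["src"], rec["sport"])] += 1
    return hits

# Constructed sample: the thread's message plus invented lines of the same shape.
SAMPLE_LOG = [
    "Deny TCP (no connection) from hid-dmz/25 to hid-iwss/44674 flags SYN ACK on interface dmz",
    "Deny TCP (no connection) from hid-dmz/25 to hid-iwss/44675 flags SYN ACK on interface dmz",
    "Deny TCP (no connection) from 172.16.1.20/443 to 10.40.4.15/50123 flags SYN ACK on interface dmz",
    "Deny TCP (no connection) from 10.40.4.15/50123 to 172.16.1.20/443 flags RST on interface inside",
    "Built outbound TCP connection 12345 for dmz:172.16.1.20/443 to inside:10.40.4.15/50124",
]

if __name__ == "__main__":
    for (iface, srv, port), n in asymmetric_servers(SAMPLE_LOG).most_common():
        print(f"{srv}:{port} on {iface} -> {n} orphan SYN/ACK drop(s)")
```

A server that shows up here repeatedly is one whose replies reach the ASA without the preceding SYN having crossed it, which is what to check routing for before touching NAT.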

New Member

Re: Inside Network access DMZ Host

If I remove the static NAT, the log displays "no translation"... With "no nat-control", the problem continues...

See the config in the attachment...

New Member

Re: Inside Network access DMZ Host

What is the gateway of your users in the inside network? Is it 10.40.4.1?

New Member

Re: Inside Network access DMZ Host

Yes, it is 10.40.4.1...
