Hi guys trying to figure this out but it seems that im hitting a wall.
Inbound TCP connection denied from 126.96.36.199/80 to 192.168.2.1/4659 flags SYN ACK on interface Inside
two internal network 192.168.1.0 and 192.168.2.1
The 192.168.1. network works fine and able to connect to internet with no issue. I have a NAT entry of NAT (inside) 1 0.0.0.0 0.0.0.0 thats translated to the outside interface.
I also have a static route to our cisco catalyst 4000 switch with layer 3 routing. Routing works inside the network.
I also tested this config in our ASA 5505 applinace and it works with no problem. So basically any request from the 2 network is being dropped by the firewall.
Not sure if im missing something, its a very simple config and should've have problem. any inputs is highly appreciated.
Could you post the topology.
I think that this issue is due to a problem with the 3 way handshake. But I need to understand a little better the current topology.
Its very basic actually.
I have a dmz on the firewall for vpn concentrator.
You said 2 internal networks?
192.168.1.0 and 192.168.2.1
Is one in your inside and the another one behind the router/switch ????
Maybe anti-spoofing? If the firewall is directly connected to the 192.168.1.0/24 subnet, do you have a route pointing the 192.168.2.0/24 network to the internal router via the inside interface?
the problem is that 192.168.2.0 network is not able to connect to the internet.
I do have the static route in the inside interface pointing to the internal router for routing. no anti-spoofing just the firewall. i do have a anti-spyware box in between but all it does is pass traffic.
Can you sanitize and then post the config? IMHO, it still looks like something is bouncing the response packet going back to the 2.1 address via the firewall from the internal network. Can you run a capture as well and then post the *.pcap?
I know you've said that routing is functioning on the internal network, but I still think there's something that's pushing traffic destined for the 2.x network to the firewall.
You said that you have some kind of anti-spyware device sitting between the firewall and the internal network - is that an L2 or L3 device? If L3, does it have routes to the 2.x network pointing in the right direction?
From my (admittedly limited) analysis of the capture, the conversations are running something like this:
1) The client initiates an outbound tcp/80 request through the firewall to the web server (SYN)
2) The server responds and sends back a SYN/ACK to the client, which the firewall is passing on to the internal network
3) The firewall then receives that same SYN/ACK response packet against it's internal interface.
I'm thinking that something along the return path does not have a route to the 2.x network and is possibly following your site's default route to the firewall. So when the firewall hands the packet to the internal network destined for the 2.x based client, something in the path is bouncing it right back to the firewall.
I could be wrong, but could you check the routes on all the devices along the path?
that what i thought so too. Although i have a small network with the same setup and it seems to work using the static route in the inside interface. I will do more testing.
The anti-spyware is basically a PC with two NIC for to pass traffic. It shouldnt be filtering any IP but I would double check it just to make sure.
I tested my vpn from the outside to test the static route to teh 192.168.2.0 network and its working fine. I can ping servers in both network. I. still puzzled as to why it doesnt work as the nat (inside) 1 0.0.0.0 0.0.0.0 should take care of everything. Still doing research.