I have seen this a lot with routers and PIXs. Traffic with a source port of port 80 and destination of a dynamic port is denied on the outside interface.
The traffic is from legitimate web servers that users are browsing through the NATed inspected interface. The websites appear to be working fine though. It does produce a lot of denies in my MARS logging though.
Is this normal or do I have a config problem? Is there something up with the web server not returning traffic correctly?
I'm seeing something similar on ASAs with 7.2(4): very, very busy logging because of connections that are "denied" usually related to the regular traffic.
The best explanation I have so far (I'm still researching) is that the client connections (or server, for that matter) are being closed with TCP Resets from one side and any traffic from the other side gets immediately denied as the PIX/ASA clears the state table for that connection.
I would start by taking a look at a couple of things:
1. Do you see the connection being built as the initial SYN comes through? If so, what interfaces is the connection built between?
2. What do the syslogs show as a deny reason? If you see the packet being denied due to "no connection", do the interfaces involved match the ones that you saw when the connection was built?
Oftentimes, this behavior will be caused by asymmetric routing/alternate paths to the Internet in your network. As an example, the initial SYN of the TCP connection may find its way out to the Internet through a path other than the firewall. The web server will still receive this SYN and respond with a SYN-ACK as expected. However, when this SYN-ACK hits the outside interface of the ASA, the ASA will drop the traffic because it never saw the initial SYN and it believes that the SYN-ACK is unsolicited.
Take a look at the syslogs that show if the initial connection is being built and also the logs that show the reason why the return traffic is being denied. Also, packet captures will be useful in figuring out exactly how the packets are flowing through your network.
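One way to run the two checks above against the firewall's own syslog, added here as an example that is not part of the thread: it correlates each "Deny TCP (no connection)" line with the build and teardown messages for the same flow and labels the likely cause. The sample log lines are constructed (documentation-range addresses), and the 302013/302014/106015 message layouts are assumed to follow the ASA syslog format.

```python
import re

# Constructed sample ASA syslog lines (assumption: not from the thread; documentation-range IPs).
# Flow 1001 is torn down by a reset and a late ACK arrives; the SYN-ACK from 203.0.113.20 has no
# preceding build (the firewall never saw the SYN); flow 1003 is open on "outside" but returns on "dmz".
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.5/51000 (192.0.2.1/51000)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:10.1.1.5/51000 duration 0:00:05 bytes 2048 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.0.2.1/51000 flags ACK on interface outside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.20/80 to 192.0.2.1/51001 flags SYN ACK on interface outside
%ASA-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.1.1.7/51003 (192.0.2.1/51003)
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.9/80 to 192.0.2.1/51003 flags ACK on interface dmz
"""

BUILT = re.compile(r"302013: Built \w+ TCP connection (\d+) for (\w+):([\d.]+)/(\d+) \(\S+\) to \w+:\S+ \(([\d.]+)/(\d+)\)")
TEARDOWN = re.compile(r"302014: Teardown TCP connection (\d+) for .* bytes \d+ (.+)$")
DENY = re.compile(r"106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) flags (.+?) on interface (\w+)")

def classify_denies(log_text):
    """Correlate each 106015 deny with the 302013 build and 302014 teardown of the same flow.
    Flow key: (server ip, server port, mapped client ip, mapped client port); the deny reports
    the NATed client address, so the build's mapped tuple is used. Returns (flow, flags, verdict)."""
    flows, torn, verdicts = {}, {}, []
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            cid, iface, sip, sport, mip, mport = m.groups()
            flows[(sip, sport, mip, mport)] = (cid, iface)
        elif m := TEARDOWN.search(line):
            torn[m.group(1)] = m.group(2)
        elif m := DENY.search(line):
            sip, sport, dip, dport, flags, iface = m.groups()
            hit = flows.get((sip, sport, dip, dport))
            if hit is None and flags == "SYN ACK":
                verdict = "asymmetric-routing-suspect"   # SYN-ACK, but no SYN ever built state here
            elif hit is None:
                verdict = "never-built"                  # no state at all: unsolicited or outside log window
            elif hit[0] in torn:
                verdict = f"stale-after-teardown ({torn[hit[0]]})"  # state cleared, late segment denied
            elif hit[1] != iface:
                verdict = "interface-mismatch"           # built on one interface, returning on another
            else:
                verdict = "open-connection-deny"         # needs captures on both sides to explain
            verdicts.append((f"{sip}/{sport}->{dip}/{dport}", flags, verdict))
    return verdicts

if __name__ == "__main__":
    for flow, flags, verdict in classify_denies(SAMPLE_LOG):
        print(f"{flow:36} {flags:8} {verdict}")
```

A run of "asymmetric-routing-suspect" verdicts from many different web servers points at the routing path rather than at any one server; "stale-after-teardown" denies are the reset/FIN case and are harmless noise.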
It looks like the logs show your connection being torn down due to normal TCP FINs. I would recommend getting packet captures on both sides of the firewall to see exactly what the connection looks like.