
New Member

TCP denied

Hi,

I need two computers (on different VLANs), both pointing to the FW, to connect via specific TCP ports.

I'm getting this syslog message.

106015 Deny TCP (no connection) from 192.168.167.64/1433 to 192.168.167.80/1796 flag SYN ACK on internal interface.

Should I add an ACL on the internal interface, and how?

Thanks.

9 REPLIES

Re: TCP denied

Errrm from your post - the traffic is from a device to another device on the same network?

New Member

Re: TCP denied

On another network.

The devices are on different switches and different VLANs, but all traffic is routed to the internal interface of the FW.

Re: TCP denied

OK - just one question: what is device "192.168.165.61"?

Taken from your firewall config:-

"route internal-interface 192.168.167.0 255.255.255.0 192.168.165.61"

New Member

Re: TCP denied

OK,

because 192.168.165.0 is the internal network, and there is another network on another switch, which I connected with a crossover cable, and so I configured on that third switch an interface from VLAN 1 with this 192.168.165.61 IP, so that the internal network knows how to reach the 192.168.167.0 network.

Re: TCP denied

OK - here's the thing: what you have done makes no sense. You have multiple layer 3 interfaces on multiple switches; the routing will not be correct or best practice.

What device is handling the vlan to vlan IP routing?

New Member

Re: TCP denied

I attach the switches' config.

IP routing is enabled on all switches, and ping is OK from hosts on VLAN 30 to hosts on VLAN 1, but there are issues like the TCP ports that I don't understand.

That's why I said that if the FW is denying the TCP connection, I guess I should allow it somehow.

I just need a host on the 192.168.165.0 network to connect via specific TCP ports to another host on the 192.168.167.0 network.

Re: TCP denied

From your configs - all switches are effectively routers and switches. I can see no order, i.e. core, distribution, access switch.

I find it quite surprising that the firewall is seeing a TCP request from 2 machines on VLAN 30 - as they are in the same broadcast domain and do not need to go through a layer 3 device.

The fact that you have 3 layer 3 interfaces and the firewall interface that are routable means there should be no connectivity issues.

I personally think you should re-think your design.

New Member

Re: TCP denied

The machines are on different VLANs, 1 and 30.

One has 192.168.167.80,

the other 192.168.165.64.

Re: TCP denied

Ahh yes - OK here is the quick and dirty fix:-

In the ASA remove the route:-

route internal-interface 192.168.167.0 255.255.255.0 192.168.165.61

replace with:-

route internal-interface 192.168.167.0 255.255.255.0 192.168.165.10

In NS1 add:-

ip route 192.168.167.0 255.255.255.0 192.168.165.61

In NS2 add:-

ip route 192.168.167.0 255.255.255.0 192.168.165.61

But I strongly suggest you change your topology, as right now you have 3 routers with no logical routing process between them, and poor design.
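As an added example (not from the thread or from Cisco), a small Python parser for the 106015 message quoted in the question that flags the symptom discussed here: a SYN ACK denied with "no connection" means the ASA never saw the client's SYN, so the forward path must have bypassed the firewall, which is what the multi-router layout above produces. The sample log lines are constructed (the second reproduces the OP's message; the others follow the documented ASA message format).

```python
import re
from collections import Counter

# ASA message 106015. Accepts the documented form ("flags SYN ACK on interface X")
# and the wording quoted in the thread ("flag SYN ACK on X interface").
PATTERN = re.compile(
    r"(?:%ASA-\d-)?106015:?\s+Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags? (?P<flags>[A-Z ]+?) on (?:interface (?P<if_a>\S+)|(?P<if_b>\S+) interface)"
)

def parse_106015(line):
    """Return the message fields as a dict, or None if the line is not a 106015."""
    m = PATTERN.search(line)
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"].split(),
        "iface": m["if_a"] or m["if_b"],
    }

def looks_like_asymmetric_return(rec):
    """SYN ACK denied with 'no connection' means the ASA never saw the client's SYN:
    the forward path bypassed the firewall, as in the thread's multi-router layout."""
    return rec is not None and "SYN" in rec["flags"] and "ACK" in rec["flags"]

def summarise(lines):
    """Count suspected asymmetric flows per (server, server port, client, interface)."""
    counts = Counter()
    for line in lines:
        rec = parse_106015(line)
        if looks_like_asymmetric_return(rec):
            counts[(rec["src"], rec["sport"], rec["dst"], rec["iface"])] += 1
    return counts

# Constructed sample log: the second line reproduces the message quoted in the question.
SAMPLE_LOG = [
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.167.64/1433 to 192.168.167.80/1796 flags SYN ACK on interface internal",
    "106015 Deny TCP (no connection) from 192.168.167.64/1433 to 192.168.167.80/1796 flag SYN ACK on internal interface.",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.0.5/50000 to 192.168.165.20/443 flags RST on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:10.0.0.5/50000 to inside:192.168.165.20/443",
]

if __name__ == "__main__":
    for key, n in summarise(SAMPLE_LOG).items():
        print(f"{n}x SYN ACK from {key[0]}:{key[1]} to {key[2]} on {key[3]}: check routing symmetry")
```

A server port (1433 here) appearing as the source of a denied SYN ACK is the tell: the reply is reaching the firewall, but the request never did.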
