TCP traffic from client with different gateway denied by ASA 5510

support_cisco
Level 1
Level 1

Hi All,

A subnet connects a router, some workstations and the inside interface of an ASA 5510 through a Cisco 2950 switch.

The router is connected to remote sites. The default gateway of the workstations is pointing to the router. And on the router, there is on route pointing to ASA 5510.

Normally, network traffic from a workstation to a remote site should follow this path:

workstation -> router -> remote site.

However, this traffic is being blocked by the ASA 5510, making our network traffic to the remote site impossible.

We have seen many

Deny TCP Connection xx in the log of ASA 5510.

I would like to know how the network traffic is being routed to the ASA 5510, since the devices are connected by a switch and all the traffic is unicast.

And how does the ASA 5510 deny those connections?

Thanks!!

BR,

Jeff

5 Replies

support_cisco
Level 1
Level 1

Sorry, my typo,

There is no route pointing to ASA 5510

zubairjalal
Level 1
Level 1

Where is the ASA placed in your network? Also, the deny TCP messages that you see, are they related to the traffic that is supposed to go to the remote site? Are the ASA and the router interface on the same subnet?

Possibly you can paste some deny TCP logs that you see and then we will try our best.

regards

Zubair

The ASA's inside interface is directly connected to the network.

The denied TCP traffic is from a workstation in the same network as the inside interface of the ASA.

Yes, the ASA's inside interface and the router interface are on the same subnet.

Thanks!!

BR,

Jeff

Hi,

By default, PIX/ASAs do proxy ARP on their interfaces. Try disabling proxy ARP on your inside interface:

sysopt noproxyarp inside

Refer to this document for further information:

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008073ad68.html#wp1542397

Good luck.

Glen

bdube
Level 2
Level 2

Hi Jeff,

Is the ASA connecting your network to the Internet?

If yes, we can suppose there is a route somewhere pointing to the ASA. If it's not within the workstations, it's probably within the router. If that's the case, and for any unknown reason the router doesn't know the packet destination, it will forward it to its own default gateway (the ASA). If the router's default gateway is the ASA, then it will transfer the packet to it, and it will advertise the new route to the sending workstation by sending a unicast ICMP redirect.

You understand that more information about how to reach the ASA is essential to a good understanding of your net behavior.

Regards,

Ben
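An added check, not from any poster in this thread, for the "paste some deny TCP logs" step: it parses ASA deny lines and reports the flows that entered the inside interface from an inside workstation yet were bound for a remote-site subnet, i.e. traffic that should have gone to the router and never reached the ASA. The log lines are constructed samples modelled on the ASA 106001 message format; the inside and remote-site prefixes are assumed values.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the ASA syslog 106001 format (assumption:
# "Inbound TCP connection denied from SRC/PORT to DST/PORT flags ... on interface NAME").
SAMPLE_LOG = """\
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.25/51234 to 10.50.1.10/445 flags SYN on interface inside
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.31/49876 to 10.60.2.7/3389 flags SYN on interface inside
%ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/40000 to 192.168.10.5/22 flags SYN on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.25/51300 to 198.51.100.20/443 flags SYN on interface inside
"""

DENY_RE = re.compile(
    r"TCP connection denied from (\S+)/(\d+) to (\S+)/(\d+) .*on interface (\w+)"
)


def misrouted_denies(log_text, inside_net, remote_nets):
    """Return (src, dst, dport) for denies seen on 'inside' whose source is an inside
    host and whose destination is a remote-site prefix that the router should serve.
    Internet-bound denies (e.g. to 198.51.100.20) are not reported: those legitimately
    belong to the ASA's path and are a separate policy question."""
    inside = ipaddress.ip_network(inside_net)
    remotes = [ipaddress.ip_network(n) for n in remote_nets]
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a TCP deny line; ignore
        src, _sport, dst, dport, iface = m.groups()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if iface == "inside" and src_ip in inside and any(dst_ip in r for r in remotes):
            hits.append((src, dst, int(dport)))
    return hits


def count_by_source(hits):
    """How many misrouted flows each inside workstation generated."""
    counts = {}
    for src, _dst, _dport in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed prefixes: workstation LAN and two remote-site networks behind the router.
    found = misrouted_denies(SAMPLE_LOG, "192.168.10.0/24", ["10.50.0.0/16", "10.60.0.0/16"])
    for src, dst, dport in found:
        print(f"{src} -> {dst}:{dport} reached the ASA instead of the router")
    print(count_by_source(found))
```

If the report is non-empty while the router is the workstations' gateway, something on the segment (proxy ARP on the ASA, or a redirect) is answering for those remote prefixes, which is the condition the replies above describe.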
