12-04-2006 10:14 AM - edited 03-11-2019 02:04 AM
Hi All,
We have a subnet connecting a router, some workstations and the inside interface of an ASA 5510 through a Cisco 2950 switch.
The router is connected to remote sites. The default gateway of the workstations is pointing to the router. And on the router, there is on route pointing to ASA 5510.
Normally, network traffic from a workstation to a remote site should follow this path:
workstation -> router -> remote site.
However, that traffic is being blocked by the ASA 5510, making our network traffic to the remote sites impossible.
We have seen many "Deny TCP Connection xx" messages in the log of the ASA 5510.
I would like to know how the network traffic can be routed to the ASA 5510, since they are connected by a switch and all the traffic is unicast.
And how does the ASA 5510 deny those connections?
Thanks!!
BR,
Jeff
12-04-2006 10:15 AM
Sorry, my typo,
There is no route pointing to ASA 5510
12-04-2006 10:33 AM
Where is the ASA placed in your network? Also, the deny TCP messages that you see, are they related to the traffic that is supposed to go to the remote site? Are the ASA and the router interface on the same subnet?
Possibly you can paste some deny TCP logs that you see and then we will try our best.
regards
Zubair
12-04-2006 10:36 AM
The ASA's inside interface is directly connected to the network.
The denied TCP traffic is from the workstations in the same network as the inside interface of the ASA.
Yes, the ASA's inside interface and the router interface are on the same subnet.
Thanks!!
BR,
Jeff
12-04-2006 01:43 PM
Hi,
By default, PIX/ASAs do proxy ARP on their interfaces. Try disabling proxy ARP on your inside interface:
sysopt noproxyarp inside
Refer to this document for further information:
Good luck.
Glen
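The proxy ARP suggestion in the reply above can be checked from a workstation's ARP cache before changing the firewall. This is an added example, not part of the thread: it parses `arp -a` output and lists addresses, other than the firewall's own, that resolve to the firewall's MAC. The sample output, all addresses and the helper names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows-style `arp -a` output (all addresses made up).
# 192.168.1.1 stands in for the router, 192.168.1.254 for the ASA inside interface.
SAMPLE_ARP = """\
Interface: 192.168.1.50 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.254         00-aa-bb-cc-dd-fe     dynamic
  192.168.1.200         00-aa-bb-cc-dd-fe     dynamic
  192.168.1.201         00-AA-BB-CC-DD-FE     dynamic
  192.168.1.60          00-11-22-33-44-3c     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"           # IPv4 address
    r"((?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})"  # MAC with - or : separators
)

def parse_arp(text):
    """Return {normalized_mac: [ip, ...]} for unicast ARP cache entries."""
    mac_to_ips = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header or interface line
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        # Broadcast and IPv4 multicast entries say nothing about proxy ARP.
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        mac_to_ips[mac].append(ip)
    return dict(mac_to_ips)

def proxy_arp_suspects(text, firewall_ip):
    """Return (firewall_mac, other IPs answered with that same MAC)."""
    for mac, ips in parse_arp(text).items():
        if firewall_ip in ips:
            return mac, sorted(ip for ip in ips if ip != firewall_ip)
    return None, []  # firewall not in the cache; ping it first, then re-run

if __name__ == "__main__":
    mac, others = proxy_arp_suspects(SAMPLE_ARP, "192.168.1.254")
    print(f"firewall MAC {mac} also answers for: {others or 'nothing'}")
```

If the list is non-empty, the firewall is answering ARP for addresses that are not its own, and traffic to those addresses is delivered to it at layer 2 regardless of the workstation's default gateway.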
12-04-2006 01:50 PM
Hi Jeff,
Is the ASA connecting your network to the Internet?
If yes, we can suppose there is a route somewhere pointing to the ASA. If it's not within the workstations, it's probably within the router. If that's the case, and for any unknown reason, the router doesn't know the packet destination, it will forward it to its own default gateway (the ASA). If the router's default gateway is the ASA, then it will transfer the packet to it and it will advertise to the sending workstation the new route by sending a unicast ICMP redirect.
You understand that more information about how to reach the ASA is essential to a good understanding of your net behavior.
Regards,
Ben