My company recently purchased 35 ASA 5500 series devices to replace SonicWall firewalls. To make the Cisco deployment a painless one, I have decided to install a 5520 in parallel with the SonicWall at the corporate office. The Cisco will be given the address of everyone's default gateway. For those offices that currently have tunnels from their SonicWall to the SonicWall at corporate, there will be a static route in the ASA that will redirect the requests for those networks through the SonicWall. As the ASA devices come online and establish a tunnel with the ASA at corporate, we will remove the static routes that redirect those requests to the SonicWall one by one.
This scenario works great when I am pinging a remote computer, but when I try to browse to a remote computer I get the following error:
%PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.
The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
Am I going about this the wrong way, or is there a fix?
Sounds to me like you have created an asynchronous routing situation with your SonicWall being temporarily in parallel with your ASA. The ASA is telling you it does not see a conversation being established between hosts A and B, therefore it is not going to let B send packets into the network. The ASA needs to see the TCP handshake occur, so you need to be routing through your ASA. Hopefully that makes sense. Do not start the conversation by routing out through your SonicWall and letting the replies come back through the ASA tunnel.
What kinks that throws into your migration plan I don't know, but that's the issue at hand.
edit: for purposes of testing, you may want to use a couple of host routes so that just one device on each side is using the ASA only for communication. This will validate the tunnel is operating correctly and will avoid the asynchronous routing you are running up against currently.
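To make the mechanism behind the 106015 message and the answer above concrete, here is an added illustration (not code from the original thread and not Cisco's implementation): a toy model of the ASA's stateful TCP connection table. The hosts 10.1.0.20 (corporate) and 10.2.0.10 (remote office), the ports and the interface names are constructed for the example, and the model is deliberately simplified: it ignores ACLs and NAT, only tears connections down on RST, and tracks TCP only, which is consistent with the ping test in the question succeeding while the browse attempt is dropped.

```python
# Added illustration (not Cisco's code, not from the original post): a toy
# model of the stateful TCP connection table that makes the ASA emit
# %ASA-6-106015.  Addresses, ports and interface names are constructed.

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
FLAG_NAMES = ((SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"))


def flag_str(flags):
    """Render TCP flag bits the way the ASA prints them in syslog ("SYN ACK")."""
    return " ".join(name for bit, name in FLAG_NAMES if flags & bit)


class Packet:
    def __init__(self, src_ip, src_port, dst_ip, dst_port, flags, iface):
        self.src_ip, self.src_port = src_ip, src_port
        self.dst_ip, self.dst_port = dst_ip, dst_port
        self.flags, self.iface = flags, iface

    def conn_key(self):
        # Direction-agnostic key: the reply to a flow must match the same entry.
        return frozenset(((self.src_ip, self.src_port), (self.dst_ip, self.dst_port)))


class StatefulFirewall:
    """Minimal stand-in for the ASA connection table (TCP only; ACLs, NAT and
    FIN-based teardown are omitted)."""

    def __init__(self):
        self.conns = set()
        self.syslog = []

    def process(self, pkt):
        key = pkt.conn_key()
        if pkt.flags & SYN and not pkt.flags & ACK:
            # A bare SYN is a request to open a connection: build the entry.
            self.conns.add(key)
            return "permit"
        if key in self.conns:
            if pkt.flags & RST:
                self.conns.discard(key)   # RST tears the connection down
            return "permit"
        # Any non-SYN packet with no matching entry is what 106015 describes.
        self.syslog.append(
            f"%ASA-6-106015: Deny TCP (no connection) from "
            f"{pkt.src_ip}/{pkt.src_port} to {pkt.dst_ip}/{pkt.dst_port} "
            f"flags {flag_str(pkt.flags)} on interface {pkt.iface}."
        )
        return "deny"


# Constructed hosts: 10.1.0.20 at corporate, 10.2.0.10 at a remote office.
CORP, REMOTE = ("10.1.0.20", 51000), ("10.2.0.10", 80)


def symmetric_handshake(fw):
    """All three handshake packets traverse the ASA: everything is permitted."""
    return [fw.process(p) for p in (
        Packet(*CORP, *REMOTE, SYN, "inside"),
        Packet(*REMOTE, *CORP, SYN | ACK, "outside"),
        Packet(*CORP, *REMOTE, ACK, "inside"),
    )]


def asymmetric_reply(fw):
    """The SYN left through the SonicWall, so the ASA never saw it; the
    SYN/ACK returning over the ASA tunnel has no entry and is dropped."""
    return fw.process(Packet(*REMOTE, *CORP, SYN | ACK, "outside"))


if __name__ == "__main__":
    fw = StatefulFirewall()
    print("symmetric:", symmetric_handshake(fw))
    fw = StatefulFirewall()
    print("asymmetric:", asymmetric_reply(fw))
    print(fw.syslog[0])
```

Running the script shows the two cases side by side: when the SYN, SYN/ACK and ACK all pass through the firewall the table has an entry and every packet is permitted; when only the SYN/ACK arrives over the ASA tunnel there is no entry to match, so the packet is discarded and a 106015-style line is logged. That is exactly the asymmetry the answer describes, and the host-route test it suggests works because it forces both directions of one flow through the ASA.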