ASA Routing

My company recently purchased 35 ASA 5500 series devices to replace Sonicwall firewalls. To make the Cisco deployment a painless one, I have decided to install a 5520 in parallel with the Sonicwall at the corporate office. The Cisco will be given the address of everyone's default gateway. For those offices that currently have tunnels from their Sonicwall to the Sonicwall at corporate, there will be a static route in the ASA that will redirect the requests for those networks through the Sonicwall. As the ASA devices come online and establish a tunnel with the ASA at corporate, we will remove the static routes that redirect those requests to the Sonicwall one by one.

This scenario works great when I am pinging a remote computer, but when I try to browse to a remote computer I get the following error:

%PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.

The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.

Am I going about this the wrong way, or is there a fix?

2 REPLIES
New Member

Re: ASA Routing

Actually, you have permitted only ICMP packets. For browsing, you have to open the HTTP port. So, first open port 80 (http) and then try to access it.

It will work properly.

New Member

Re: ASA Routing

Sounds to me like you have created an asynchronous routing situation with your Sonicwall being temporarily in parallel with your ASA. The ASA is telling you it does not see a conversation being established between hosts A and B, therefore it is not going to let B send packets into the network. The ASA needs to see the TCP handshake occur, so you need to be routing through your ASA. Hopefully that makes sense. Do not start the conversation by routing out through your Sonicwall and letting the replies come back through the ASA tunnel.

What kinks that throws into your migration plan I don't know, but that's the issue at hand.

Edit: for purposes of testing, you may want to use a couple of host routes so that just one device on each side is using the ASA only for communication. This will validate that the tunnel is operating correctly and will avoid the asynchronous routing you are running up against currently.

Good luck.
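The two points made in this thread, the stateful check behind the 106015 message quoted in the question and the host-route test suggested in the second reply, as an added example that is not part of the original thread and not Cisco code. It is a toy model in Python: a connection table that passes a TCP packet only if it matches an existing entry or carries a bare SYN, a longest-prefix route lookup that decides whether a packet crosses the ASA or the Sonicwall tunnel, and a three-way handshake run through both. All addresses, ports and route tables are constructed for the demonstration, and only the corporate ASA is modelled as stateful; the Sonicwall tunnel is assumed to pass packets the ASA never sees.

```python
"""Toy model of the stateful check behind %ASA-6-106015 and of the host-route
test suggested in the second reply.  Added example for this thread; it is not
Cisco code and not the poster's configuration.  Every address, port and route
table below is constructed for the demonstration."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A"


@dataclass
class StatefulFirewall:
    """Stand-in for the ASA connection table: a TCP packet passes if it matches
    an existing entry, or if it carries SYN without ACK and so opens a new
    entry; anything else is logged as 106015 'Deny TCP (no connection)'."""
    connections: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # Direction-independent key, so the reply matches the entry made by the SYN.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def forward(self, p: Packet, interface: str) -> bool:
        key = self._key(p)
        if key in self.connections:
            return True
        if "S" in p.flags and "A" not in p.flags:
            self.connections.add(key)
            return True
        self.log.append(
            f"%ASA-6-106015: Deny TCP (no connection) from {p.src}/{p.sport} "
            f"to {p.dst}/{p.dport} flags {p.flags} on interface {interface}")
        return False


def next_hop(dst: str, routes: list) -> str:
    """Longest-prefix match over (network, next_hop) pairs; a /32 host route
    therefore wins over the /24 static route that points at the Sonicwall."""
    candidates = [(net, hop) for net, hop in routes if ip_address(dst) in net]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def tcp_handshake(client, server, corporate_routes, remote_routes):
    """Run SYN / SYN-ACK / ACK between client (corporate) and server (remote).
    The corporate route table decides the path of client->server packets, the
    remote route table the path of server->client packets.  Only the corporate
    ASA is modelled as stateful.  Returns (handshake_completed, asa_log)."""
    asa = StatefulFirewall()

    def send(p: Packet, routes: list, interface: str) -> bool:
        if next_hop(p.dst, routes) == "asa":
            return asa.forward(p, interface)
        return True  # Sonicwall tunnel: assumed to pass, outside the ASA's view

    syn = Packet(*client, *server, "S")
    synack = Packet(*server, *client, "SA")
    ack = Packet(*client, *server, "A")
    ok = (send(syn, corporate_routes, "inside")
          and send(synack, remote_routes, "outside")
          and send(ack, corporate_routes, "inside"))
    return ok, asa.log


# Constructed topology: corporate 10.1.1.0/24, remote office 10.2.2.0/24.
CLIENT = ("10.1.1.50", 51000)
SERVER = ("10.2.2.80", 80)

# Migration state as the second reply describes it: corporate still sends the
# remote network to the Sonicwall, but the remote office already replies via
# the ASA tunnel, so the ASA sees the SYN-ACK without ever seeing the SYN.
CORPORATE = [(ip_network("10.2.2.0/24"), "sonicwall")]
REMOTE = [(ip_network("10.1.1.0/24"), "asa")]

# The reply's test: a host route on each side so one pair of hosts uses the
# ASA tunnel in both directions (the remote one is redundant here, but the
# reply asks for one on each side and it keeps the test symmetric).
CORPORATE_TEST = CORPORATE + [(ip_network("10.2.2.80/32"), "asa")]
REMOTE_TEST = REMOTE + [(ip_network("10.1.1.50/32"), "asa")]


def migration_state():
    return tcp_handshake(CLIENT, SERVER, CORPORATE, REMOTE)


def host_route_test():
    return tcp_handshake(CLIENT, SERVER, CORPORATE_TEST, REMOTE_TEST)


if __name__ == "__main__":
    for name, (ok, log) in (("asymmetric", migration_state()),
                            ("host routes", host_route_test())):
        print(f"{name}: handshake {'completed' if ok else 'failed'}")
        for line in log:
            print("  " + line)
```

In the asymmetric case the only packet the ASA sees is the SYN-ACK arriving on outside, which is exactly the "flags SA ... no connection" deny the poster quoted; with the host routes in place the SYN, SYN-ACK and ACK all cross the ASA and the table entry created by the SYN admits the rest. Other remote hosts, such as 10.2.2.90 in this model, still take the Sonicwall route and are unaffected by the test.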
