ASA5510: deny tcp (no connection)... flags SYN ACK

Hello,

is it possible to allow traffic through an ASA5510 which was not 
initiated through this firewall but through another one?

Background: We are changing our external IP numbers but don't want to change
our internal default route (which points to an ASA5510, the 'old'
one). Our new VPN traffic comes in through the 'new' ASA, and the internal
client PC sends the reply to the 'old' ASA. There is a route which directs
this traffic to the new one. But: I get the error

(from inside the VPN: telnet internal_host 22, with the 'old' ASA as default gateway)

%ASA-6-106015: Deny TCP (no connection) from 192.168.XXX.XXX/22 to 
192.168.10.1/34625 flags SYN ACK  on interface inside


I would appreciate any help

Gerhard
Gerhard
8/4/2009 7:29:47 AM
comp.dcom.sys.cisco

2 Replies
9594 Views

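The 106015 message quoted above is the classic symptom of asymmetric routing: the firewall sees the server's SYN+ACK on its inside interface without ever having seen the client's SYN, so there is no connection entry to match it against. As an added example (not part of the original post), here is a small Python script that scans ASA syslog for exactly that pattern, grouped by the server side of the session. The sample lines are constructed to match the ones quoted in the thread, and the interface name `inside` is an assumption you may need to change.

```python
import re

# Constructed sample syslog, modelled on the lines quoted in the thread.
# Hosts and ports are the ones from the post; this is not captured traffic.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.162/22 to 192.168.10.1/34625 flags SYN ACK  on interface inside
%ASA-7-609002: Teardown local-host inside:192.168.1.162 duration 0:00:00
%ASA-7-609002: Teardown local-host inside:192.168.10.1 duration 0:00:00
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.162/22 to 192.168.10.1/34626 flags SYN ACK  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/443 to 192.168.1.40/51000 flags RST  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.40/51001 to 203.0.113.9/443 flags FIN ACK  on interface inside
"""

# Field layout of the 106015 message as it appears in the thread.
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)


def parse_denies(text):
    """Yield one dict per 106015 line; flags become a set such as {'SYN', 'ACK'}."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["flags"] = set(rec["flags"].split())
            yield rec


def asymmetric_candidates(text, inside_iface="inside"):
    """Group SYN+ACK denies seen on the inside interface by the server side of
    the session.  A SYN+ACK with no connection can only mean the client's SYN
    crossed some other path (or never existed at all); stray FIN/ACK or RST
    denies are deliberately ignored because they commonly follow an
    idle-timeout teardown and do not by themselves indicate a routing problem."""
    found = {}
    for rec in parse_denies(text):
        if rec["iface"] != inside_iface or rec["flags"] != {"SYN", "ACK"}:
            continue
        key = (rec["src"], int(rec["sport"]), rec["dst"])   # server, server port, client
        found.setdefault(key, []).append(int(rec["dport"]))
    return found


if __name__ == "__main__":
    for (server, port, client), client_ports in asymmetric_candidates(SAMPLE_LOG).items():
        print(f"server {server}:{port} answering {client}: {len(client_ports)} SYN+ACK dropped "
              f"(client ports {client_ports}); check which path {client}'s SYN takes")
```

The script is the check, not the fix: once you know which client addresses produce the pattern, the question becomes which firewall their SYNs actually enter through, and that is where the reply below goes.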

Can you elaborate more on what you are trying to accomplish?

Looks to me like you have two ASAs on your WAN connection.

Like this

(Default Gateway/Route) ASA #1-------outside 1.1.1.1 ------inside
192.168.1.1
(VPN) ASA #2-------outside 1.1.1.2 ------ inside 192.168.1.2

I assume ASA #1 is the default route/default gateway for the hosts
behind it to the internet and ASA #2 has VPNs that terminate on it

If you have a VPN with remote subnet 192.168.2.0/24 built to it you
can add a static route on the PCs to use the VPN ASA
(assuming Windows):
route add -p 192.168.2.0 mask 255.255.255.0 192.168.1.2

or use a router as your default gateway; its routing table would look
like this:

ip route 192.168.2.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.1

On Aug 4, 3:29 am, Gerhard Lehmann <g...@yahoo.com> wrote:
> Hello,
>
> is it possible to allow traffic through an ASA5510 which was not
> initiated through this firewall but through another one?
>
> Background: We change our external IP-Numbers but don't want to change
> our internal default route (which links to an ASA5510 (the 'old'
> one). Our new vpn-traffic comes from the 'new' ASA, and the internal
> client-pc sends it to the 'old' ASA. There is a route which directs
> this traffic to the new one. But: I get the error
>
> (within vpn telnet internal_host 22)
> 'old' ASA as default gateway
>
> %ASA-6-106015: Deny TCP (no connection) from 192.168.XXX.XXX/22 to
> 192.168.10.1/34625 flags SYN ACK  on interface inside
>
> I would appreciate any help
>
> Gerhard

jcle
8/4/2009 6:32:20 PM
Thank you for your answer!

A short ASCII diagram of the structure:

ext. Router---(old IP range 195.21.XXX.170)---outside---ASA_01---internal---192.168.1.130 (/24)

new ext. Router---(new IP range 91.215.XXX.4)---outside---ASA_02---internal---192.168.1.129 (/24)


The old IP range will be closed in the near future.
The default internal gateway is ASA_01, 192.168.1.130, for all our
client PCs.

VPN works through this ASA_01.

Now I am installing VPN on ASA_02 and would like to leave the old
gateway on the client PCs unchanged. So I thought:

VPN traffic from outside -> ASA_02 -> client PC, and back:
client PC -> ASA_01 (default gateway) -> ASA_02
(static route for the VPN address space)
-> new ext. Router -> Internet -> VPN endpoint


When I ping or telnet through the new VPN, I can see the
incoming traffic on the client-pc, but the return path
is blocked by the ASA_01 with the error:

%ASA-6-106015: Deny TCP (no connection) from 192.168.1.162/22 to
192.168.10.1/34625 flags SYN ACK  on interface inside
(192.168.10.1 is the VPN address)
%ASA-7-609002: Teardown local-host inside:192.168.1.162 duration 0:00:00
%ASA-7-609002: Teardown local-host inside:192.168.10.1 duration 0:00:00

I understand that the ASA blocks traffic which was not initiated through
it; that seems to be good behaviour for a firewall, but can I make an
exception for this route (ASA_01 -> ASA_02, 192.168.10.0/24)?


thanks again for any idea you have!

Gerhard

jcle wrote:
> Can you elaborate more on what you are trying to accomplish?
> 
> Looks to me like you have two ASAs on your WAN connection.
> 
> Like this
> 
> (Default Gateway/Route) ASA #1-------outside 1.1.1.1 ------inside
> 192.168.1.1
> (VPN) ASA #2-------outside 1.1.1.2 ------ inside 192.168.1.2
> 
> I assume ASA #1 is the default route/default gateway for the hosts
> behind it to the internet and ASA #2 has VPNs that terminate on it
> 
> If you have a VPN with remote subnet 192.168.2.0/24 built to it you
> can add a static route on the PCs to use the VPN ASA
> (assuming Windows):
> route add -p 192.168.2.0 mask 255.255.255.0 192.168.1.2

We would like to avoid setting a static route on every client PC;
it seems smarter to let the old ASA do the routing.


> 
> or use a router as your default gateway your routing table would look
> like this
> 
> ip route 192.168.2.0 255.255.255.0 192.168.1.2
> ip route 0.0.0.0 0.0.0.0 192.168.1.1
> 
> On Aug 4, 3:29 am, Gerhard Lehmann <g...@yahoo.com> wrote:
>> Hello,
>>
>> is it possible to allow traffic through an ASA5510 which was not
>> initiated through this firewall but through another one?
>>
>> Background: We change our external IP-Numbers but don't want to change
>> our internal default route (which links to an ASA5510 (the 'old'
>> one). Our new vpn-traffic comes from the 'new' ASA, and the internal
>> client-pc sends it to the 'old' ASA. There is a route which directs
>> this traffic to the new one. But: I get the error
>>
>> (within vpn telnet internal_host 22)
>> 'old' ASA as default gateway
>>
>> %ASA-6-106015: Deny TCP (no connection) from 192.168.XXX.XXX/22 to
>> 192.168.10.1/34625 flags SYN ACK  on interface inside
>>
>> I would appreciate any help
>>
>> Gerhard
> 
Gerhard
8/5/2009 8:44:49 AM
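The two posts above describe the same mechanism from both sides: ASA_02 builds a connection entry when the VPN client's SYN passes through it, but the host's default route hands the SYN+ACK to ASA_01, which has no entry and drops it. The following Python model is an added illustration of that and is not from the thread, from Cisco or from any real firewall code. It uses the thread's addresses (ASA_01 at 192.168.1.130, ASA_02 at 192.168.1.129, inside host 192.168.1.162 on port 22, VPN client 192.168.10.1) and replays the handshake twice: once with the host's routing table as it stands (default via ASA_01 only) and once with the static route jcle suggested added to it. The assumption that policy permits the inbound SYN is marked in the code.

```python
import ipaddress
from dataclasses import dataclass

FLAG_ORDER = ("SYN", "ACK", "PSH", "FIN", "RST")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

    def flag_str(self):
        # Print flags in the order the ASA log uses ("SYN ACK", not "ACK SYN").
        return " ".join(f for f in FLAG_ORDER if f in self.flags)


class StatefulFirewall:
    """Minimal model of a stateful firewall: a SYN that policy permits creates
    a connection entry; any other TCP segment is forwarded only if it matches
    an existing entry in either direction, otherwise it is denied and logged
    in the style of the ASA 106015 message quoted in the thread."""

    def __init__(self, name):
        self.name = name
        self.conns = set()   # (client, client port, server, server port) per open session
        self.log = []

    def forward(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == frozenset({"SYN"}):
            self.conns.add(fwd)          # assumption: policy permits this new session
            return True
        if fwd in self.conns or rev in self.conns:
            return True
        self.log.append(
            f"%ASA-6-106015: Deny TCP (no connection) from {pkt.src}/{pkt.sport} "
            f"to {pkt.dst}/{pkt.dport} flags {pkt.flag_str()} on interface inside"
        )
        return False


def next_hop(routes, dst):
    """Longest-prefix match over a host routing table given as (prefix, gateway)."""
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1]


ASA_01 = "192.168.1.130"   # old ASA, the hosts' default gateway
ASA_02 = "192.168.1.129"   # new ASA, where the VPN now terminates
SERVER = "192.168.1.162"   # inside host reached over the VPN (SSH, port 22)
VPN_CLIENT = "192.168.10.1"

# Host routing tables: default via ASA_01 only (the thread's situation), and the
# same table with the static route jcle suggested (route add -p 192.168.10.0 ...).
DEFAULT_ONLY = [("0.0.0.0/0", ASA_01)]
WITH_VPN_ROUTE = [("0.0.0.0/0", ASA_01), ("192.168.10.0/24", ASA_02)]


def run_session(host_routes):
    """Replay the handshake: the VPN client's SYN always enters through ASA_02;
    the server's SYN+ACK goes wherever the host's routing table sends it.
    Returns (name of the firewall that saw the SYN+ACK, forwarded?, its log)."""
    firewalls = {ASA_01: StatefulFirewall("ASA_01"), ASA_02: StatefulFirewall("ASA_02")}
    syn = Packet(VPN_CLIENT, 34625, SERVER, 22, frozenset({"SYN"}))
    firewalls[ASA_02].forward(syn)                 # connection entry now exists on ASA_02 only
    synack = Packet(SERVER, 22, VPN_CLIENT, 34625, frozenset({"SYN", "ACK"}))
    gw = firewalls[next_hop(host_routes, synack.dst)]
    return gw.name, gw.forward(synack), list(gw.log)


if __name__ == "__main__":
    for label, table in (("default gateway only", DEFAULT_ONLY), ("with VPN route", WITH_VPN_ROUTE)):
        name, ok, log = run_session(table)
        print(f"{label}: SYN+ACK reached {name}, forwarded={ok}")
        for line in log:
            print("   ", line)
```

The model also shows why the static route on ASA_01 in Gerhard's plan cannot help on its own: the no-connection check fires when the SYN+ACK enters ASA_01's inside interface, before any route toward ASA_02 is consulted, so the reply has to reach ASA_02 without passing through ASA_01's inspection at all. That is what the per-host route or a router as default gateway achieves. ASA software from 8.2 onward can also exempt matched flows from the connection check (TCP state bypass), but that discards stateful inspection for those flows and is not something the thread discusses.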
