Question

TCP & ICMP NO CONNECTION THROUGH THE ASA 8.0(4)16 FIREWALL

Asked by: Andres2007

Hi,
First, sorry for my poor English.
I have a connectivity problem in my intranet area.

From host 10.1.27.10:
I cannot ping one interface of the ASA, 10.1.127.4, but I can telnet to it.
I cannot ping 10.1.127.20 or 10.1.127.21.
I cannot telnet to 10.1.127.20 or 10.1.127.21.
I can ping and telnet to 10.1.127.51, 52, 53 and 54 as well.

Please, what should I do so that ping and telnet always work to all interfaces outside the ASA?
I need telnet and ping to 10.1.127.48/28 (I can do that from 10.1.27.4 as well).
I need telnet and ping to 10.1.127.4 (I can only telnet from 10.1.27.4).
I need telnet and ping to 10.1.127.16/28 (I can't reach anything in this network from 10.1.27.4).

So I need to ping and telnet anywhere outside the ASA: any traffic that enters the ASA on any interface may return to the origin host through a different interface than the first one.



This is the config:
 
Result of the command: "sh run"
 
: Saved
:
ASA Version 8.0(4)16 
!
hostname ESCFWLA
 
 
names
!
interface GigabitEthernet0/0
 description Conexion a Internet
 shutdown
 nameif Conex_Internet_V279
 security-level 0
 ip address 10.1.127.97 255.255.255.240 standby 10.1.127.98 
!
interface GigabitEthernet0/1
 nameif Interconex_Firewall_Nokia_V1270
 security-level 100
 ip address 10.1.127.4 255.255.255.240 standby 10.1.127.5 
!
interface GigabitEthernet0/2
 description Trunk vlan 1271/1272/1273  (Vpn_ clara y cifrada, gestion_gateways)
 nameif Trk_v1271_v1272_v1273
 security-level 50
 no ip address
!
interface GigabitEthernet0/2.1
 description Conexión con la vlan clara. ESCGWCONMA 1/0/4
 vlan 1271
 nameif vlan_clara
 security-level 50
 ip address 10.1.127.17 255.255.255.240 standby 10.1.127.18 
!
interface GigabitEthernet0/2.2
 description Conexión con la vlan cifrada. ESCGWCONMA 1/0/10
 vlan 1272
 nameif vlan_cifrada
 security-level 50
 ip address 10.1.127.33 255.255.255.240 standby 10.1.127.34 
!
interface GigabitEthernet0/2.3
 description VLAN de Gestion para C3845
 vlan 1273
 nameif gestion_gateways
 security-level 50
 ip address 10.1.127.49 255.255.255.240 standby 10.1.127.50 
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 description Solo para gestion
 nameif management
 security-level 100
 ip address 10.1.127.68 255.255.255.240 standby 10.1.127.69 
!
boot system disk0:/asa804-16-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
 
object-group network Cluster_Network_NO_Management
 description Todas las redes del Cluster ASA excepto la Gestion
 network-object 10.1.127.0 255.255.255.240
 network-object 10.1.127.16 255.255.255.240
 network-object 10.1.127.32 255.255.255.240
 network-object 10.1.127.48 255.255.255.240
 network-object 10.1.127.96 255.255.255.240
 
access-list Interconex_Firewall_Nokia_V1270_access_in extended permit ip any any 
access-list vlan_clara_access_in extended permit ip any any 
access-list vlan_cifrada_access_in extended permit ip any any 
access-list Trk_v1271_v1272_v1273_access_in extended permit ip any any 
access-list gestion_gateways_access_in extended permit ip any any 
access-list management_access_out extended permit ip any any 
access-list Interconex_Firewall_Nokia_V1270_access_out extended permit ip any any 
access-list management_access_in extended permit ip any any 
access-list management_access_in_1 extended permit ip any any 
access-list Interconex_Firewall_Nokia_V1270_access_in_1 extended permit ip any any 
access-list management_access_in_2 extended permit ip any any 
access-list Interconex_Firewall_Nokia_V1270_access_in_2 extended permit ip any any 
access-list management_access_in_3 extended permit ip any any 
access-list gestion_gateways_access_out extended permit ip any any 
pager lines 24
logging enable
logging timestamp
logging standby
logging console informational
logging monitor informational
logging buffered emergencies
logging trap informational
logging history informational
logging asdm informational
logging mail informational
mtu Conex_Internet_V279 1500
mtu Interconex_Firewall_Nokia_V1270 1500
mtu Trk_v1271_v1272_v1273 1500
mtu vlan_clara 1500
mtu vlan_cifrada 1500
mtu gestion_gateways 1500
mtu management 1500
 
ip verify reverse-path interface Conex_Internet_V279
ip verify reverse-path interface vlan_clara
ip verify reverse-path interface vlan_cifrada
 
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.1.127.81 255.255.255.248 standby 10.1.127.82
no monitor-interface Conex_Internet_V279
monitor-interface vlan_clara
monitor-interface vlan_cifrada
monitor-interface gestion_gateways
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (gestion_gateways) 1 interface
access-group Interconex_Firewall_Nokia_V1270_access_in_2 in interface Interconex_Firewall_Nokia_V1270
access-group Interconex_Firewall_Nokia_V1270_access_out out interface Interconex_Firewall_Nokia_V1270
access-group Trk_v1271_v1272_v1273_access_in in interface Trk_v1271_v1272_v1273
access-group vlan_clara_access_in in interface vlan_clara
access-group vlan_cifrada_access_in in interface vlan_cifrada
access-group gestion_gateways_access_in in interface gestion_gateways
access-group gestion_gateways_access_out out interface gestion_gateways
access-group management_access_in_3 in interface management
access-group management_access_out out interface management
route Interconex_Firewall_Nokia_V1270 10.0.0.0 255.0.0.0 10.1.127.1 1
route management 10.1.27.10 255.255.255.255 10.1.127.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS protocol tacacs+
 accounting-mode simultaneous
 max-failed-attempts 5
aaa-server ACS (Interconex_Firewall_Nokia_V1270) host 10.1.27.11
 key qwerty
aaa authentication enable console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
 
http server enable
http 10.1.27.9 255.255.255.255 management
http 10.1.27.10 255.255.255.255 management
http 10.1.27.0 255.255.255.192 management
snmp-server host Interconex_Firewall_Nokia_V1270 10.1.30.3 community pagina version 2c
snmp-server host Interconex_Firewall_Nokia_V1270 10.1.30.45 community pagina version 2c
snmp-server location SSCC
snmp-server contact CGR
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
auth-prompt prompt CISCO ASA 5540 
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 Interconex_Firewall_Nokia_V1270
telnet 10.1.27.9 255.255.255.255 management
telnet 10.1.27.10 255.255.255.255 management
telnet 10.1.27.0 255.255.255.192 management
telnet timeout 5
ssh 10.1.27.10 255.255.255.255 management
ssh 10.1.27.9 255.255.255.255 management
ssh 10.1.27.0 255.255.255.192 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
 
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:7791611eaf7fbe1943c881a5f6166439
: end
 
 
When I ping from 10.1.27.10 to 10.1.127.20:
6|Jan 28 2009|12:41:40|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:40|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:36|302020|10.1.127.20|0|10.1.27.10|512|Built inbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:36|302020|10.1.27.10|512|10.1.127.20|0|Built outbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:35|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:35|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:34|110002|10.1.27.6|1027|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.6/1027 to 128.8.10.90/53
6|Jan 28 2009|12:41:31|302010|||||17 in use, 122 most used
6|Jan 28 2009|12:41:31|302020|10.1.127.20|0|10.1.27.10|512|Built inbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:31|302020|10.1.27.10|512|10.1.127.20|0|Built outbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:30|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:30|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:26|302020|10.1.127.20|0|10.1.27.10|512|Built inbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:26|302020|10.1.27.10|512|10.1.127.20|0|Built outbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:23|110002|10.1.27.7|3659|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.7/3659 to 172.27.48.51/53
6|Jan 28 2009|12:41:12|110002|10.1.27.6|1027|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.6/1027 to 202.12.27.33/53
6|Jan 28 2009|12:41:11|302015|10.1.127.54|161|10.1.30.3|62674|Built outbound UDP connection 20675 for gestion_gateways:10.1.127.54/161 (10.1.127.54/161) to Interconex_Firewall_Nokia_V1270:10.1.30.3/62674 (10.1.30.3/62674)
 
When I telnet from 10.1.27.10 to 10.1.127.20:
6|Jan 28 2009|12:42:09|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:08|110002|10.1.27.6|1027|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.6/1027 to 192.5.5.241/53
6|Jan 28 2009|12:42:06|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags SYN ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:03|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:02|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags SYN ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:00|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags SYN ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:00|302013|10.1.127.20|23|10.1.27.10|1675|Built outbound TCP connection 20684 for vlan_clara:10.1.127.20/23 (10.1.127.20/23) to Interconex_Firewall_Nokia_V1270:10.1.27.10/1675 (10.1.27.10/1675)
6|Jan 28 2009|12:41:57|110002|10.1.27.7|3659|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.7/3659 to 172.27.48.51/53
 
Please, can anybody help me?

                                  
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:

Select allOpen in new window


Asked On: 2009-01-28 at 04:08:21 (ID 24090369)
Topic: Cisco PIX Firewall
Participating Experts: 1
Points: 125
Comments: 4


Answers

 

by: asavener, posted on 2009-01-28 at 05:54:22 (ID: 23486390)

Check your routes on the hosts, and your VLAN configuration.

These lines:  

Jan 28 2009|12:42:09|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags ACK  on interface gestion_gateways
Jan 28 2009|12:42:06|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags SYN ACK  on interface gestion_gateways


They show that the ASA is only seeing one side of the session. It did not see the SYN packet from 10.1.27.10, but the SYN ACK and ACK back from 10.1.127.20 are going through the ASA. Since the ASA did not see the initial SYN, it is blocking the other traffic because it is not stateful.
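The correlation this answer does by eye can be automated over the pipe-delimited ASDM log export shown in the question. What follows is an added example, not code from the thread or from Cisco: a 302013 line records the pair of interfaces between which the ASA built the TCP connection (in the excerpt above, vlan_clara and Interconex_Firewall_Nokia_V1270), and a 106015 "Deny TCP (no connection)" for the same 4-tuple arriving on a third interface (gestion_gateways) is the signature of a return path that re-enters the ASA where it holds no connection. The sample lines are copied from the question; the field layout assumed for the export (severity|date|time|msgid|src|sport|dst|dport|text), the regular expressions and the function names are this example's own.

```python
"""Flag TCP flows whose return traffic hits the ASA on an interface the
connection was not built between (asymmetric path through the firewall).

Added example for the thread above; parses the ASDM log-export layout
    sev|date|time|msgid|src|sport|dst|dport|text
and correlates message 302013 (Built ... TCP connection) with message
106015 (Deny TCP (no connection)) per 4-tuple.
"""
import re
from collections import defaultdict

# Constructed sample: the telnet lines posted in the question (10.1.27.10 -> 10.1.127.20:23).
SAMPLE_LOG = """\
6|Jan 28 2009|12:42:09|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:06|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags SYN ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:00|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags SYN ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:00|302013|10.1.127.20|23|10.1.27.10|1675|Built outbound TCP connection 20684 for vlan_clara:10.1.127.20/23 (10.1.127.20/23) to Interconex_Firewall_Nokia_V1270:10.1.27.10/1675 (10.1.27.10/1675)
6|Jan 28 2009|12:41:57|110002|10.1.27.7|3659|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.7/3659 to 172.27.48.51/53
"""

# 302013: "Built outbound TCP connection N for IF1:ip/port (ip/port) to IF2:ip/port (ip/port)"
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection \d+ for "
    r"(?P<if1>\S+):(?P<ip1>[\d.]+)/(?P<p1>\d+) \([\d.]+/\d+\) to "
    r"(?P<if2>\S+):(?P<ip2>[\d.]+)/(?P<p2>\d+) \([\d.]+/\d+\)"
)
# 106015: "Deny TCP (no connection) from ip/port to ip/port flags F  on interface IF"
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<ip1>[\d.]+)/(?P<p1>\d+) to "
    r"(?P<ip2>[\d.]+)/(?P<p2>\d+) flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)"
)


def flow_key(ip1, p1, ip2, p2):
    """Direction-independent key for a TCP 4-tuple, so both sides of a flow match."""
    a, b = (ip1, int(p1)), (ip2, int(p2))
    return (a, b) if a <= b else (b, a)


def parse_line(line):
    """Split one export line into its nine fields; None for lines that do not fit."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9:
        return None
    sev, date, time_, msgid, src, sport, dst, dport, text = parts
    return {"msgid": msgid, "time": f"{date} {time_}", "src": src, "dst": dst, "text": text}


def find_asymmetric_flows(log_text):
    """Return {flow_key: {"built_between": (ifA, ifB), "denied_on": {iface: [flags, ...]}}}
    for each flow where a no-connection deny arrived on an interface other than
    the two the connection was built between."""
    built = {}                                        # flow -> (ingress, egress) interfaces
    denied = defaultdict(lambda: defaultdict(list))   # flow -> iface -> TCP flags seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"] == "302013":
            m = BUILT_RE.search(rec["text"])
            if m:
                built[flow_key(m["ip1"], m["p1"], m["ip2"], m["p2"])] = (m["if1"], m["if2"])
        elif rec["msgid"] == "106015":
            m = DENY_RE.search(rec["text"])
            if m:
                key = flow_key(m["ip1"], m["p1"], m["ip2"], m["p2"])
                denied[key][m["iface"]].append(m["flags"].strip())
    findings = {}
    for key, per_iface in denied.items():
        if key not in built:
            continue   # deny without a matching build: a different problem (ACL, no SYN at all)
        offending = {i: f for i, f in per_iface.items() if i not in built[key]}
        if offending:
            findings[key] = {"built_between": built[key], "denied_on": offending}
    return findings


def report(log_text):
    """One human-readable line per asymmetric flow/interface pair."""
    lines = []
    for (a, b), info in find_asymmetric_flows(log_text).items():
        ifs = " <-> ".join(info["built_between"])
        for iface, flags in info["denied_on"].items():
            lines.append(
                f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} built {ifs}; "
                f"{len(flags)} reply packet(s) ({', '.join(sorted(set(flags)))}) "
                f"hit {iface} with no matching connection"
            )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the question's excerpt it reports the single telnet flow, built between vlan_clara and Interconex_Firewall_Nokia_V1270, with three reply packets (SYN ACK, ACK) arriving on gestion_gateways. A deny with no preceding 302013 for the same flow is deliberately not reported, since that would point at an ACL or a SYN the ASA never saw rather than at a third-interface return path.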

 

by: Andres2007, posted on 2009-01-28 at 06:56:16 (ID: 23487065)

Hi,
the routes, as far as I know, are fine. This is the way:
In the routers there are two static routes:
10.1.27.10 / 24  DG: 10.1.127.49

In the ASA there is a static route:
10.1.27.10 / 24 DG: 10.1.127.65

So when I ping 10.1.127.20 (a router interface), my traffic from 10.1.27.10 goes to the ASA interface IP 10.1.127.4 and goes out through the ASA interface IP 10.1.127.17. The return traffic enters the ASA through 10.1.127.49 (because of the static route in the routers) and goes out of the ASA through the interface 10.1.127.68.

The question is whether it is possible to force the ASA so that:
Traffic enters through interface 1
Traffic leaves the ASA through interface 2
Traffic returns to the ASA through interface 3
Traffic finally leaves the ASA through interface 4.

Is this possible?


 
 

 

by: asavener, posted on 2009-01-28 at 09:30:04 (ID: 23488882)

"The question is whether it is possible to force the ASA so that:
Traffic enters through interface 1
Traffic leaves the ASA through interface 2
Traffic returns to the ASA through interface 3
Traffic finally leaves the ASA through interface 4."

No.

 

by: Andres2007, posted on 2009-01-29 at 09:05:55 (ID: 23499706)

Thanks for your answer. I really can't move traffic in the ASA, but I have read in the release notes for ASA Version 8.0(4) that there are several TCP Normalization Enhancements:

***
You can now configure TCP normalization actions for certain packet types. Previously, the default actions for these kinds of packets were to drop the packet. Now you can set the TCP normalizer to allow the packets.
- TCP invalid ACK check (the invalid-ack command)
- TCP packet sequence past window check (the seq-past-window command)
- TCP SYN-ACK with data check (the synack-data command)
***

So when I try to telnet from 10.1.30.203 to 10.1.127.51 (which is directly connected to the ASA), I get these logs:

6|Jan 29 2009|17:18:32|106015|10.1.127.51|23|10.1.30.203|1069|Deny TCP (no connection) from 10.1.127.51/23 to 10.1.30.203/1069 flags SYN ACK  on interface vlan_clara
6|Jan 29 2009|17:18:29|110002|10.1.27.7|2890|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.7/2890 to 172.27.48.51/53
6|Jan 29 2009|17:18:27|106015|10.1.127.51|23|10.1.30.203|1069|Deny TCP (no connection) from 10.1.127.51/23 to 10.1.30.203/1069 flags ACK  on interface vlan_clara
6|Jan 29 2009|17:18:24|106015|10.1.127.51|23|10.1.30.203|1069|Deny TCP (no connection) from 10.1.127.51/23 to 10.1.30.203/1069 flags SYN ACK  on interface vlan_clara
6|Jan 29 2009|17:18:21|302021|10.1.127.20|0|10.1.127.2|0|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.127.2/0 laddr 10.1.127.2/0
6|Jan 29 2009|17:18:21|302020|10.1.127.2|0|10.1.127.20|0|Built outbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.127.2/0 laddr 10.1.127.2/0
6|Jan 29 2009|17:18:21|106015|10.1.127.51|23|10.1.30.203|1069|Deny TCP (no connection) from 10.1.127.51/23 to 10.1.30.203/1069 flags ACK  on interface vlan_clara
6|Jan 29 2009|17:18:20|106015|10.1.127.51|23|10.1.30.203|1069|Deny TCP (no connection) from 10.1.127.51/23 to 10.1.30.203/1069 flags SYN ACK  on interface vlan_clara
6|Jan 29 2009|17:18:18|106015|10.1.127.51|23|10.1.30.203|1069|Deny TCP (no connection) from 10.1.127.51/23 to 10.1.30.203/1069 flags SYN ACK  on interface vlan_clara
6|Jan 29 2009|17:18:18|302013|10.1.127.51|23|10.1.30.203|1069|Built outbound TCP connection 38699 for gestion_gateways:10.1.127.51/23 (10.1.127.51/23) to Interconex_Firewall_Nokia_V1270:10.1.30.203/1069 (10.1.30.203/1069)
6|Jan 29 2009|17:18:18|110002|10.1.27.5|1029|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.5/1029 to 193.0.14.129/53

BUT I HAVE DISABLED ANTI-SPOOFING FOR ALL INTERFACES. Why can traffic that leaves the ASA through one interface not return through another?

From 10.1.30.203:
Enters the ASA on interface A
Leaves the ASA on interface B
Returns to the ASA on interface C
Finally leaves the ASA on interface A

ASA Version 8.0(4)16 
!
hostname ESCFWLA
 
names
!
interface GigabitEthernet0/0
 description Conexion a Internet
 shutdown
 nameif Conex_Internet_V279
 security-level 0
 ip address 10.1.127.97 255.255.255.240 standby 10.1.127.98 
!
interface GigabitEthernet0/1
 nameif Interconex_Firewall_Nokia_V1270
 security-level 100
 ip address 10.1.127.4 255.255.255.240 standby 10.1.127.5 
!
interface GigabitEthernet0/2
 description Trunk vlan 1271/1272/1273  (Vpn_ clara y cifrada, gestion_gateways)
 nameif Trk_v1271_v1272_v1273
 security-level 50
 no ip address
!
interface GigabitEthernet0/2.1
 description Conexión con la vlan clara. ESCGWCONMA 1/0/4
 vlan 1271
 nameif vlan_clara
 security-level 50
 ip address 10.1.127.17 255.255.255.240 standby 10.1.127.18 
!
interface GigabitEthernet0/2.2
 description Conexión con la vlan cifrada. ESCGWCONMA 1/0/10
 vlan 1272
 nameif vlan_cifrada
 security-level 50
 ip address 10.1.127.33 255.255.255.240 standby 10.1.127.34 
!
interface GigabitEthernet0/2.3
 description VLAN de Gestion para C3845
 vlan 1273
 nameif gestion_gateways
 security-level 50
 ip address 10.1.127.49 255.255.255.240 standby 10.1.127.50 
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 description Solo para gestion
 nameif management
 security-level 100
 ip address 10.1.127.68 255.255.255.240 standby 10.1.127.69 
!
boot system disk0:/asa804-16-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Cluster_Network_NO_Management
 description Todas las redes del Cluster ASA excepto la Gestion
 network-object 10.1.127.0 255.255.255.240
 network-object 10.1.127.16 255.255.255.240
 network-object 10.1.127.32 255.255.255.240
 network-object 10.1.127.48 255.255.255.240
 network-object 10.1.127.96 255.255.255.240
access-list Interconex_Firewall_Nokia_V1270_access_in extended permit ip any any 
access-list vlan_clara_access_in extended permit ip any any 
access-list vlan_cifrada_access_in extended permit ip any any 
access-list Trk_v1271_v1272_v1273_access_in extended permit ip any any 
access-list gestion_gateways_access_in extended permit ip any any 
access-list management_access_out extended permit ip any any 
access-list Interconex_Firewall_Nokia_V1270_access_out extended permit ip any any 
access-list management_access_in extended permit ip any any 
access-list management_access_in_1 extended permit ip any any 
access-list Interconex_Firewall_Nokia_V1270_access_in_1 extended permit ip any any 
access-list management_access_in_2 extended permit ip any any 
access-list Interconex_Firewall_Nokia_V1270_access_in_2 extended permit ip any any 
access-list management_access_in_3 extended permit ip any any 
access-list gestion_gateways_access_out extended permit ip any any 
pager lines 24
logging enable
logging timestamp
logging standby
logging console informational
logging monitor informational
logging buffered emergencies
logging trap informational
logging history informational
logging asdm informational
logging mail informational
mtu Conex_Internet_V279 1500
mtu Interconex_Firewall_Nokia_V1270 1500
mtu Trk_v1271_v1272_v1273 1500
mtu vlan_clara 1500
mtu vlan_cifrada 1500
mtu gestion_gateways 1500
mtu management 1500
 
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.1.127.81 255.255.255.248 standby 10.1.127.82
no monitor-interface Conex_Internet_V279
monitor-interface vlan_clara
monitor-interface vlan_cifrada
monitor-interface gestion_gateways
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (gestion_gateways) 1 interface
access-group Interconex_Firewall_Nokia_V1270_access_in_2 in interface Interconex_Firewall_Nokia_V1270
access-group Interconex_Firewall_Nokia_V1270_access_out out interface Interconex_Firewall_Nokia_V1270
access-group Trk_v1271_v1272_v1273_access_in in interface Trk_v1271_v1272_v1273
access-group vlan_clara_access_in in interface vlan_clara
access-group vlan_cifrada_access_in in interface vlan_cifrada
access-group gestion_gateways_access_in in interface gestion_gateways
access-group gestion_gateways_access_out out interface gestion_gateways
access-group management_access_in_3 in interface management
access-group management_access_out out interface management
route Interconex_Firewall_Nokia_V1270 10.0.0.0 255.0.0.0 10.1.127.1 1
route management 10.1.27.10 255.255.255.255 10.1.127.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS protocol tacacs+
 accounting-mode simultaneous
 max-failed-attempts 5
aaa-server ACS (Interconex_Firewall_Nokia_V1270) host 10.1.27.11
 key qwerty
aaa authentication enable console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
http server enable
http 10.1.27.9 255.255.255.255 management
http 10.1.27.10 255.255.255.255 management
http 10.1.27.0 255.255.255.192 management
snmp-server host Interconex_Firewall_Nokia_V1270 10.1.30.3 community pagina version 2c
snmp-server host Interconex_Firewall_Nokia_V1270 10.1.30.45 community pagina version 2c
snmp-server location SSCC
snmp-server contact CGR
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
auth-prompt prompt CISCO ASA 5540 
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 Interconex_Firewall_Nokia_V1270
telnet 10.1.27.9 255.255.255.255 management
telnet 10.1.27.10 255.255.255.255 management
telnet 10.1.27.0 255.255.255.192 management
telnet timeout 5
ssh 10.1.27.10 255.255.255.255 management
ssh 10.1.27.9 255.255.255.255 management
ssh 10.1.27.0 255.255.255.192 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
 
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:1f2c03596ad92fbe8dded8668770c768
: end
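What decides whether a ping or telnet that enters this firewall on one interface can come back from another is visible in the dump above: ACLs bound in both directions on most interfaces (`access-group ... in` and `... out`), the implicit security-level rule on interfaces with no inbound list, and `inspect icmp` in `global_policy`. The Python below is an added example for this thread (not the poster's tooling and not a Cisco utility): it parses a constructed excerpt that mirrors lines of the posted config, lists the ACLs a new flow between two named interfaces must pass, and flags the management-plane weaknesses the dump shows (telnet to the firewall from any source on the inside interface, a TACACS key and an SNMP v2c community readable in `sh run`). The `security-level 50` on `gestion_gateways` is an assumption, since that interface block is cut off on the page.

```python
# Parse an ASA 8.x "show run" excerpt: which filters a NEW flow between two
# interfaces must pass, plus weak management-plane settings. Added example
# for this thread; not the poster's config or a Cisco tool.
from collections import defaultdict

# Constructed excerpt mirroring lines of the posted config. The gestion_gateways
# security-level is an assumption: that interface block is cut off on the page.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Conex_Internet_V279
 security-level 0
!
interface GigabitEthernet0/1
 nameif Interconex_Firewall_Nokia_V1270
 security-level 100
!
interface GigabitEthernet0/2.3
 nameif gestion_gateways
 security-level 50
!
access-group Interconex_Firewall_Nokia_V1270_access_in_2 in interface Interconex_Firewall_Nokia_V1270
access-group Interconex_Firewall_Nokia_V1270_access_out out interface Interconex_Firewall_Nokia_V1270
access-group gestion_gateways_access_in in interface gestion_gateways
access-group gestion_gateways_access_out out interface gestion_gateways
access-group management_access_in_3 in interface management
aaa-server ACS (Interconex_Firewall_Nokia_V1270) host 10.1.27.11
 key qwerty
snmp-server host Interconex_Firewall_Nokia_V1270 10.1.30.3 community pagina version 2c
telnet 0.0.0.0 0.0.0.0 Interconex_Firewall_Nokia_V1270
telnet 10.1.27.10 255.255.255.255 management
ssh 10.1.27.10 255.255.255.255 management
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
"""


def parse_asa_config(text):
    cfg = {"interfaces": {}, "access_groups": defaultdict(dict), "inspections": set(),
           "mgmt_access": [], "plaintext_keys": [], "snmp_v2c_hosts": []}
    block = nameif = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            block = None                                   # '!' ends a sub-mode
            continue
        tok = line.split()
        if not line.startswith(" "):                       # top-level command
            block, nameif = tok[0], None
            if block == "access-group" and len(tok) == 5:  # <acl> in|out interface <nameif>
                cfg["access_groups"][tok[4]][tok[2]] = tok[1]
            elif block in ("telnet", "ssh") and len(tok) == 4:  # <proto> <ip> <mask> <nameif>
                cfg["mgmt_access"].append(tuple(tok))
            elif block == "snmp-server" and tok[1] == "host" and "2c" in tok:
                cfg["snmp_v2c_hosts"].append(tok[3])
            continue
        if block == "interface":                           # sub-mode lines
            if tok[0] == "nameif":
                nameif = tok[1]
                cfg["interfaces"].setdefault(nameif, None)
            elif tok[0] == "security-level" and nameif:
                cfg["interfaces"][nameif] = int(tok[1])
        elif block == "policy-map" and tok[0] == "inspect":
            cfg["inspections"].add(tok[1])
        elif block == "aaa-server" and tok[0] == "key":
            cfg["plaintext_keys"].append(tok[1])
    return cfg


def acls_on_path(cfg, ingress, egress):
    """Filters a NEW connection must pass entering on `ingress`, leaving on `egress`.
    Replies to an established (or icmp-inspected) flow match the connection
    table instead and are not run through these lists again."""
    steps = []
    g_in, g_out = cfg["access_groups"].get(ingress, {}), cfg["access_groups"].get(egress, {})
    if "in" in g_in:
        steps.append(("acl", ingress, "in", g_in["in"]))
    else:  # no inbound ACL: implicit rule allows only higher -> lower security-level
        sec_in, sec_out = cfg["interfaces"].get(ingress), cfg["interfaces"].get(egress)
        allowed = sec_in is not None and sec_out is not None and sec_in > sec_out
        steps.append(("implicit", ingress, "in", "permit" if allowed else "deny"))
    if "out" in g_out:
        steps.append(("acl", egress, "out", g_out["out"]))
    return steps


def audit(cfg):
    """Flag the settings a reviewer of this config would raise first."""
    f = []
    if "icmp" in cfg["inspections"]:
        f.append("icmp inspection on: echo replies return on the request's connection entry")
    else:
        f.append("icmp inspection off: echo replies need an explicit permit where they arrive")
    for proto, ip, mask, nameif in cfg["mgmt_access"]:
        if ip == mask == "0.0.0.0":
            f.append(f"{proto} to the firewall from any source on {nameif}; restrict to admin hosts")
        if proto == "telnet":
            f.append(f"cleartext telnet management enabled on {nameif}; prefer ssh")
    f += [f"aaa-server key readable in the running config ({len(k)} chars)" for k in cfg["plaintext_keys"]]
    f += [f"SNMP v2c to {h}: community string sent in clear" for h in cfg["snmp_v2c_hosts"]]
    return f


if __name__ == "__main__":
    print(*audit(parse_asa_config(SAMPLE_CONFIG)), sep="\n")
```

`acls_on_path` returns both lists because the ASA evaluates the inbound ACL on the entry interface and the outbound ACL on the exit interface for every new connection, while the reply to an established TCP flow or to an inspected echo request is matched by the connection table. For the symptom in the question (telnet passes where ping fails between the same pair of interfaces) the set of lists to inspect is therefore the same for both; the difference has to be in those lists' entries, which the page does not show.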

                                              