Cisco ASA 5505 - Inside to Inside help

Posted on 2009-04-01
Last Modified: 2012-05-06
Greetings all!

I have a 5505 on  I need to access other switches and routers at our remote offices on networks and  When I try this from my machine, I get:

"Inbound TCP connection denied from to flags SYN  on interface inside"

Either this won't work because of the inherent ASA routing security, or I need some NAT entries (or something else). Any advice would be appreciated! Thank you.

Results of "sh run":

ASA Version 8.0(4)23

hostname ciscoasa
domain-name priority.local

interface Vlan1
 nameif inside
 security-level 100
 ip address 

interface Vlan2
 nameif outside
 security-level 0
 ip address 

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

boot system disk0:/currentsoftware/asa804-23-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name priority.local
pager lines 24
logging enable
logging timestamp
logging trap critical
logging asdm informational
logging host inside
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/currentsoftware/asdm-61557.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
route outside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
telnet timeout 5
ssh inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address
threat-detection scanning-threat shun except ip-address
threat-detection scanning-threat shun except ip-address
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source outside prefer

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context
: end

Question by:knoxlogic

Expert Comment

ID: 24039921
You need to set the hosts' default gateway to and then make sure the router has a default route via the ASA.

You can enable same interface traffic, but you are still going to have an issue with TCP connections.

Author Comment

ID: 24042102
I'm not sure I can do this, as is set up as our MPLS router, via our LEC. We/I don't manage that.

Accepted Solution

JFrederick29 earned 500 total points
ID: 24042141
Okay, do you have a layer 3 switch on the network?

Here's the problem when you attempt to communicate to the remote network with your current setup.

TCP SYN from to goes to ASA then to MPLS router then to client (okay so far)
TCP SYN ACK from goes to MPLS router then to (bypassing ASA).
TCP ACK from to goes to ASA and the ASA denies the connection since it didn't see the SYN ACK.

If you can't use the MPLS router as the gateway for the subnet and you don't have a layer 3 switch on the subnet, the only other alternative is to add routes to every PC for the remote networks:

route add mask -p
route add mask -p
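The three-leg trace in the accepted answer, together with the "enable same interface traffic" remark in the first expert comment, modelled as an added Python example. This is illustrative code written for this page, not the ASA's own packet processing and not anything posted in the original thread. The addresses are assumptions, since the post's real ones were removed: the ASA inside address is taken as 10.0.0.1 (the PCs' default gateway), the LEC's MPLS router as 10.0.0.2 on the same inside subnet, the workstation as 10.0.0.50, and a remote-office device as 10.1.0.10 on 10.1.0.0/24. The firewall class is a deliberately simplified stand-in for the ASA's connection table; its two log strings imitate ASA messages 106001 (the one quoted in the question) and 106015, "Deny TCP (no connection)". The `permit_intra_interface` switch stands for `same-security-traffic permit intra-interface`, which is the ASA command behind "enable same interface traffic".

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical addressing (assumed for this example; the post's real addresses were removed).
ASA_INSIDE = "10.0.0.1"       # ASA inside address, the PCs' default gateway
MPLS_ROUTER = "10.0.0.2"      # LEC-managed MPLS router on the same inside subnet
PC = "10.0.0.50"              # the author's workstation
REMOTE_DEVICE = "10.1.0.10"   # a switch or router at a remote office
REMOTE_NET = ipaddress.ip_network("10.1.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class StatefulFirewall:
    """Minimal stand-in for the ASA connection table: a TCP flow is only allowed if
    this box itself saw the SYN, then the SYN-ACK, then the ACK. Log strings imitate
    ASA messages 106001 and 106015; this is not the ASA's real logic."""

    def __init__(self, permit_intra_interface):
        self.permit_intra_interface = permit_intra_interface
        self.conns = {}  # (client, server) -> handshake state
        self.log = []

    def inspect(self, pkt, in_if, out_if):
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            if in_if == out_if and not self.permit_intra_interface:
                self.log.append(f"Inbound TCP connection denied from {pkt.src} to {pkt.dst} "
                                f"flags SYN on interface {in_if}")
                return False
            self.conns[fwd] = "SYN_SEEN"
            return True
        if pkt.flags == "SYN-ACK" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "SYN_ACK_SEEN"
            return True
        if pkt.flags == "ACK" and self.conns.get(fwd) == "SYN_ACK_SEEN":
            self.conns[fwd] = "ESTABLISHED"
            return True
        self.log.append(f"Deny TCP (no connection) from {pkt.src} to {pkt.dst} "
                        f"flags {pkt.flags} on interface {in_if}")
        return False


def next_hop(routes, dst):
    """Longest-prefix match over a PC routing table given as [(network, gateway)]."""
    best = max((r for r in routes if ipaddress.ip_address(dst) in r[0]),
               key=lambda r: r[0].prefixlen)
    return best[1]


def deliver(pkt, pc_routes, asa):
    """Carry one packet hop by hop. Returns (list of hops, delivered?)."""
    # The PC consults its own routing table; the remote device's gateway is the MPLS
    # router, which has both the inside and the remote subnet directly connected.
    hop = next_hop(pc_routes, pkt.dst) if pkt.src == PC else MPLS_ROUTER
    path = []
    while True:
        path.append(hop)
        if hop == ASA_INSIDE:
            # ASA has 'route inside REMOTE_NET via MPLS_ROUTER': in on inside, out on
            # inside, i.e. a hairpin through the same interface.
            if not asa.inspect(pkt, "inside", "inside"):
                return path, False
            hop = MPLS_ROUTER
        elif hop == MPLS_ROUTER:
            hop = pkt.dst  # both subnets are directly connected to the MPLS router
        else:
            return path, hop == pkt.dst


def handshake(pc_routes, asa):
    """Send SYN, SYN-ACK, ACK; return (flags of the first leg that failed or None, paths)."""
    legs = [Packet(PC, REMOTE_DEVICE, "SYN"),
            Packet(REMOTE_DEVICE, PC, "SYN-ACK"),
            Packet(PC, REMOTE_DEVICE, "ACK")]
    paths = {}
    for pkt in legs:
        path, ok = deliver(pkt, pc_routes, asa)
        paths[pkt.flags] = path
        if not ok:
            return pkt.flags, paths
    return None, paths


DEFAULT_ONLY = [(DEFAULT, ASA_INSIDE)]                           # PC as posted
WITH_HOST_ROUTE = DEFAULT_ONLY + [(REMOTE_NET, MPLS_ROUTER)]    # after 'route add ... -p'


def scenario_as_posted():
    asa = StatefulFirewall(permit_intra_interface=False)
    failed, paths = handshake(DEFAULT_ONLY, asa)
    return failed, paths, asa.log


def scenario_intra_interface_permitted():
    asa = StatefulFirewall(permit_intra_interface=True)
    failed, paths = handshake(DEFAULT_ONLY, asa)
    return failed, paths, asa.log


def scenario_host_route():
    asa = StatefulFirewall(permit_intra_interface=False)
    failed, paths = handshake(WITH_HOST_ROUTE, asa)
    return failed, paths, asa.log


if __name__ == "__main__":
    for name, fn in [("as posted", scenario_as_posted),
                     ("intra-interface permitted", scenario_intra_interface_permitted),
                     ("host route on PC", scenario_host_route)]:
        failed, paths, log = fn()
        print(f"{name}: failed leg = {failed}")
        for flags, path in paths.items():
            print(f"  {flags:8s} -> {' -> '.join(path)}")
        for line in log:
            print(f"  ASA log: {line}")
```

Running it walks through the three situations in order. With the config as posted, the SYN is dropped at the hairpin, which is the 106001 message quoted in the question. With intra-interface traffic permitted, the SYN passes, but the SYN-ACK comes back from the MPLS router straight to the PC, so the ACK reaches an ASA that never saw the SYN-ACK and is dropped. With the persistent host route, the ASA is no longer in the path at all. That last point is also the caveat: the workaround restores connectivity by taking the ASA out of the picture for inside-to-remote traffic, so nothing on the ASA inspects or logs it, and a layer 3 switch as the gateway has the same effect. If the ASA must stay in the path, both directions have to traverse it, which is why the first comment asks for the MPLS router's return route to point at the ASA.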

Author Closing Comment

ID: 31565333
I'll have to get a Layer3 switch to get this working "correctly", but for now, your route statements did the trick.  Thanks!

FYI... for anyone seeing this issue and running these route commands in Windows Vista with UAC turned on, you'll have to make sure you run "cmd" as an administrator (being logged in as one doesn't work).  To do this:

start -> type "cmd" -> ctrl-shift-enter

That will put you in "admin" mode for command line.
