Cisco ASA - Network Routing Issue

Hi,

I am having some issues on my network here, and I have never quite seen anything like it.

I have come over to do some work in the Branch Office and I have installed an Exchange 2007 Server onto the LAN.

But it intermittently becomes unavailable, i.e. Outlook disconnects, you cannot ping it, etc.

But the problem cannot be the hardware, as this server is also running VMware, and the server running in VMware can be pinged and connected to even when the host server cannot.

When it is not available etc I get the below in the ASDM Log:

Inbound TCP connection denied from 192.168.200.68/1628 to companyx-exch01/3389 flags SYN  on interface inside

Does anyone know why I am seeing this?

192.168.200.68 is my client PC and the server companyx-exch01 has an ip address of 192.168.200.13.

Thanks in advance.

Paul
Asked by essexboy80

1 Solution
Voltz-dk commented:
Normally when traffic is blocked it will say it is blocked by an access-list, here it claims the traffic was destined for the inside interface itself.
Could you display some parts of the config?  Like interface, nat & statics?
essexboy80 (Author) commented:
Hi,

I had both of these in my config :

static (inside,outside) tcp interface smtp companyx-exch01 smtp netmask 255.255.255.255
static (outside,inside) tcp companyx-exch01 smtp 111.111.111.111(interface ip) smtp netmask 255.255.255.255

I had a play around with some config and removed the following and I think it has fixed it, would this make sense?

Removed :

static (outside,inside) tcp companyx-exch01 smtp 111.111.111.111(interface ip) smtp netmask 255.255.255.255

Seems better now, does that make sense?

Thanks
Voltz-dk commented:
Yes that makes perfect sense.  It was stuff like that I was looking for when I asked you to post these config bits :)
essexboy80 (Author) commented:
So what was what I removed actually doing to cause the issue?
Voltz-dk commented:
In order to get down to the specific details of what happens, I'd need specific details of what you're doing.

But in general, it goes like this.  Statics dictate how the firewall uses proxy-arp, which is different from how routers would do it.
And that errant static makes the firewall respond to your arp request for the exchange, making you send the packet to the firewall - which it then discards since it doesn't have a rule for it.

If you re-enable the problem, and then wait for it to occur, you can verify my statement with "arp -a" - I'm pretty sure you'll see the IP of Exch01 mapped to the Firewall's MAC address.
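The "arp -a" check Voltz-dk describes above can be automated so the symptom is caught the moment it appears rather than after Outlook drops. The script below is an added example, not code from the thread or from Cisco: it parses ARP-cache output and reports any inside host whose IP resolves to the firewall's MAC, which is what the errant (outside,inside) static produces when the ASA proxy-ARPs for the Exchange server's address. The firewall inside address 192.168.200.1 is an assumption (the thread never states it), and the ARP samples are constructed to reproduce the situation in the thread (192.168.200.13 sharing the ASA's MAC). It goes slightly beyond the thread by accepting both the Windows `arp -a` and Linux `arp -an` formats.

```python
import re
import subprocess
import sys

# Matches an IPv4 address and a MAC in Windows ("aa-bb-..") or Unix ("aa:bb:..") form.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")

# Constructed sample of Windows `arp -a` output on the client (192.168.200.68).
# 192.168.200.1 is an ASSUMED inside-interface address for the ASA; it is not on the page.
SAMPLE_WINDOWS_ARP = """\
Interface: 192.168.200.68 --- 0xb
  Internet Address      Physical Address      Type
  192.168.200.1         00-1a-2b-3c-4d-5e     dynamic
  192.168.200.13        00-1a-2b-3c-4d-5e     dynamic
  192.168.200.20        08-00-27-aa-bb-cc     dynamic
  192.168.200.255       ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample of the same situation in Linux `arp -an` form.
SAMPLE_LINUX_ARP = """\
? (192.168.200.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.200.13) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.200.20) at 08:00:27:aa:bb:cc [ether] on eth0
? (192.168.200.50) at <incomplete> on eth0
"""

ASSUMED_FIREWALL_IP = "192.168.200.1"  # assumption: the ASA's inside interface


def parse_arp_table(text):
    """Return {ip: mac} for every line carrying both an IPv4 address and a MAC.
    Header lines and incomplete entries have no MAC and are skipped;
    MACs are normalised to lower-case colon form so both OS formats compare."""
    entries = {}
    for line in text.splitlines():
        ip = IPV4_RE.search(line)
        mac = MAC_RE.search(line)
        if ip and mac:
            entries[ip.group(1)] = mac.group(1).lower().replace("-", ":")
    return entries


def find_proxy_arp_hijacks(entries, firewall_ip):
    """IPs other than the firewall's own that resolve to the firewall's MAC.
    On a flat LAN a host's IP should map to that host's NIC; an inside host whose
    address resolves to the ASA's MAC is being proxy-ARPed by the firewall, so
    frames for it go to the ASA and are dropped, as in the ASDM log above."""
    fw_mac = entries.get(firewall_ip)
    if fw_mac is None:
        return []
    return sorted(ip for ip, mac in entries.items()
                  if mac == fw_mac and ip != firewall_ip)


def check_local_arp(firewall_ip):
    """Run this host's own `arp -a` (Windows and Unix) and report hijacked entries."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True,
                         check=False).stdout
    return find_proxy_arp_hijacks(parse_arp_table(out), firewall_ip)


if __name__ == "__main__":
    fw = sys.argv[1] if len(sys.argv) > 1 else ASSUMED_FIREWALL_IP
    for ip in check_local_arp(fw):
        print(f"{ip} resolves to the firewall's MAC: check the statics on the ASA")
```

Run it on the affected client with the firewall's inside address as the argument while the fault is present; a hit for the Exchange server's IP confirms the proxy-ARP explanation before you go looking at the static entries on the ASA.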
Question has a verified solution.