Cisco ASA - Network Routing Issue

Posted on 2009-04-27
Last Modified: 2012-05-06

I am having some issues on my network here, and I have never quite seen anything like it.

I have come over to do some work in the Branch Office and I have installed an Exchange 2007 Server onto the LAN.

But, it itermitently becomes unavailable, ie outlook disconnects, you cannot ping etc.

But the problem cannot be the hardware as this server is also running vmware and the server running with vmware can be pinged and connected to even when the host server cannot.

When it is not available etc I get the below in the ASDM Log:

Inbound TCP connection denied from to companyx-exch01/3389 flags SYN  on interface inside

Does anyone know why I am seeing this? is my client PC and the server companyx-exch01 has an ip address of

Thanks in advance.

Question by:essexboy80
    LVL 15

    Expert Comment

    Normally when traffic is blocked it will say it is blocked by an access-list, here it claims the traffic was destined for the inside interface itself.
    Could you display some parts of the config?  Like interface, nat & statics?
    LVL 1

    Author Comment


    I had both of these in my config :

    static (inside,outside) tcp interface smtp companyx-exch01 smtp netmask
    static (outside,inside) tcp companyx-exch01 smtp ip) smtp netmask

    I had a play around with some config and removed the following and I think it has fixed it, would this make sense?

    Removed :

    static (outside,inside) tcp companyx-exch01 smtp ip) smtp netmask

    Seems better now, does that make sense?

    LVL 15

    Expert Comment

    Yes that makes perfect sense.  It was stuff like that I was looking for when I asked you to post these config bits :)
    LVL 1

    Author Comment

    so what was what i removed actually doing to cause issue?
    LVL 15

    Accepted Solution

    In order to get down to the specific details of what happens, I'd need specific details of what you're doing.

    But in general, it goes like this.  Statics dictate how the firewall uses proxy-arp, which is different from how routers would do it.
    And that errant static makes the firewall respond to your arp request for the exchange, making you send the packet to the firewall - which it then discards since it doesn't have a rule for it.

    If you re-enable the problem, and then wait for it to occur, you can verify my statement with "arp -a" - I'm pretty sure you'll see the IP of Exch01 mapped to the Firewall's MAC address.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    PRTG Network Monitor: Intuitive Network Monitoring

    Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

    Suggested Solutions

    Title # Comments Views Activity
    export data from ASA 5 44
    Cisco SG300 VLAN problem 8 33
    Find VLAN ID's 6 25
    Cisco 4500 - Supervisor cards and licensing 2 17
    If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
    Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now