frukeus asked:
Site-to-Site VPN Deny TCP SYN ACK on interface outside
I have created a Site-to-Site VPN for 2 ASA firewalls and am able to ping both internal subnets with no problem.
However, from 1 print server, 192.168.2.4, which is hosting a remote printer, 172.10.100.100, I am unable to print. From the print server, I ran a ping test and I can successfully ping 172.10.100.100.
On the firewall log at 192.168.1.253, I get the following message, which I believe is the problem:
Teardown TCP connection 12979303 for outside: 172.10.100.100/9100 to inside 192.168.2.4/2172 duration 0:00:00 bytes 0 TCP Reset-I
Deny TCP (no connection) from 172.10.100.100/9100 to 192.168.2.4/2172 flags SYN ACK on interface outside
192.168.2.4 (Print Server)
|
192.168.2.1 (Router)
|
192.168.1.253 (ASA)
||
VPN Tunnel
||
172.10.100.253 (ASA)
|
172.10.100.100 (printer)
ASKER CERTIFIED SOLUTION
ASKER
Is there a way to disable the stateful inspection? Well, at least for the 2 subnets in question.
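As an added illustration (not one of the answers on this page), the ASA feature that does what the question asks is TCP State Bypass: matching flows are exempted from TCP state checks, so a SYN ACK that arrives with no recorded connection is no longer dropped. It assumes /24 masks for both subnets, interface names "inside" and "outside", and ASA 8.2(1) or later.

```cisco
! Constructed example: limit TCP state bypass to the two subnets in the question.
! Assumptions: /24 masks, interface nameifs "inside" and "outside".
access-list TCP_BYPASS extended permit tcp 192.168.2.0 255.255.255.0 172.10.100.0 255.255.255.0
access-list TCP_BYPASS extended permit tcp 172.10.100.0 255.255.255.0 192.168.2.0 255.255.255.0
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the unmatched packets arrive;
! the log above shows the SYN ACK being denied on "outside".
service-policy TCP_BYPASS_POLICY interface outside
!
! Verification: the policy should show hits, and bypassed
! connections carry the "b" flag in the conn table.
show service-policy interface outside
show conn detail
```

This removes the symptom, not the cause: the return traffic still takes a path on which the ASA never saw the SYN, which the gateway mismatch mentioned in the last comment would explain. Correcting that routing keeps full stateful inspection on the printer traffic.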
ASKER
I think the printer is configured to a gateway that is 172.20.100.1 and not directly to the 172.10.100.253.
Could that be causing the SYN ACK deny?