BarepAssets
Problem with ASA connection
Hi,
I am having an issue with a new installation of an ASA 5520. My outside routers
are running BGP. The BGP traffic from my outside routers goes through my production firewall to the VLAN hosting the routers to the DR site, then out to the DR routers, which are part of the BGP process. So basically the BGP protocol traffic goes through the production firewall and I am getting the following error.
The traffic is being blocked:
2 Sep 20 2010 10:21:34 106001 192.63.0.2 11271 192.63.128.2 179 Inbound TCP connection denied from 192.63.0.2/11271 to 192.63.128.2/179 flags SYN on interface OUTSIDE
Looks to me like a simple allow rule. I have gone as far as allowing ip any any on the outside interface; still not working.
Any ideas? If I do not get them up soon I am going to have to roll back, so any help would be greatly appreciated.
Thanks,
Unfortunately I haven't worked with 8.3 code yet, so I'm at a disadvantage here. I know 8.3 introduced changes in how NAT is handled, but from the config you show, it looks like you're not doing NAT. Can I assume the ASA is in routed (layer 3) mode? I have to go now, will try to find some more pointers on troubleshooting when I get back.
ASKER
Cheers jmeggers, I resolved the 2nd part of it. Basically it was the same-security interface: we have an additional VLAN connected to the firewall with the router to the DR site, and these were set to the same security level. I will give you the full points, as I think I would have run into an issue not having added the BGP MD5 policy map anyway; I think it was a twofold solution. Yes, NAT has changed loads :( I found this part of the upgrade the hardest, just trying to get used to the new NAT; it will just take some getting used to. Thanks again for your help.
That's a perfect example of why attaching only portions of the config doesn't always help. I probably wouldn't have thought to ask that question unless I could see all the configuration. Good job on solving the problem, though.
ASKER
I have tried the above, still not working. The following is the code I have successfully put into the config of the ASA; I am on IOS 8.3.2(1):
access-list BGP-MD5-ACL extended permit tcp host 192.63.128.2 host 192.63.0.3 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.128.2 host 192.63.0.2 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.0.2 host 192.63.128.2 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.0.3 host 192.63.128.2 eq bgp
!
tcp-map BGP-MD5-OPTION-ALLOW
 tcp-options range 19 19 allow
class-map CLASS-BGP-MD5
 match access-list BGP-MD5-ACL
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class CLASS-BGP-MD5
  set connection random-sequence-number disable
  set connection advanced-options BGP-MD5-OPTION-ALLOW
!
service-policy global_policy global
The access-list for the outside interface allowing it has also been put in.
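As an added example (not part of this thread or of any Cisco tooling), the script below ties the two technical pieces of the thread together: it parses the ASA 106001 "Inbound TCP connection denied" syslog line from the original question and checks that flow against the host/host/eq access-list entries posted above. When a port-179 denial is logged even though the ACL permits the peer pair, the ACL is not the cause, and the script points at the two things this thread ended up needing: same-security-traffic between interfaces at the same level, and the tcp-map allowing TCP option 19 (TCP MD5) with randomised sequence numbers disabled. The log line and ACL entries embedded as sample data are constructed copies of what appears in the thread; the regexes only handle the `host A host B eq PORT` ACL form used here and a small subset of ASA port names.

```python
import re
from dataclasses import dataclass

# Constructed sample input, copied in shape from the thread (test data only).
SAMPLE_LOG = (
    "2 Sep 20 2010 10:21:34 106001 192.63.0.2 11271 192.63.128.2 179 "
    "Inbound TCP connection denied from 192.63.0.2/11271 to 192.63.128.2/179 "
    "flags SYN on interface OUTSIDE"
)
SAMPLE_ACL = [
    "access-list BGP-MD5-ACL extended permit tcp host 192.63.128.2 host 192.63.0.2 eq bgp",
    "access-list BGP-MD5-ACL extended permit tcp host 192.63.0.2 host 192.63.128.2 eq bgp",
]

BGP_PORT = 179
PORT_NAMES = {"bgp": 179, "ssh": 22, "www": 80, "https": 443}  # subset of ASA port names

# ASA message 106001: an inbound connection denied by ACL or security-level policy.
DENY_RE = re.compile(
    r"\b106001\b.*?Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)
# Only the host/host/eq ACL form used in this thread is parsed (assumption).
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\w+) "
    r"host (?P<src>[\d.]+) host (?P<dst>[\d.]+) eq (?P<port>\w+)"
)


@dataclass(frozen=True)
class Denial:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    iface: str


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_denial(line):
    """Return a Denial for a 106001 line, or None if the line is something else."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return Denial(m["proto"].lower(), m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["flags"].strip(), m["iface"])


def parse_acl(lines):
    """Parse host/host/eq ACL lines; entries in other forms are skipped."""
    entries = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        port = m["port"]
        dport = int(port) if port.isdigit() else PORT_NAMES.get(port)
        if dport is None:
            continue
        entries.append(AclEntry(m["name"], m["action"], m["proto"].lower(),
                                m["src"], m["dst"], dport))
    return entries


def acl_verdict(entries, d):
    """First matching entry wins, as on the ASA; implicit deny if nothing matches."""
    for e in entries:
        if (e.proto == d.proto and e.src == d.src
                and e.dst == d.dst and e.dport == d.dport):
            return e.action
    return "deny"


def triage(line, acl_lines):
    """Classify one denial line against the ACL and suggest what to check next."""
    d = parse_denial(line)
    if d is None:
        return {"matched": False}
    verdict = acl_verdict(parse_acl(acl_lines), d)
    result = {"matched": True, "is_bgp": d.dport == BGP_PORT,
              "iface": d.iface, "acl_verdict": verdict}
    if d.dport == BGP_PORT and verdict == "permit":
        # ACL is not the blocker: the two causes this thread ran into.
        result["next_checks"] = [
            "same-security-traffic permit inter-interface (interfaces at the same level)",
            "tcp-map allowing TCP option 19 and random-sequence-number disable for the BGP class",
        ]
    elif d.dport == BGP_PORT:
        result["next_checks"] = ["add an access-list entry permitting this peer pair on port 179"]
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_ACL))
```

Feeding the script a 106001 line together with the access-list from the config reproduces the situation in the thread: the ACL permits 192.63.0.2 to 192.63.128.2 on 179, so the remaining suspects are the interface security levels and the TCP option 19 handling.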