Inbound TPC connnection denied - despite access list rules

hrmcardle0 — Fri, 21 Feb 2020 16:32:05 GMT

So I'm working on moving our citrix enviroment to our new building. However once changing all the ip's and updating the access list rules, it wasn't working. Doing the sh logging command, I see the following blocking the citrix traffic on port 8080:

Inbound TPC connnection denied from 72.9.2.126/55263 to 72.9.2.127/8080 flags SYN on interface outside

Anyone know why this is caused? I'm pretty sure my access-list is allowing port 8080 traffic, as you can see from my config.



interface Ethernet0/0
 description To cable modem
 switchport access vlan 2
!
interface Ethernet0/1
 description IIS SERVER - THIS is the 72.9.2.126 server
 switchport access vlan 2
!
interface Ethernet0/2
 description xx
 switchport access vlan 2
!
interface Ethernet0/3
 description xx
 switchport access vlan 2
!
interface Ethernet0/4
 description [This is the 72.9.2.127 server]
 switchport access vlan 10
!
interface Ethernet0/5
 description xx
 switchport access vlan 10
!
interface Ethernet0/6
 description xx
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan2
 nameif outside
 bridge-group 1
 security-level 0
!
interface Vlan10
 nameif inside
 bridge-group 1
 security-level 100
!
interface BVI1
 ip address 72.9.2.128 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name setb.ad.dmz
object-group network inside_host
 network-object host 208.90.140.23
 network-object host 208.90.140.35
 network-object host 208.90.140.29
 network-object host 208.90.140.163
 network-object host 208.90.140.28
 network-object host 208.90.140.175
 network-object host 208.90.140.27
 network-object host 208.90.140.161
 network-object host 72.9.2.123
 network-object host 72.9.2.120
 network-object host 72.9.2.121
 network-object host 72.9.2.125
 network-object host 72.9.2.126
 network-object host 72.9.2.127
 network-object host 72.9.2.133
 network-object host 72.9.2.134
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_in extended permit tcp host 72.9.2.125 any eq 8080
access-list outside_in extended permit tcp host 72.9.2.126 any eq 8080
access-list outside_in extended permit tcp host 72.9.2.125 object-group inside_host eq 8080
access-list outside_in extended permit tcp host 72.9.2.126 object-group inside_host eq 8080
access-list outside_in extended permit tcp object-group inside_host object-group inside_host eq 8080
access-list outside_in extended permit tcp any host 72.9.2.126 eq www
access-list outside_in extended permit tcp any host 72.9.2.126 eq https
access-list outside_in extended permit tcp any host 72.9.2.125 eq https
access-list outside_in extended permit tcp any host 72.9.2.126 eq 1434
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.133 eq 1434 inactive
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.133 eq 1433 inactive
access-list outside_in extended permit udp host 72.9.2.125 object-group inside_host eq 1434
access-list outside_in extended permit tcp host 72.9.2.125 object-group inside_host eq 1434
access-list outside_in extended permit udp host 72.9.2.125 object-group inside_host eq 1433
access-list outside_in extended permit tcp host 72.9.2.125 object-group inside_host eq 1433
access-list outside_in extended permit udp host 72.9.2.126 object-group inside_host eq 1434
access-list outside_in extended permit tcp host 72.9.2.126 object-group inside_host eq 1434
access-list outside_in extended permit udp host 72.9.2.126 object-group inside_host eq 1433
access-list outside_in extended permit tcp host 72.9.2.126 object-group inside_host eq 1433
access-list outside_in extended permit tcp host 72.9.2.126 72.9.2.0 255.255.255.0 eq 135
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.123 eq ldap
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.123 eq 88 log
access-list outside_in extended permit udp host 72.9.2.126 host 72.9.2.123 eq 88
access-list outside_in extended permit udp host 72.9.2.126 host 72.9.2.123 eq domain
access-list outside_in extended permit udp host 72.9.2.126 host 72.9.2.123 eq 389
access-list outside_in extended permit ip host 72.9.2.126 host 72.9.2.123 log
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.127 eq 8080
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.123 eq 8080
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.121 eq 8080
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.127 eq citrix-ica
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.133 eq citrix-ica
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.121 eq citrix-ica
access-list outside_in extended deny ip any any log
access-list outside_out extended permit icmp object-group inside_host any
access-list outside_out extended permit tcp object-group inside_host any
access-list outside_out extended permit udp object-group inside_host any
access-list outside_out extended permit tcp host 72.9.2.126 any eq www inactive
access-list outside_out extended permit tcp host 72.9.2.126 any eq https inactive
access-list outside_out extended permit tcp host 72.9.2.126 host 72.9.2.127 eq 8080 inactive
access-list outside_out extended deny ip any any log
access-list inside_in extended permit udp object-group inside_host any eq domain
access-list inside_in extended permit tcp object-group inside_host host 72.9.2.126 eq 501
access-list inside_in extended permit tcp object-group inside_host any eq ftp
access-list inside_in extended permit tcp object-group inside_host any eq www
access-list inside_in extended permit tcp object-group inside_host any eq https
access-list inside_in extended permit udp host 72.9.2.23 any eq domain inactive
access-list inside_in extended permit tcp host 72.9.2.127 host 72.9.2.125 eq 9669
access-list inside_in extended deny ip any any log

Thanks.

Re: Inbound TPC connnection denied - despite access list rules

mkazam001 — Tue, 04 Dec 2018 23:24:21 GMT

i see the entry, its specifically allowed here

access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.127 eq 8080

but it will hit this entry first where ALL traffic is allowed anyway

access-list outside_access_in extended permit ip any any

i've never setup asa in transparent mode so not familiar with this type of config

do you not need to apply the acl to the outside interface ass it has security-level 0 & inside is 100?

regards, mk

Re: Inbound TPC connnection denied - despite access list rules

mkazam001 — Tue, 04 Dec 2018 23:27:56 GMT

do you have this cmd?

access-group outside_in in interface outside

regards, mk

topic Re: Inbound TPC connnection denied - despite access list rules in Network Security

Inbound TPC connnection denied - despite access list rules

Re: Inbound TPC connnection denied - despite access list rules

Re: Inbound TPC connnection denied - despite access list rules