https://community.cisco.com/t5/network-security/asa-5580-mysql-port-access-problem/m-p/3203884#M1065291 <P>hi friends, my ASA 5580 has an interface called FTTH with 192.168.51.254 ip add. and that interf. is connected to a Switch through vlan51 with 192.168.51.253 ip addr. I already added to ASA the following route:<BR />route FTTH 192.168.60.200 255.255.255.255 192.168.51.253 1<BR />so I can ping from 192.168.60.200 to any PC in vlan51 (i.e: 192.168.51.200) and viceversa, so far so good... but the problem is that I can't access to any other service like FTP, SSH or mysql (mainly this) in vlan 51 from 192.168.60.200...so, do I need to create some rule for this??? can anybody help me please??? Thanks in advance.</P> <P>&nbsp;</P> <P>Here's an update:</P> <P>when I try to access from 192.168.60.200 to 192.168.51.200 using FTP and chekc the Real-Time Log Viewer in ASDM I get:</P> <P>6&nbsp;&nbsp; &nbsp;Oct 24 2017&nbsp;&nbsp; &nbsp;11:20:13&nbsp;&nbsp; &nbsp;106015&nbsp;&nbsp; &nbsp;192.168.51.200&nbsp;&nbsp; &nbsp;445&nbsp;&nbsp; &nbsp;192.168.60.200&nbsp;&nbsp; &nbsp;52667&nbsp;&nbsp; &nbsp;Deny TCP (no connection) from 192.168.51.200/445 to 192.168.60.200/52667 flags SYN ACK&nbsp; on interface FTTH<BR />The ASA discarded a TCP packet that has no associated connection in the ASA connection table. The ASA looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is no existing connection, the ASA discards the packet. </P> Fri, 21 Feb 2020 14:33:11 GMT gasparmenendez 2020-02-21T14:33:11Z https://community.cisco.com/t5/network-security/asa-5580-mysql-port-access-problem/m-p/3203884#M1065291 <P>hi friends, my ASA 5580 has an interface called FTTH with 192.168.51.254 ip add. and that interf. is connected to a Switch through vlan51 with 192.168.51.253 ip addr. I already added to ASA the following route:<BR />route FTTH 192.168.60.200 255.255.255.255 192.168.51.253 1<BR />so I can ping from 192.168.60.200 to any PC in vlan51 (i.e: 192.168.51.200) and viceversa, so far so good... but the problem is that I can't access to any other service like FTP, SSH or mysql (mainly this) in vlan 51 from 192.168.60.200...so, do I need to create some rule for this??? can anybody help me please??? Thanks in advance.</P> <P>&nbsp;</P> <P>Here's an update:</P> <P>when I try to access from 192.168.60.200 to 192.168.51.200 using FTP and chekc the Real-Time Log Viewer in ASDM I get:</P> <P>6&nbsp;&nbsp; &nbsp;Oct 24 2017&nbsp;&nbsp; &nbsp;11:20:13&nbsp;&nbsp; &nbsp;106015&nbsp;&nbsp; &nbsp;192.168.51.200&nbsp;&nbsp; &nbsp;445&nbsp;&nbsp; &nbsp;192.168.60.200&nbsp;&nbsp; &nbsp;52667&nbsp;&nbsp; &nbsp;Deny TCP (no connection) from 192.168.51.200/445 to 192.168.60.200/52667 flags SYN ACK&nbsp; on interface FTTH<BR />The ASA discarded a TCP packet that has no associated connection in the ASA connection table. The ASA looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is no existing connection, the ASA discards the packet. </P> Fri, 21 Feb 2020 14:33:11 GMT https://community.cisco.com/t5/network-security/asa-5580-mysql-port-access-problem/m-p/3203884#M1065291 gasparmenendez 2020-02-21T14:33:11Z https://community.cisco.com/t5/network-security/asa-5580-mysql-port-access-problem/m-p/3204429#M1065292 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/223661">@gasparmenendez</a></P> <P>&nbsp;</P> <P>&nbsp; Where does&nbsp;<SPAN>192.168.60.200 comes from ? Another ASA interface?</SPAN></P> <P><SPAN>In terms of routing, direct connected interface should not require routing, ASA should have those interface on the routing table already.&nbsp;</SPAN></P> <P><SPAN>&nbsp; ACL may be necessary, depending&nbsp;on the topology.&nbsp;&nbsp;</SPAN></P> <P><SPAN>Make sure those services are running on the target servers.</SPAN></P> <P>&nbsp;</P> <P><SPAN>-If I helped you somehow, please, rate it as useful.-</SPAN></P> <P>&nbsp;</P> Tue, 24 Oct 2017 18:19:49 GMT https://community.cisco.com/t5/network-security/asa-5580-mysql-port-access-problem/m-p/3204429#M1065292 Flavio Miranda 2017-10-24T18:19:49Z https://community.cisco.com/t5/network-security/asa-5580-mysql-port-access-problem/m-p/3204442#M1065293 <P>hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/178747">@Flavio Miranda</a>,<BR /><A id="link_14" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://supportforums.cisco.com/t5/user/viewprofilepage/user-id/178747" target="_self"></A></P> <P><SPAN>192.168.60.200</SPAN> comes from another ASA in fact, that's why I had to add the route...but like I said ping is ok, but just ping. I already checked and <SPAN>those services are running on the target servers.</SPAN> Any more ideas????</P> <P>Thanks!!</P> Tue, 24 Oct 2017 18:36:16 GMT https://community.cisco.com/t5/network-security/asa-5580-mysql-port-access-problem/m-p/3204442#M1065293 gasparmenendez 2017-10-24T18:36:16Z