https://community.cisco.com/t5/network-security/inbound-tcp-connection-denied/m-p/2772312#M166506 <P>Akshay,</P> <P></P> <P>i did a packet capture wizard on the cisco asa but it only showed ingress traffic - no egress but it didnt show much anyway other than an attempt&nbsp;</P> <P></P> <P>I done the packet tracer on the cisco asa and it said that the traffic was being denied by the access-list ie it seen the traffic as denied all and ropped it. &nbsp;I know an acl was applied</P> <P></P> <P>So i checked the routing on the LAN. &nbsp;It turns out this traffic needed to be routed out a different Layer 3 device and routed out the one of the ohter firewalls ( we have 3 on different sites and they are all stand alone). &nbsp;The firewalls all have the same access list</P> <P></P> <P>Bit of a nightmare but routing was the problem and as soon as it routed out the correct firewall then the access list was permitted</P> <P></P> <P>Thanks for &nbsp;your help and looking forward to trying this command on Monday</P> <P></P> <P>....<SPAN>please take the capture with 'cap drop type asp-drop all' and see the output with 'show cap drop | in &lt;source-ip&gt;'</SPAN></P> <P></P> <P>regards,</P> <P>Kevin</P> <P></P> Fri, 30 Oct 2015 19:27:06 GMT ohareka70 2015-10-30T19:27:06Z https://community.cisco.com/t5/network-security/inbound-tcp-connection-denied/m-p/2772310#M166504 <P>Hello,</P> <P></P> <P>I have a server on the corporate network and it has a rule on the firewall to allow it to talk out to another external IP for a winscp transfer over tpc/222</P> <P>It was working ok but it stopped this week saying</P> <P style="margin: 0cm 0cm 10pt;"><FONT color="#000000" face="Calibri">Inbound TCP connection denied from 10.x.x.x/49578 to 172.x.x.x/222 flags SYN on interface inside</FONT></P> <P style="margin: 0cm 0cm 10pt;"><FONT color="#000000" face="Calibri"></FONT></P> <P style="margin: 0cm 0cm 10pt;"><FONT color="#000000" face="Calibri">I am not seeing it hit the firewall except to say that its being denied by an Access Rule</FONT></P> <P style="margin: 0cm 0cm 10pt;"><FONT color="#000000" face="Calibri"></FONT></P> <P style="margin: 0cm 0cm 10pt;"><FONT color="#000000" face="Calibri"></FONT><FONT color="#000000" face="Calibri">Any ideas</FONT></P> <P style="margin: 0cm 0cm 10pt;"><FONT color="#000000" face="Calibri">Kevin</FONT></P> <P><FONT color="#000000" face="Times New Roman"> </FONT></P> Tue, 12 Mar 2019 06:48:41 GMT https://community.cisco.com/t5/network-security/inbound-tcp-connection-denied/m-p/2772310#M166504 ohareka70 2019-03-12T06:48:41Z https://community.cisco.com/t5/network-security/inbound-tcp-connection-denied/m-p/2772311#M166505 <P>Hi Kevin,</P> <P>- Is there any recent changes made on the ASA?</P> <P>- when you say you do not see it hitting the firewall; how did you check that? did you take any capture on these ingress and egress interface?</P> <P>- could you please take the output of packet-tracer on the ASA.</P> <P>'packet-tracer input &lt;source interface&gt; tcp &lt;source-ip&gt; 123445 &lt;destination-ip&gt; 222 detail' and check where it is dropping.</P> <P>As you had mentioned it is being denied by ACL, try placing permit acl for this traffic on line 1 on that concerned access-list.</P> <P>Also you could take captures on ASA. please take the capture with 'cap drop type asp-drop all' and see the output with 'show cap drop | in &lt;source-ip&gt;'</P> <P></P> <P>Please share your findings.</P> <P>Regards,</P> <P>Akshay Rastogi</P> Fri, 30 Oct 2015 16:49:38 GMT https://community.cisco.com/t5/network-security/inbound-tcp-connection-denied/m-p/2772311#M166505 Akshay Rastogi 2015-10-30T16:49:38Z https://community.cisco.com/t5/network-security/inbound-tcp-connection-denied/m-p/2772312#M166506 <P>Akshay,</P> <P></P> <P>i did a packet capture wizard on the cisco asa but it only showed ingress traffic - no egress but it didnt show much anyway other than an attempt&nbsp;</P> <P></P> <P>I done the packet tracer on the cisco asa and it said that the traffic was being denied by the access-list ie it seen the traffic as denied all and ropped it. &nbsp;I know an acl was applied</P> <P></P> <P>So i checked the routing on the LAN. &nbsp;It turns out this traffic needed to be routed out a different Layer 3 device and routed out the one of the ohter firewalls ( we have 3 on different sites and they are all stand alone). &nbsp;The firewalls all have the same access list</P> <P></P> <P>Bit of a nightmare but routing was the problem and as soon as it routed out the correct firewall then the access list was permitted</P> <P></P> <P>Thanks for &nbsp;your help and looking forward to trying this command on Monday</P> <P></P> <P>....<SPAN>please take the capture with 'cap drop type asp-drop all' and see the output with 'show cap drop | in &lt;source-ip&gt;'</SPAN></P> <P></P> <P>regards,</P> <P>Kevin</P> <P></P> Fri, 30 Oct 2015 19:27:06 GMT https://community.cisco.com/t5/network-security/inbound-tcp-connection-denied/m-p/2772312#M166506 ohareka70 2015-10-30T19:27:06Z