topic TCP SYN Timeout ASA5505 in Network Security

TCP SYN Timeout ASA5505

ruud.manders — Tue, 12 Mar 2019 02:25:56 GMT

Hi all,

I have a Cisco877 DSL router wich is in bridge mode so the ASA5505 gets the public IP.

This works, however nothing else is.

I'm unable to access the Internet, i cant access the ASA on the Outside Interface.

All results in SYN errors.

I'm stuck and would appriciate some help.

Thanks in advance.

Ruud

Config Cisco877

bridge irb

interface ATM0

no ip address

no atm ilmi-keepalive

interface ATM0.1 point-to-point

ip virtual-reassembly in

atm route-bridged ip

bridge-group 1

pvc 0/35

encapsulation aal5snap

interface FastEthernet0

no ip address

interface FastEthernet1

no ip address

interface FastEthernet2

no ip address

interface FastEthernet3

no ip address

interface Vlan1

no ip address

bridge-group 1

ip forward-protocol nd

no ip http server

no ip http secure-server

bridge 1 protocol ieee

bridge 1 route ip

Config ASA5505

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan11

nameif outside

security-level 0

ip address dhcp setroute

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any4 any4

access-list global_access extended permit ip any any

access-list global_access extended permit icmp any4 any4

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any4 any4

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group global_access global

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.1.100-192.168.1.200 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption aes256-sha1 aes128-sha1 rc4-sha1

Re: TCP SYN Timeout ASA5505

Karsten Iwen — Thu, 15 Aug 2013 08:09:05 GMT

Your ASA tries to get it's outside IP by DHCP, but it has to use PPPOE:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080ab7ce9.shtml

BTW: Using an IOS router as a dsl modem is really a waste of ressources. A cheap dsl-modem would be fine for that.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

TCP SYN Timeout ASA5505

ruud.manders — Thu, 15 Aug 2013 08:22:25 GMT

The ASA is getting the right address using DHCP.

I dont have a username and password so i cant use PPPoE.

The Cisco 877 was the device i used before to access the Internet with this DSL line.

There was no need for PPPoE.

See the old config of the 877 below:

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

aaa new-model

aaa authentication login local_authen local

aaa authorization exec local_author local

aaa session-id common

crypto pki certificate chain tti

crypto pki certificate chain TP-self-signed-3629992121

certificate self-signed 01

quit

dot11 syslog

no ip source-route

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.100.1 192.168.100.9

ip dhcp excluded-address 192.168.100.16 192.168.100.254

ip dhcp pool Internet-pool

import all

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

dns-server 217.149.192.6 217.149.196.6

domain-name uni.nl

ip vrf Secure

no ip bootp server

ip domain name uni.nl

ip inspect name inspect-out http urlfilter audit-trail off

ip inspect name inspect-in http urlfilter audit-trail off

ip urlfilter exclusive-domain permit .windowsupdate.com

ip urlfilter exclusive-domain permit .microsoft.com

multilink bundle-name authenticated

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

interface Null0

no ip unreachables

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode auto

interface ATM0.1 point-to-point

ip address dhcp

ip nat outside

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

atm route-bridged ip

pvc 0/35

encapsulation aal5snap

interface FastEthernet0

switchport access vlan 10

interface FastEthernet1

switchport access vlan 10

interface FastEthernet2

switchport access vlan 10

interface FastEthernet3

description SecureNetwerk

switchport access vlan 20

interface Vlan20

ip address 192.168.100.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip inspect inspect-in in

ip virtual-reassembly

ip route-cache flow

interface Vlan10

ip address 10.10.10.1 255.255.255.0

ip access-group 100 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 ATM0.1

ip http server

ip http access-class 5

ip http authentication local

ip http secure-server

ip nat inside source list 1 interface ATM0.1 overload

ip nat inside source static esp 10.10.10.4 interface ATM0

ip nat inside source static tcp 10.10.10.2 443 85.223.x.y 443 extendable

TCP SYN Timeout ASA5505

Karsten Iwen — Thu, 15 Aug 2013 08:52:15 GMT

The ASA is getting the right address using DHCP.

I dont have a username and password so i cant use PPPoE.

oh, I wasn't aware of any DSL-provider using DHCP. Only saw PPPoE ...

Can you reach any destinations (inside or outside) *from* the ASA?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

TCP SYN Timeout ASA5505

ruud.manders — Thu, 15 Aug 2013 09:04:45 GMT

No, i cant reach anything.

When i do a packet trace it shows i should be able to connect. Nothing in its way that blocking traffic.

TCP SYN Timeout ASA5505

Karsten Iwen — Thu, 15 Aug 2013 09:30:57 GMT

No, i cant reach anything.

Not even an internal system? How is your internal setup? And post the output of "show route".

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: TCP SYN Timeout ASA5505

SHAWN EFTINK — Thu, 15 Aug 2013 10:29:25 GMT

When your ASA gets an IP from DHCP, it also gets a gateway address. Can you ping the gateway address from the outside interface of the ASA?

Sent from Cisco Technical Support iPhone App

TCP SYN Timeout ASA5505

Michael Muenz — Fri, 16 Aug 2013 08:24:05 GMT

Perhaps the provider limited access to the MAC address of ATM device, since there's no authentication with DHCP?

Michael

Please rate all helpful posts