topic Re: ASA 8.4 no connection one interface to another in Network Security

ASA 8.4 no connection one interface to another

JDMJeffy84 — Tue, 12 Mar 2019 00:54:51 GMT

Hi guys,

I'm stuck on a particular issue, I can see this in SYSLOG:

Deny TCP (no connection) from 192.168.112.x./x to 192.168.115.x/x flags SYN ACK on interface inside

Teardown TCP connection 7844974 for fw-mgmt:192.168.115.x/x to inside:192.168.112.x/x duration 0:00:00 bytes 0 No valid adjacency

Routing failed to locate next hop for TCP from inside:192.168.112.x/x to fw-mgmt:192.168.115.x/x

I've tried adding a static route on firewall:

route fw-mgmt 192.168.115.0 255.255.255.0 192.168.112.1
ERROR: Cannot add route, connected route exists

Any ideas what this could be?

Thanks

Re: ASA 8.4 no connection one interface to another

Karsten Iwen — Thu, 31 Jan 2013 12:04:16 GMT

Do you have an interface in the 192.168.115.0 network? Please post the output of

asa# sh int ip brie

And which systems are communicating? What are there Locations (interfaces) and IP-addresses?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ASA 8.4 no connection one interface to another

JDMJeffy84 — Thu, 31 Jan 2013 12:21:04 GMT

I have a server in the 115 subnet 192.168.115.100 and requires communication to 192.168.112.100 in 112 subnet

Ethernet0/1                unassigned
Ethernet0/1.112            192.168.112.x    inside 100
Ethernet0/1.118            192.168.118.x   fw-mgmt 80
Ethernet0/2                192.168.115.x dmz 50
Ethernet0/3                192.168.64.x    inner-mgmt 100
Management0/0              1.1.1.1

Thanks

Re: ASA 8.4 no connection one interface to another

Karsten Iwen — Thu, 31 Jan 2013 12:32:45 GMT

So you have a communication from dmz to inside?

Paste your NAT- config and the ACL on the dmz-interface.

And what is the output of packet-tracer:

packet-tracer input dmz 192.168.115.100 1234 192.168.112.100 PORT-YOU-WANT-TO-USE

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: ASA 8.4 no connection one interface to another

JDMJeffy84 — Thu, 31 Jan 2013 12:50:56 GMT

Sorry the IP add is 115.91 and 112.54

access-list DMZ_IN extended permit tcp 192.168.115.0 255.255.255.0 host 192.168.115.251 object-group srv_WebPorts

access-list DMZ_IN extended permit object-group srv_VMwareIn object-group DMZ_VirtualHosts object vCentre

access-list DMZ_IN extended permit ip object-group DMZ_VirtualHosts object vCentre

access-list DMZ_IN extended permit udp 192.168.115.0 255.255.255.0 host 192.168.112.100 eq ntp

access-list DMZ_IN extended permit tcp host 192.168.115.91 host 192.168.112.54 eq 5723

access-list DMZ_IN extended permit tcp host 192.168.112.54 host 192.168.115.91 eq 5723

access-list DMZ_IN extended deny ip any any log

object network inside_NAT

subnet 192.168.112.0 255.255.255.0

object network vCentre

host 192.168.112.206

object network vCentre-DMZ_NAT

host 192.168.115.253

object network SECISM

host 192.168.112.100

object network SECISM-DMZ_NAT

host 192.168.115.252

nat (inside,outside) source static inside_NAT inside_NAT

nat (inside,dmz) source static vCentre vCentre-DMZ_NAT

nat (inside,dmz) source static SECISM SECISM-DMZ_NAT

nat (inside,outside) source dynamic inside_NAT interface

object network vCentre

nat (inside,dmz) static 192.168.115.253 dns

object network SECMGMT01

nat (inside,dmz) static 192.168.115.252

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.112.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_IN in interface dmz
access-list DMZ_IN extended permit tcp host 192.168.115.91 host 192.168.112.54 eq 5723
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7901509, packet dispatched to next module

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Re: ASA 8.4 no connection one interface to another

Karsten Iwen — Thu, 31 Jan 2013 13:50:05 GMT

Your ASA says that the traffic should work. What config do you have regarding interface "fw-mgmt"?

And test again and show the corresponding log.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni