https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242180#M876192 <HTML><HEAD></HEAD><BODY><P>on another network.</P><P>the devices are on different switchs and different vlans, but all traficc is routed to internal-interface of FW. </P></BODY></HTML> Wed, 18 Feb 2009 14:31:08 GMT SpeedLottery 2009-02-18T14:31:08Z https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242178#M876189 <P>Hi,</P><P>I need to computers (on different VLANS) but pointing to the FW to connect via specific tcp ports. </P><P>I'm getting this syslog message.</P><P>106015 Deny TCP (no connection) from 192.168.167.64/1433 to 192.168.167.80/1796 flag SYN ACK on internal interface.</P><P></P><P>Should i add an acl into internal-interface and how?</P><P></P><P>Thanks.</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 14:52:19 GMT https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242178#M876189 SpeedLottery 2019-03-11T14:52:19Z https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242179#M876190 <HTML><HEAD></HEAD><BODY><P>Errrm from your post - the traffic is from a device to another device on the same network?</P></BODY></HTML> Wed, 18 Feb 2009 12:55:18 GMT https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242179#M876190 andrew.prince 2009-02-18T12:55:18Z https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242180#M876192 <HTML><HEAD></HEAD><BODY><P>on another network.</P><P>the devices are on different switchs and different vlans, but all traficc is routed to internal-interface of FW. </P></BODY></HTML> Wed, 18 Feb 2009 14:31:08 GMT https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242180#M876192 SpeedLottery 2009-02-18T14:31:08Z https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242181#M876194 <HTML><HEAD></HEAD><BODY><P>OK - just one question what is device "192.168.165.61"</P><P></P><P>taken from your firewall config:-</P><P>"route internal-interface 192.168.167.0 255.255.255.0 192.168.165.61"</P></BODY></HTML> Wed, 18 Feb 2009 14:44:53 GMT https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242181#M876194 andrew.prince 2009-02-18T14:44:53Z https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242182#M876197 <HTML><HEAD></HEAD><BODY><P>ok,</P><P>becouse 192.168.165.0 is the internal network, and there is another network on other switch, which i connected with a crossover cable, and so i configured on that third switch an interface from vlan 1 with this 192.1658.165.61 ip, so that the internal network knows how to reach the 192.168.167.0 network.</P></BODY></HTML> Wed, 18 Feb 2009 14:56:45 GMT https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242182#M876197 SpeedLottery 2009-02-18T14:56:45Z https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242183#M876199 <HTML><HEAD></HEAD><BODY><P>OK - here's the thing, what you have done makes no sense, you have multiple layer 3 interfaces on multiple switches, the routing will not be correct or best practise.</P><P></P><P>What device is handling the vlan to vlan IP routing?</P></BODY></HTML> Wed, 18 Feb 2009 15:02:37 GMT https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242183#M876199 andrew.prince 2009-02-18T15:02:37Z https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242184#M876202 <HTML><HEAD></HEAD><BODY><P>I attach the switches config.</P><P>ip routing is enabled in all switches, and ping is ok from hosts on vlan30 to hosts on vlan1 but there are issues like the tcp ports that i dont understand.</P><P>that's why i said that if the FW is denying the tcp connection i guess i should allow it somehow.</P><P>i just need a host on the 192.168.165.0 to connect via specific tcp ports to another host on the 192.168.167.0 network.</P><P></P><P> </P><P></P></BODY></HTML> Wed, 18 Feb 2009 15:17:08 GMT https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242184#M876202 SpeedLottery 2009-02-18T15:17:08Z https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242185#M876205 <HTML><HEAD></HEAD><BODY><P>From your configs - All swithches are effectivly routers, ans switches. I can see no order, i.e core, distribution, access switch.</P><P></P><P>I find it quite surprising that the firewall is seeing a tcp request from 2 machines on vlan30 - as they are in the same broadcast domain and do not need to go thru a layer 3 device.</P><P></P><P>The fact you have 3 layer 3 interfaces and the firewall interface are routable, means there should be no connectivity issues.</P><P></P><P>I personally think you should re-think your design.</P></BODY></HTML> Wed, 18 Feb 2009 15:46:43 GMT https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242185#M876205 andrew.prince 2009-02-18T15:46:43Z https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242186#M876208 <HTML><HEAD></HEAD><BODY><P>The machines are on different vlans, 1 and 30.</P><P>one has 192.168.167.80</P><P>the other 192.168.165.64</P><P></P></BODY></HTML> Wed, 18 Feb 2009 15:52:11 GMT https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242186#M876208 SpeedLottery 2009-02-18T15:52:11Z https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242187#M876214 <HTML><HEAD></HEAD><BODY><P>Ahh yes - OK here is the quick and dirty fix:-</P><P></P><P>In the ASA remove the route:-</P><P>route internal-interface 192.168.167.0 255.255.255.0 192.168.165.61</P><P>replace with:-</P><P>route internal-interface 192.168.167.0 255.255.255.0 192.168.165.10</P><P></P><P>In NS1 add:-</P><P>ip route 192.168.167.0 255.255.255.0 192.168.165.61</P><P></P><P>In NS2 add:-</P><P>ip route 192.168.167.0 255.255.255.0 192.168.165.61</P><P></P><P>But I strongly suggest you change your topology as right now - you have 3 routers, with no logical routing process between them and poor design.</P><P></P><P></P><P></P><P></P></BODY></HTML> Wed, 18 Feb 2009 19:14:06 GMT https://community.cisco.com/t5/network-security/tcp-denied/m-p/1242187#M876214 andrew.prince 2009-02-18T19:14:06Z