Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
379
Views
0
Helpful
3
Replies

ADSM deny message help?

danparsons
Level 1
Level 1

‎02-11-2009 04:49 AM - edited ‎03-11-2019 07:48 AM

Hi,

I am looking at the logs in the ADSM and I get the following set of lines (at the bottom).

What is supposed to be happening is that software on VISTA_CCTV on the inside is to talk to an internal address at 88.88.88.88.

VISTA_CCTV -- [ASA] >>>INTERNET<<<< [88.88.88.88]-- TECH_CCTV

However we are getting the deny message as shown below. The port supposedly used by the software (according to their tech guys) on the box is port 3000. So this has been allowed through on both sites. We seem to be able to get to the site fine through our pix at the other end, but we get the deny message on this ASA 5505. Can you help?

VISTA_CCTV OUTSIDE_IF Teardown dynamic TCP translation from inside:VISTA_CCTV/2272 to outside:OUTSIDE_IF/1055 duration 0:01:00

88.88.88.88 OUTSIDE_IF Deny TCP (no connection) from 88.88.88.88/3000 to OUTSIDE_IF/1055 flags PSH ACK on interface outside

88.88.88.88 VISTA_CCTV Teardown TCP connection 99 for outside:88.88.88.88/3000 to inside:VISTA_CCTV/2272 duration 0:00:40 bytes 263 TCP Reset-I

88.88.88.88 VISTA_CCTV Built outbound TCP connection 99 for outside:88.88.88.88/3000 (88.88.88.88/3000) to inside:VISTA_CCTV/2272 (OUTSIDE_IF/1055)

VISTA_CCTV OUTSIDE_IF Built dynamic TCP translation from inside:VISTA_CCTV/2272 to outside:OUTSIDE_IF/1055

access-list inside extended permit tcp any host OUTSIDE_IF eq 3000

static (inside,outside) tcp interface 3000 VISTA_CCTV 3000 netmask 255.255.255.255

Labels:
0 Helpful
3 Replies 3

cdusio
Level 4
Level 4

‎02-11-2009 07:59 AM

The debug shows that the internal box send out a connection to 1055. The return traffic has no PAM rule for that so it's getting dropped..

88.88.88.88 is souricng the traffic form port 3000 and returning the traffic on the source port you initiated 1055. That will never work as state will break on the firewall.

You need to control the source and destination ports or change the way you are doing NAT.

0 Helpful

danparsons
Level 1
Level 1
In response to cdusio

‎02-11-2009 08:28 AM

First of all, Thankyou very much for your answer.

Secondly, this was working fine up to about a week ago, so I assume the ports the software is using must have changed as if it was just using port 3000 it should work?

Thanks again.

0 Helpful

cdusio
Level 4
Level 4
In response to danparsons

‎02-11-2009 09:16 AM

I would think so.

If they are trying to hit that NATTED address inbound then your rule and Nat rule should work.

Outbound as long as you're trying to get to the box on 3000 that should be ok too.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card