ASA 5525X Deny TCP (no connection)

RMcGlew
Level 1

We recently changed network vendors and have copied the ASA rules for the old interface to the new interface. This allowed us to use both networks for a while, but now we're finding that some traffic -- Apple app deployments and iOS updates in particular -- is running into a Deny TCP (no connection). We've read that this is likely a routing problem, but we don't see it.

We're posting the 2960 Running-Config (with slight redactions). We're thinking that this would be where the routing issue would be. We probably have other issues here, but we're trying to focus on the Deny TCP/Apple app deployment.

3 Replies

Marvin Rhoads
Hall of Fame

Can you share the ASA configuration as well?

I'm attaching the ASA configuration. I redacted VPN info and such. I use the GUI to edit.

You have two default routes and a variety of NAT statements, some of which are deactivated.

Basically, the interfaces specified in your active NAT statements need to match up with the routing table, or else defer to the routing table by using the overriding "route-lookup" argument in the NAT statement.

You can confirm which rules will be used for a given flow using the packet tracer (the wizard in the GUI, or the CLI).
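The NAT/routing mismatch described in the reply above, as an added illustration that is not the poster's configuration: the interface names (OLDISP, NEWISP, inside), object names and addresses are placeholders, and the identity NAT rule stands in for any rule whose egress interface is pinned to the old provider.

```cisco
! Two default routes, one per provider. The lower metric (NEWISP) wins for
! ordinary routed traffic; OLDISP is only a backup.
route NEWISP 0.0.0.0 0.0.0.0 198.51.100.1 1
route OLDISP 0.0.0.0 0.0.0.0 203.0.113.1 10

object network INSIDE-LAN
 subnet 10.10.0.0 255.255.0.0
object network REMOTE-NET
 subnet 192.0.2.0 255.255.255.0

! Problem: a manual (twice) NAT rule copied from the old setup. The egress
! interface in the NAT statement (OLDISP) overrides the routing table, so
! outbound packets to REMOTE-NET leave via OLDISP while replies arrive on
! NEWISP, where no connection exists -> %ASA-6-106015 Deny TCP (no connection).
nat (inside,OLDISP) source static INSIDE-LAN INSIDE-LAN destination static REMOTE-NET REMOTE-NET

! Fix: append route-lookup so the ASA picks the egress interface from the
! routing table instead of the interface named in the NAT rule.
no nat (inside,OLDISP) source static INSIDE-LAN INSIDE-LAN destination static REMOTE-NET REMOTE-NET
nat (inside,NEWISP) source static INSIDE-LAN INSIDE-LAN destination static REMOTE-NET REMOTE-NET route-lookup

! Verification: trace a constructed flow from an inside host to REMOTE-NET and
! confirm the NAT and ROUTE-LOOKUP phases agree on the output interface,
! then review the installed routes and active NAT rules.
packet-tracer input inside tcp 10.10.1.25 40000 192.0.2.50 443 detailed
show route
show nat detail
```

In the packet-tracer output, an ALLOW result whose output interface differs from the interface the routing table would choose is the symptom to look for; a DROP with reason "no valid adjacency" or an egress interface mismatch points at the same NAT rule.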
