Where were these captures taken? This host unreachable ICMP error indicates that either the end host is not reachable through some router in the path (could be a firewall) or the host does not have a default gateway configured. In your case, the SYN packet goes out fine. We need to identify where these captures were taken and find out if the Unreachable was sent out by the host itself or by some layer 3 device in between.
Topology is like ASA 1 -> ASA 2 -> Host
I am doing a TCP ping from ASA 1's outside interface to the host; the capture is of the inside interface of ASA 1.
ASA 1 is translating the IPs as per the NAT rule properly, as it should.
The communication is like:
ASA sends SYN
Host sends SYN,ACK
Then the 3rd packet sent is an unreachable to the host ...
So the issue is on ASA 1 I think... because the host is responding. I have taken captures on both ASA 1 & 2... the host sends SYN,ACK
but ASA 1 sends an unreachable in place of the SYN ...
Attached is the capture of the outside interface.
So, you are doing a TCP-based ping from ASA1, is that correct? Or is the ping from a host behind the ASA1?
Can you provide the command that you are issuing on the ASA1 or the host to run this ping?
Yes, that is correct.
I am doing a TCP-based ping from ASA 1, and am doing it from ASDM -> Tools -> Ping
by giving the source interface and IP.
Ah, if you are trying to ping outside IP addresses sourced from the inside interface of the ASA, it will never work. That's ASA design: you should source from the interface of the ASA which has the route towards the destination to be pinged.
So, this won't work across interfaces if you want to source from an ASA interface, or ping an ASA interface when not connected to that interface.
The outside interface is connected to the MPLS network where the actual source resides.
So, in spite of asking the actual source to try again and again, I am trying to investigate this issue by creating a TCP connection from the ASA itself, taking the outside interface as source and using the source IP ... which works fine till SYN,ACK, but it sends the 3rd packet as an unreachable ...
Since the ASA does not own that IP address, that's a valid reason why it should be sending the host unreachable error message.
Ideally, in a router scenario, you would have created a loopback interface and tested, but the ASA won't be as friendly as you want it to be. I would suggest looking for alternatives.
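The check the first reply asks for (who actually generated the ICMP unreachable: the end host, or a layer 3 device in between?) can be answered from the packet itself, because an ICMP destination-unreachable quotes the IP header and first 8 bytes of the packet it is complaining about. Comparing the ICMP source with the quoted packet's endpoints tells you whether the error came from the destination, from the sender, or from a device on the path. The script below is an added example, not the poster's capture or any Cisco tool; it builds a constructed three-packet exchange (SYN, SYN/ACK, then a host-unreachable quoting the SYN/ACK) with hypothetical RFC 5737 addresses, and runs the check on it. The same logic works on real IPv4 packets pulled out of a pcap.

```python
import struct
import ipaddress

# Constructed sample, hypothetical addresses (assumptions, not the thread's real IPs):
PING_SRC = "198.51.100.50"   # assumed: source IP given to the ASA 1 TCP ping
ASA_OUTSIDE = "198.51.100.1"  # assumed: ASA 1 outside interface address
HOST = "192.0.2.10"           # assumed: end host behind ASA 2

ICMP_UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                      3: "port unreachable", 13: "administratively prohibited"}


def ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 packet; checksum left 0 because this is sample data, not wire traffic."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def tcp(sport, dport, seq, ack, flags):
    """20-byte TCP header, no options, checksum 0 (flags byte sits at offset 13)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def icmp_unreachable(code, offending):
    """RFC 792 type 3: quotes the offending IP header plus the first 8 bytes of its payload."""
    return struct.pack("!BBHI", 3, code, 0, 0) + offending[:28]


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:])


def tcp_flags(segment):
    flags = segment[13]
    return ",".join(n for bit, n in ((0x02, "SYN"), (0x10, "ACK"), (0x04, "RST"), (0x01, "FIN"))
                    if flags & bit)


def describe(pkt):
    """One-line summary of a packet, like a capture listing."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == 6:
        sport, dport = struct.unpack("!HH", payload[:4])
        return f"TCP {src}:{sport} -> {dst}:{dport} [{tcp_flags(payload)}]"
    if proto == 1 and payload[0] == 3:
        return (f"ICMP {src} -> {dst} destination unreachable "
                f"({ICMP_UNREACH_CODES.get(payload[1], payload[1])})")
    return f"proto {proto} {src} -> {dst}"


def locate_unreachable(pkt):
    """Decide who generated an ICMP unreachable by comparing its source with the quoted packet."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto != 1 or payload[0] != 3:
        raise ValueError("not an ICMP destination-unreachable packet")
    in_src, in_dst, in_proto, in_payload = parse_ipv4(payload[8:])
    quoted = f"{in_src} -> {in_dst}"
    if in_proto == 6:  # only ports and seq are quoted, the flags byte is beyond the 8 bytes
        sport, dport = struct.unpack("!HH", in_payload[:4])
        quoted = f"{in_src}:{sport} -> {in_dst}:{dport}"
    if src == in_dst:
        origin = "the destination of the quoted packet itself (it received the packet and refused it)"
    elif src == in_src:
        origin = "the sender of the quoted packet itself (local delivery failure, e.g. no route)"
    else:
        origin = "an intermediate layer-3 device (router or firewall) on the path"
    return {"icmp_from": src, "icmp_to": dst,
            "code": ICMP_UNREACH_CODES.get(payload[1], payload[1]),
            "quoted": quoted, "origin": origin}


# Constructed exchange matching the thread's description: SYN out, SYN/ACK back,
# then a host-unreachable sent toward the host by the ASA's outside interface.
SYN = ipv4(PING_SRC, HOST, 6, tcp(40000, 80, 1000, 0, 0x02))
SYNACK = ipv4(HOST, PING_SRC, 6, tcp(80, 40000, 5000, 1001, 0x12))
UNREACH = ipv4(ASA_OUTSIDE, HOST, 1, icmp_unreachable(1, SYNACK))
EXCHANGE = [SYN, SYNACK, UNREACH]


def analyze(packets):
    """Summarise the exchange and locate the originator of the final ICMP error."""
    return [describe(p) for p in packets], locate_unreachable(packets[-1])


if __name__ == "__main__":
    lines, verdict = analyze(EXCHANGE)
    print("\n".join(lines))
    print(f"ICMP from {verdict['icmp_from']} quoting {verdict['quoted']}: {verdict['origin']}")
```

In the constructed sample the ICMP source is neither endpoint of the quoted SYN/ACK, so the script reports an intermediate device; with the ASA 1 outside interface as that address, it is the firewall that issued the ping, which is what the thread concludes. Run it over both captures (ASA 1 and ASA 2): if the unreachable only appears in the ASA 1 capture and quotes the host's SYN/ACK, the host is not the one rejecting the connection.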