We are implementing an ASA 5510 firewall with DMZ. Our UDP packets are able to get outside the firewall, but our TCP packets are being denied because of no connection. I've attached the config file and log file. Any assistance is appreciated.
I had a look at your config, and I have a strong feeling you're not giving a complete picture of your situation. Anyhow, you have asymmetric routing happening in your LAN. Asymmetric routing means the request packets and the replies to those same packets take different routing paths (not both through the firewall).
Let's take this message, for example:
6|Aug 15 2012|18:50:37|106015|172.16.11.75|2758|220.127.116.11|443|Deny TCP (no connection) from 172.16.11.75/2758 to 18.104.22.168/443 flags RST on interface INSIDE
The firewall reset this connection because it saw 172.16.11.75 wanting to reply to 22.214.171.124. The reason for this is that the firewall never saw a request from 172.16.11.75 to 126.96.36.199 in the first place. There should always be a request and then a reply, as in SYN, SYN-ACK and ACK.
Basically, the firewall discarded this TCP packet because it has no associated connection in the connection table (show conn). The firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set and there is no existing connection, the firewall discards the packet.
You could furnish a complete diagram here and a COMPLETE FIREWALL CONFIG, so that others could assist you as well.
The error 106015 comes into the picture when the first packet of your traffic is not a SYN packet, so the firewall denies it, stating there is no connection to establish. So there is a problem in the traffic the host is generating: the ASA looks for a SYN packet when it needs to build a connection.
So the traffic sent by the specific hosts in your network is not proper, as it doesn't carry a SYN packet, such as:
Aug 15 2012|18:50:36|106015|172.16.10.137|1568|188.8.131.52|80|Deny TCP (no connection) from 172.16.10.137/1568 to 184.108.40.206/80 flags RST on interface INSIDE
But at the same time there are other TCP connections being established successfully in your network:
Aug 15 2012|18:50:36|302013|220.127.116.11|443|172.16.10.152|3977|Built outbound TCP connection 139054 for OUTSIDE:18.104.22.168/443 (22.214.171.124/443) to INSIDE:172.16.10.152/3977 (172.16.10.152/3977)
So all you need to do is check the hosts that are generating such traffic and sort out the problem.
Please do rate if the given information helps.
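Both replies above come down to the same check: for each inside host, compare the %ASA-6-106015 "Deny TCP (no connection)" drops against the %ASA-6-302013 "Built ... TCP connection" messages the firewall logged for it. A host that accumulates no-connection denies but never gets a connection built is one whose SYNs are not passing through this ASA. The script below is an added example, not part of the thread or of any Cisco tool: it parses the two message types from the pipe-separated export format the poster used, tallies them per inside host, and lists the suspect hosts. The log lines in SAMPLE_LOG are constructed for the example (timestamps modelled on the thread, addresses replaced with documentation ranges), and the interface name INSIDE is assumed from the quoted messages.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the pipe-separated ASA log export quoted in
# the thread (timestamps copied, addresses replaced with documentation ranges).
SAMPLE_LOG = """\
6|Aug 15 2012|18:50:36|302013|203.0.113.10|443|172.16.10.152|3977|Built outbound TCP connection 139054 for OUTSIDE:203.0.113.10/443 (203.0.113.10/443) to INSIDE:172.16.10.152/3977 (172.16.10.152/3977)
6|Aug 15 2012|18:50:36|106015|172.16.10.137|1568|198.51.100.7|80|Deny TCP (no connection) from 172.16.10.137/1568 to 198.51.100.7/80 flags RST on interface INSIDE
6|Aug 15 2012|18:50:37|106015|172.16.11.75|2758|203.0.113.10|443|Deny TCP (no connection) from 172.16.11.75/2758 to 203.0.113.10/443 flags RST on interface INSIDE
6|Aug 15 2012|18:50:38|106015|172.16.11.75|2759|203.0.113.10|443|Deny TCP (no connection) from 172.16.11.75/2759 to 203.0.113.10/443 flags ACK on interface INSIDE
6|Aug 15 2012|18:50:39|302013|203.0.113.10|443|172.16.10.152|3978|Built outbound TCP connection 139055 for OUTSIDE:203.0.113.10/443 (203.0.113.10/443) to INSIDE:172.16.10.152/3978 (172.16.10.152/3978)
"""

# Message text of %ASA-6-106015: the packet had no entry in the connection table.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+)"
    r" flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)
# Message text of %ASA-6-302013: a SYN was seen and a connection entry was created.
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<if_a>\S+):(?P<ip_a>\S+)/(?P<port_a>\d+) \([^)]*\) to "
    r"(?P<if_b>\S+):(?P<ip_b>\S+)/(?P<port_b>\d+)"
)


def parse_event(line):
    """Return ('deny', fields) for 106015, ('built', fields) for 302013, else None.
    Matching on the message text keeps this independent of the export's column layout."""
    m = DENY_RE.search(line)
    if m:
        return "deny", m.groupdict()
    m = BUILT_RE.search(line)
    if m:
        return "built", m.groupdict()
    return None


def inside_host(kind, f, inside_iface="INSIDE"):
    """Pick the endpoint of the event that sits behind the inside interface."""
    if kind == "deny":
        return f["src"] if f["iface"] == inside_iface else f["dst"]
    if f["if_a"] == inside_iface:
        return f["ip_a"]
    if f["if_b"] == inside_iface:
        return f["ip_b"]
    return None


def audit(log_text, inside_iface="INSIDE"):
    """Per inside host: packets dropped for lacking a connection entry, the TCP
    flags those packets carried, and how many connections were actually built."""
    report = defaultdict(lambda: {"denied": 0, "flags": Counter(), "built": 0})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        kind, f = ev
        host = inside_host(kind, f, inside_iface)
        if host is None:
            continue
        if kind == "deny":
            report[host]["denied"] += 1
            report[host]["flags"][f["flags"].strip()] += 1
        else:
            report[host]["built"] += 1
    return dict(report)


def suspects(report):
    """Hosts with no-connection drops but not a single built connection: their
    three-way handshakes are not passing through this firewall (asymmetric
    routing), or the host is sending non-SYN packets without ever opening a session."""
    return sorted(h for h, r in report.items() if r["denied"] and not r["built"])


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for host, r in sorted(result.items()):
        print(f"{host:16} denied={r['denied']:3} built={r['built']:3} flags={dict(r['flags'])}")
    print("suspect hosts:", suspects(SAMPLE_LOG and result))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; a host that shows up in suspects() with RST or ACK flags and built=0 is the one whose SYN is taking a different path than its replies, which is the asymmetric-routing condition the first reply describes.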
I have the same problem with Lync 2013. I permit the Lync TCP and UDP ports, and when I try to do any desktop sharing the TCP packets are denied because of no connection. Please help, guys.
Lync is in a different VLAN from the users' VLAN.
Any advice will be appreciated.