ASA-3-106001: Inbound TCP connection denied from flags SYN

nikolag21
Level 1

Hi all, I need some help

I have 2 Cisco routers that reside on the same interface of a Cisco ASA. For security reasons, on both routers I have configured the default gateway to be the ASA interface, and then static routes to them on the ASA. I get the following error when a station coming from the first router tries to connect to another station behind the second router (again, on the same interface; maybe this is the issue?).

ASA-3-106001: Inbound TCP connection denied from flags SYN

There is an access list allowing traffic between them, but the hit count is 0.

Please help, it's kinda urgent

Regards

4 Replies

varrao
Level 10

Can you share a brief topology and your configuration from the ASA?

Here's the meaning of the log:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4768860

Thanks,
Varun Rao
Security Team,
Cisco TAC

nikolag21
Level 1

Yes, I already read that, but it is not clear to me. Well, like I said, 2 Cisco routers on the same ASA interface, both routers' default gateway is the ASA interface (the same one). I have static routes to both of them on the ASA so it knows where each resides. What part of the ASA configuration do you need?

Can the problem be that the incoming packet the ASA receives needs to be sent out the same interface it was received on? I have never seen this kind of log before...

Thanks in advance

You might just need to configure U-turning on the ASA, since both routers are on the same interface. Can you try the following:

nat (inside) 10 0.0.0.0 0.0.0.0
global (inside) 10 interface
same-security-traffic permit intra-interface
sysopt noproxyarp inside

If it still does not work, I would need the running-config from the ASA. The above configuration assumes that both routers are behind the inside interface; if it is some other interface, kindly change the interface name in the nat & sysopt commands.

Thanks,
Varun Rao
Security Team,
Cisco TAC
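An added triage example (Python; not code from the thread, from Cisco, or from the ASA itself): given syslog lines in the ASA-3-106001 format documented at the link above, it parses the denied SYNs and flags the ones whose source and destination both sit behind the interface the SYN arrived on, which is exactly the same-interface (U-turn) situation this reply is about. The sample log lines, the 10.0.1.0/24 and 10.0.2.0/24 subnets, and the interface-to-subnet map are constructed assumptions standing in for the poster's real topology.

```python
import re
import ipaddress
from collections import Counter

# Message format assumed from the Cisco ASA syslog documentation linked in the thread:
# %ASA-3-106001: Inbound TCP connection denied from SRC/SPORT to DST/DPORT flags FLAGS on interface IFACE
LOG_RE = re.compile(
    r"%ASA-3-106001: Inbound TCP connection denied from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample lines, not taken from the thread. 10.0.1.0/24 and 10.0.2.0/24 stand in
# for the two router-side subnets; both are assumed to be reached through the "inside" interface.
SAMPLE_LOGS = [
    "Jan 10 10:01:02 asa1 %ASA-3-106001: Inbound TCP connection denied from 10.0.1.20/51234 "
    "to 10.0.2.30/22 flags SYN on interface inside",
    "Jan 10 10:01:03 asa1 %ASA-3-106001: Inbound TCP connection denied from 198.51.100.9/40001 "
    "to 10.0.1.20/3389 flags SYN on interface outside",
    "Jan 10 10:01:05 asa1 %ASA-3-106001: Inbound TCP connection denied from 10.0.1.21/51235 "
    "to 10.0.2.30/22 flags SYN on interface inside",
    "Jan 10 10:01:06 asa1 %ASA-6-302013: Built outbound TCP connection 4711 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.1.20/52000 (192.0.2.1/52000)",
]

# Assumed mapping of ASA interface name -> subnets routed behind it (what the static routes say).
IFACE_SUBNETS = {
    "inside": [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24")],
    "outside": [ipaddress.ip_network("198.51.100.0/24")],
}


def parse_106001(line):
    """Parse one syslog line; return a dict of fields, or None if it is not a 106001 message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    fields["flags"] = fields["flags"].split()
    return fields


def _behind(iface, addr, iface_subnets):
    """True if addr falls in a subnet routed behind the named ASA interface."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in iface_subnets.get(iface, []))


def hairpin_candidates(lines, iface_subnets):
    """Return the parsed denies whose source and destination both live behind the interface the
    SYN arrived on, i.e. the traffic would have to leave through the same interface (the U-turn case)."""
    out = []
    for line in lines:
        f = parse_106001(line)
        if f is None:
            continue
        if _behind(f["iface"], f["src"], iface_subnets) and _behind(f["iface"], f["dst"], iface_subnets):
            out.append(f)
    return out


def summarize(lines):
    """Count denied SYNs per (ingress interface, destination, destination port) for quick triage."""
    counts = Counter()
    for line in lines:
        f = parse_106001(line)
        if f is not None and "SYN" in f["flags"]:
            counts[(f["iface"], f["dst"], f["dport"])] += 1
    return counts


if __name__ == "__main__":
    for f in hairpin_candidates(SAMPLE_LOGS, IFACE_SUBNETS):
        print(f"same-interface deny on {f['iface']}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}")
    for (iface, dst, dport), n in summarize(SAMPLE_LOGS).most_common():
        print(f"{n:4d}  {iface:<8} {dst}:{dport}")
```

Run it against a syslog export from the ASA with IFACE_SUBNETS filled in from the real static routes; every entry that comes back from hairpin_candidates is a flow that needs either the intra-interface permit shown above or one of the re-routing options discussed further down in the thread.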

The ASA is not the right device for hairpinning as you need to make sure that the ASA sees both ways of the connection.

There are two better ways to solve that problem:

1) Route directly from router1 to router2 and back for the traffic that needs to go to the other router. The ASA is not touched at all. If you want to firewall that traffic you could go for stateful inspection on the router.

2) The traffic has to go through the firewall. Then both routers should reside on different firewall-interfaces. You could implement that with VLANs and subinterfaces on the ASA so that there is no recabling needed.

There is a third way to achieve that, but I wouldn't recommend that:

3) Disable stateful inspection for that traffic on the ASA with the help of MPF.
