06-25-2012 02:05 AM - edited 03-11-2019 04:22 PM
Hi all, I need some help
I have 2 Cisco routers that reside on the same interface of a Cisco ASA. For security reasons, on both of the routers I have configured the default gateway to be the ASA interface, and then static routes to each of them on the ASA. I get the following error when a station coming from the first router tries to connect to another station behind the second router (again, on the same interface, maybe this is the issue?).
ASA-3-106001: Inbound TCP connection denied from flags SYN
There is an access list allowing traffic between them, but the hit count is 0.
Please help, it's kinda urgent
Regards
06-25-2012 02:10 AM
Can you share a brief topology and your configuration from the ASA?
Here's the meaning of the log:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4768860
Thanks,
Varun Rao
Security Team,
Cisco TAC
06-25-2012 02:14 AM
Yes, I already read that, but it is not clear to me. Well, like I said, 2 Cisco routers on the same ASA interface; both routers' default gateway is the ASA interface (the same one). I have static routes to both of them on the ASA so it knows where each network resides. What part of the ASA configuration do you need?
Could the problem be that the incoming packet the ASA receives needs to be sent out the same interface it was received on? I have never seen this kind of log before...
Thanks in advance
06-25-2012 02:37 AM
You might just need to configure U-turning on the ASA, since both routers are on the same interface. Can you try the following:
nat (inside) 10 0.0.0.0 0.0.0.0
global (inside) 10 interface
same-security-traffic permit intra-interface
sysopt noproxyarp inside
If it still does not work, I would need the running-config from the ASA. The above configuration assumes that both routers are behind the inside interface; if it is some other interface, kindly change the interface name in the nat & sysopt commands.
Thanks,
Varun Rao
Security Team,
Cisco TAC
06-25-2012 02:52 AM
The ASA is not the right device for hairpinning as you need to make sure that the ASA sees both ways of the connection.
There are two better ways to solve that problem:
1) Route directly from router1 to router2 and back for the traffic that needs to go to the other router. The ASA is not touched at all. If you want to firewall that traffic you could go for stateful inspection on the router.
2) The traffic has to go through the firewall. Then both routers should reside on different firewall-interfaces. You could implement that with VLANs and subinterfaces on the ASA so that there is no recabling needed.
There is a third way to achieve that, but I wouldn't recommend that:
3) Disable stateful inspection for that traffic on the ASA with the help of MPF.
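As an added illustration of option 2 above (configuration written for this thread, not posted by any participant and not taken from Cisco documentation), this is how the two routers could be placed on separate VLAN subinterfaces of a single ASA physical port, in the pre-8.3 syntax the thread uses. A packet from a host behind router1 then enters one ASA interface and leaves through another, so it is ordinary inter-interface traffic that the firewall sees in both directions, and the per-interface ACL hit counts become meaningful. The physical port, VLAN IDs, interface names and all addresses are assumed values chosen for the example.

```cisco
! Added example (not from the thread): one ASA subinterface per router.
! Assumed: port GigabitEthernet0/1, VLANs 10 and 20, RFC 1918 addresses.
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside-r1
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside-r2
 security-level 100
 ip address 10.1.20.1 255.255.255.0
!
! Assumed: router1 (10.1.10.2) fronts 10.1.100.0/24, router2 (10.1.20.2) fronts 10.1.200.0/24.
! Each router keeps its default gateway on its own ASA subinterface.
route inside-r1 10.1.100.0 255.255.255.0 10.1.10.2 1
route inside-r2 10.1.200.0 255.255.255.0 10.1.20.2 1
!
! Both subinterfaces are security-level 100, so traffic between them must be
! permitted explicitly. This is inter-interface, not the intra-interface hairpin.
same-security-traffic permit inter-interface
!
! Permit only the required flow (here HTTPS, assumed) inbound on each interface;
! the explicit logged deny makes drops visible in syslog while troubleshooting.
access-list inside-r1_in extended permit tcp 10.1.100.0 255.255.255.0 10.1.200.0 255.255.255.0 eq 443
access-list inside-r1_in extended deny ip any any log
access-group inside-r1_in in interface inside-r1
!
access-list inside-r2_in extended permit tcp 10.1.200.0 255.255.255.0 10.1.100.0 255.255.255.0 eq 443
access-list inside-r2_in extended deny ip any any log
access-group inside-r2_in in interface inside-r2
```

After applying it, `show access-list inside-r1_in` should show the permit line's hit count increasing when a station behind router1 connects, and `show conn` should list the connection with both the inside-r1 and inside-r2 sides, which is exactly what the single-interface design could not give the firewall.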