Hi all, I need some help
I have 2 Cisco routers that reside on the same interface on a Cisco ASA. For security reasons, on both of the routers I have configured the default gateway to be the ASA interface, then static routes between them on the ASA. I get the following error when a station coming from the first router tries to connect to another station behind the second router (again, on the same interface, maybe this is the issue?).
ASA-3-106001: Inbound TCP connection denied from flags SYN
There is an access list allowing traffic between them, but the hit count is 0.
Please help, it's kinda urgent
Can you share a brief topology and your configuration from the ASA?
Here's the meaning of the log:
Yes, I already read that, but it is not clear to me. Well, like I said, 2 Cisco routers on the same ASA interface, both routers' default gateway is the ASA interface (the same). I have static routes to both of them on the ASA so it knows where they reside. What part of the ASA configuration do you need?
Can the problem be that the incoming packet that the ASA receives needs to be sent out on the same interface it was received on, maybe? This kind of log I have never seen before...
Thanks in advance
You might just need to configure U-turning on the ASA, since both the routers are on the same interface. Can you try the following:
nat (inside) 10 0.0.0.0 0.0.0.0
global (inside) 10 interface
same-security-traffic permit intra-interface
sysopt noproxyarp inside
If it still does not work, I would need the running-config from the ASA. The above configuration is written with both routers behind the inside interface in mind; if it is some other interface, kindly change the interface name in the nat & sysopt commands.
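Before turning on intra-interface traffic it helps to confirm that the 106001 denials really are hairpin flows (source and destination both behind the same ASA interface). The script below is an added example, not part of this thread or Cisco's own tooling: it parses the full form of the 106001 message as documented in the ASA syslog reference ("... from IP/port to IP/port flags FLAGS on interface NAME"), looks up which ASA interface the destination lives behind using an interface-to-subnet map, and counts how many denials are hairpins. The subnet map and the sample log lines are constructed for the example; substitute your own.

```python
import ipaddress
import re
from collections import Counter

# Syslog format of message 106001 (ASA syslog reference):
# %ASA-3-106001: Inbound TCP connection denied from IP/port to IP/port
#                flags TCP_FLAGS on interface IFNAME
PATTERN = re.compile(
    r"%ASA-3-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)

# Constructed mapping of subnets to the ASA interface they sit behind.
# The two 192.168.x.0/24 networks stand in for the LANs behind router1
# and router2 from the thread, both reached via the "inside" interface.
INTERFACE_SUBNETS = {
    "inside": [ipaddress.ip_network("192.168.10.0/24"),
               ipaddress.ip_network("192.168.20.0/24")],
    "dmz": [ipaddress.ip_network("172.16.5.0/24")],
}


def interface_for(ip):
    """Return the ASA interface a destination address is reached through."""
    addr = ipaddress.ip_address(ip)
    for name, nets in INTERFACE_SUBNETS.items():
        if any(addr in net for net in nets):
            return name
    return "outside"  # anything not behind a known internal subnet


def parse_106001(line):
    """Parse one 106001 line; return a dict, or None for other messages."""
    match = PATTERN.search(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["egress"] = interface_for(rec["dst"])
    # A hairpin flow enters and would leave on the same interface; the ASA
    # drops these unless same-security-traffic permit intra-interface is set.
    rec["hairpin"] = rec["egress"] == rec["iface"]
    return rec


def summarize(lines):
    """Count 106001 denials overall, per ingress interface, and hairpins."""
    records = [r for r in map(parse_106001, lines) if r is not None]
    return {
        "total": len(records),
        "hairpin": sum(1 for r in records if r["hairpin"]),
        "by_interface": dict(Counter(r["iface"] for r in records)),
        "records": records,
    }


# Constructed sample syslog lines (not real captures).
SAMPLE_LOGS = [
    "%ASA-3-106001: Inbound TCP connection denied from 192.168.10.25/51234 "
    "to 192.168.20.40/445 flags SYN on interface inside",
    "%ASA-3-106001: Inbound TCP connection denied from 203.0.113.7/40021 "
    "to 172.16.5.10/22 flags SYN on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.7/40022 "
    "(203.0.113.7/40022) to dmz:172.16.5.10/443 (172.16.5.10/443)",
    "%ASA-3-106001: Inbound TCP connection denied from 192.168.20.9/60000 "
    "to 192.168.10.3/3389 flags SYN on interface inside",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    print(f"denials: {summary['total']}, hairpin: {summary['hairpin']}, "
          f"per interface: {summary['by_interface']}")
    for rec in summary["records"]:
        tag = "HAIRPIN" if rec["hairpin"] else "cross-interface"
        print(f"  {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"in={rec['iface']} out={rec['egress']} [{tag}]")
```

If every denial on "inside" comes out as a hairpin, the intra-interface setting (or routing the two routers directly to each other, as suggested later in the thread) is the relevant fix; denials whose egress interface differs point at an ACL or NAT problem instead.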
The ASA is not the right device for hairpinning, as you need to make sure that the ASA sees both directions of the connection.
There are two better ways to solve that problem:
1) Route directly from router1 to router2 and back for the traffic that needs to go to the other router. The ASA is not touched at all. If you want to firewall that traffic you could go for stateful inspection on the router.
2) The traffic has to go through the firewall. Then both routers should reside on different firewall-interfaces. You could implement that with VLANs and subinterfaces on the ASA so that there is no recabling needed.
There is a third way to achieve that, but I wouldn't recommend that:
3) Disable stateful inspection for that traffic on the ASA with the help of MPF.