ASA 5550 discard issues

I was getting TCP discards to the outside interface. I think I fixed that by using the "static (inside,outside) tcp interface" command, as suggested by others.

Then I eventually get a TCP source denied to the outside interface from the upstream router. So I modify the access-list to allow the router to the outside interface [/30 between the hosts]. Then I get a "Deny IP due to land attack" - I know why.

Anyone have a workaround or suggestions? This is all to get BGP peering across the ASA (v8.0(4)).

Thanks,

Pete

1 ACCEPTED SOLUTION

Can you try this:

ip verify reverse-path interface outside

Let me know how it goes.

Here is the command reference for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1878364

Hope that helps,

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC


3 REPLIES


Ok. Thanks. I'll let you know tomorrow. Do you know if this is a code thing?

Here is an example from Cisco for peering between two routers. Seems easy enough, except I use /30 on either side of the ASA.

! permit the BGP session from the outside peer to the inside peer
access-list acl-1 permit tcp host 172.16.13.4 host 172.16.11.1 eq bgp
access-group acl-1 in interface outside
! identity NAT for inside hosts
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.11.1 172.16.11.1 netmask 255.255.255.255
! default route out, inside network via the inside peer
route outside 0.0.0.0 0.0.0.0 172.16.12.2 1
route inside 192.168.10.0 255.255.255.0 172.16.11.1 1

But now, to get rid of the TCP discards for BGP, I have to do this:

static (inside,outside) tcp interface bgp 172.16.11.1 bgp netmask 255.255.255.255
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
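To make the two checks discussed in this thread concrete, here is an added illustration (written for this page, not ASA code and not anything the posters ran): a simplified model of the land-attack check (source address equal to destination address) and of the unicast reverse-path check that `ip verify reverse-path interface outside` enables, which looks up the source address of a packet arriving on an interface and drops it if the routing table would reach that source through a different interface. The two static routes come from the configuration posted above; the connected /30 prefixes on each side of the ASA (172.16.12.0/30 outside, 172.16.11.0/30 inside) and the packet addresses are assumptions made for the example.

```python
"""Simplified model of two ASA per-packet checks: land attack and uRPF.

Added illustration for this page, not ASA code.  Routes marked 'thread'
are the ones posted in the thread; the connected /30s are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside"),          # thread: route outside
    Route(ipaddress.ip_network("192.168.10.0/24"), "inside"),     # thread: route inside
    Route(ipaddress.ip_network("172.16.12.0/30"), "outside"),     # assumed connected /30
    Route(ipaddress.ip_network("172.16.11.0/30"), "inside"),      # assumed connected /30
]


def egress_interface(addr: str, routes: List[Route] = ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the ASA would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None


def check_packet(src: str, dst: str, ingress: str,
                 rpf_interfaces: FrozenSet[str] = frozenset(),
                 routes: List[Route] = ROUTES) -> str:
    """Return 'permit' or a 'deny: ...' string naming the check that fired.

    The land-attack check applies on every interface; the reverse-path check
    only on interfaces listed in rpf_interfaces (i.e. where
    'ip verify reverse-path interface <name>' is configured).
    """
    if src == dst:
        return "deny: land attack"
    if ingress in rpf_interfaces:
        expected = egress_interface(src, routes)
        if expected != ingress:
            return f"deny: reverse path check (source routed via {expected})"
    return "permit"


if __name__ == "__main__":
    # Constructed packets arriving on the outside interface with uRPF enabled there.
    rpf = frozenset({"outside"})
    samples = [
        ("172.16.13.4", "172.16.11.1", "outside"),   # legitimate BGP peer from upstream
        ("172.16.11.1", "172.16.11.1", "outside"),   # src == dst: land attack
        ("172.16.11.1", "172.16.12.1", "outside"),   # inside address seen on outside: spoofed
    ]
    for src, dst, iface in samples:
        print(f"{src} -> {dst} on {iface}: {check_packet(src, dst, iface, rpf)}")
```

The third sample is the case the reverse-path check exists for: a packet claiming an inside source address but arriving on the outside interface is dropped before any access-list or translation is consulted. Without `rpf_interfaces` containing "outside", the same packet is permitted by this model, which is why the check is configured per interface.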


That did it. Thanks!
