04-23-2012 09:35 AM - edited 03-11-2019 03:57 PM
I was getting tcp discards to outside interface. I think I fixed that by using the "static (inside, outside) tcp interface" as suggested by others.
Then I eventually get a tcp source denied to the outside interface from the upstream router. So I modify the access-list to allow the router to the outside interface [ /30 between the hosts]. Then I get a "Deny IP due to land attack" - I know why.
Anyone have a work around or suggestions? This is all to get BGP peering across the ASA (v 8.0(4))
Thanks,
Pete
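The two messages Pete is chasing (the ACL deny from the upstream router and the land-attack deny) are easiest to triage from the ASA syslog. The following added example is not from the thread or from Cisco; it is a small parser for the standard ASA message shapes (message IDs 106023 for an access-group deny and 106017 for a land attack, assumed from the ASA syslog reference) run over constructed sample lines, so a defender can pull out src/dst, spot which denies involve the BGP port, and confirm the src == dst signature that triggers the land-attack check. Interface names and addresses in the sample lines are constructed and only loosely follow the thread's /30 layout.

```python
import re

# Constructed sample syslog lines (not from the thread). 172.16.12.2 is the
# upstream next hop from the thread's example; 172.16.12.1 is an assumed
# ASA outside interface address.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src outside:172.16.12.2/40000 dst outside:172.16.12.1/179 '
    'by access-group "acl-1" [0x0, 0x0]',
    '%ASA-2-106017: Deny IP due to Land Attack from 172.16.12.1 to 172.16.12.1',
    '%ASA-4-106023: Deny tcp src outside:172.16.13.4/52000 dst inside:172.16.11.1/179 '
    'by access-group "acl-1" [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 7 for outside:172.16.12.2/40001 '
    '(172.16.12.2/40001) to inside:172.16.11.1/179 (172.16.11.1/179)',
]

BGP_PORT = 179

# Access-group deny: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>""
DENY_ACL = re.compile(
    r'%ASA-\d-(?P<msg_id>106023): Deny (?P<proto>\w+) src '
    r'(?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) dst '
    r'(?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)
# Land attack: "Deny IP due to Land Attack from <ip> to <ip>"
LAND = re.compile(
    r'%ASA-\d-(?P<msg_id>106017): Deny IP due to Land Attack '
    r'from (?P<src_ip>\S+) to (?P<dst_ip>\S+)'
)


def parse_asa_deny(line):
    """Return a dict for a 106023 or 106017 deny line, or None for anything else."""
    m = DENY_ACL.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "acl_deny"
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        return rec
    m = LAND.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "land_attack"
        rec["src_port"] = rec["dst_port"] = None
        return rec
    return None


def is_land(rec):
    """The land-attack condition is source address equal to destination address."""
    return rec["src_ip"] == rec["dst_ip"]


def is_bgp(rec):
    """True when either side of the denied flow is the BGP port (tcp/179)."""
    return BGP_PORT in (rec["src_port"], rec["dst_port"])


def summarize(lines):
    """Count deny kinds and how many of them touch BGP; ignores non-deny lines."""
    counts = {"acl_deny": 0, "land_attack": 0, "bgp": 0}
    for line in lines:
        rec = parse_asa_deny(line)
        if rec is None:
            continue
        counts[rec["kind"]] += 1
        if is_bgp(rec):
            counts["bgp"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_asa_deny(line)
        if rec:
            print(rec["kind"], rec["src_ip"], "->", rec["dst_ip"],
                  "bgp" if is_bgp(rec) else "", "land" if is_land(rec) else "")
    print(summarize(SAMPLE_LOGS))
```

Running it over the constructed lines reports two access-group denies on tcp/179 (the "tcp source denied" symptom) and one land-attack deny whose source and destination are the same address, which is exactly the condition the ASA's land-attack check fires on.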
04-23-2012 02:10 PM
Can you try this:
ip verify reverse-path interface outside
Let me know how it goes,
Here is the command ref for it:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1878364
Hope that helps,
Thanks,
Varun
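To show what `ip verify reverse-path interface outside` actually evaluates, here is an added example (not from the thread, not Cisco code) that models unicast RPF in Python: for each packet it looks up the longest-matching route for the source address and passes the packet only if that route exits the interface the packet arrived on. The routing table uses the two `route` statements from the Cisco example later in this thread plus two constructed connected /30 subnets for the links Pete describes; the addresses 172.16.12.0/30 and 172.16.11.0/30 are assumptions. The default route is treated like any other route, so unknown sources arriving on outside pass, which is the behaviour one wants when the only default points out that interface.

```python
import ipaddress

# (interface, prefix, next hop). The first two routes are the thread's
# "route outside ..." and "route inside ..." lines; the two connected
# /30 subnets are constructed assumptions about the link addressing.
ROUTES = [
    ("outside", "0.0.0.0/0", "172.16.12.2"),
    ("inside", "192.168.10.0/24", "172.16.11.1"),
    ("outside", "172.16.12.0/30", None),   # assumed connected outside /30
    ("inside", "172.16.11.0/30", None),    # assumed connected inside /30
]


def lookup(routes, ip):
    """Longest-prefix match for ip; returns (interface, network) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for iface, prefix, _next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best


def rpf_check(routes, ingress_if, src_ip):
    """Unicast RPF: True when the reverse path to src_ip exits ingress_if."""
    best = lookup(routes, src_ip)
    return best is not None and best[0] == ingress_if


def evaluate(routes, packets):
    """Apply the RPF check to (ingress_if, src_ip) pairs; returns verdicts."""
    return [
        (iface, src, "pass" if rpf_check(routes, iface, src) else "drop")
        for iface, src in packets
    ]


# Constructed packets: the upstream peer, a spoofed inside address arriving
# on outside, the inside router's own address arriving on outside, and an
# arbitrary Internet source matched only by the default route.
SAMPLE_PACKETS = [
    ("outside", "172.16.12.2"),
    ("outside", "192.168.10.5"),
    ("outside", "172.16.11.1"),
    ("outside", "203.0.113.9"),
    ("inside", "192.168.10.5"),
]

if __name__ == "__main__":
    for iface, src, verdict in evaluate(ROUTES, SAMPLE_PACKETS):
        print(f"{iface:8} src={src:16} {verdict}")
```

The two drops are the interesting ones: a packet on outside claiming an inside source (192.168.10.5 or the inside router's 172.16.11.1) fails because the route back to that source points out inside. The real ASA implementation has more cases than this model (it is a simplification for illustration), but the longest-match-then-compare-interface logic is the core of what the command enables.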
04-23-2012 07:51 PM
Ok. Thanks. I'll let you know tomorrow. Do you know if this is a code thing?
Here is an example from cisco for peering between two routers. Seems easy enough, except I use /30 on either side of the ASA.
access-list acl-1 permit tcp host 172.16.13.4 host 172.16.11.1 eq bgp
access-group acl-1 in interface outside
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.11.1 172.16.11.1 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.16.12.2 1
route inside 192.168.10.0 255.255.255.0 172.16.11.1 1
BUT now to get rid of the tcp discards for bgp I have to do this:
static (inside,outside) tcp interface bgp 172.16.11.1 bgp netmask 255.255.255.255
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
04-24-2012 08:19 PM
That did it. Thanks!