Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
775
Views
5
Helpful
2
Replies

ASA 5580 mysql port access problem

Go to solution
gasparmenendez
Level 3
Level 3

‎10-23-2017 03:27 PM - edited ‎02-21-2020 06:33 AM

hi friends, my ASA 5580 has an interface called FTTH with 192.168.51.254 ip add. and that interf. is connected to a Switch through vlan51 with 192.168.51.253 ip addr. I already added to ASA the following route:
route FTTH 192.168.60.200 255.255.255.255 192.168.51.253 1
so I can ping from 192.168.60.200 to any PC in vlan51 (i.e: 192.168.51.200) and viceversa, so far so good... but the problem is that I can't access to any other service like FTP, SSH or mysql (mainly this) in vlan 51 from 192.168.60.200...so, do I need to create some rule for this??? can anybody help me please??? Thanks in advance.

 

Here's an update:

when I try to access from 192.168.60.200 to 192.168.51.200 using FTP and chekc the Real-Time Log Viewer in ASDM I get:

6    Oct 24 2017    11:20:13    106015    192.168.51.200    445    192.168.60.200    52667    Deny TCP (no connection) from 192.168.51.200/445 to 192.168.60.200/52667 flags SYN ACK  on interface FTTH
The ASA discarded a TCP packet that has no associated connection in the ASA connection table. The ASA looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is no existing connection, the ASA discards the packet.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Flavio Miranda
VIP
VIP

‎10-24-2017 11:19 AM

Hi @gasparmenendez

 

  Where does 192.168.60.200 comes from ? Another ASA interface?

In terms of routing, direct connected interface should not require routing, ASA should have those interface on the routing table already. 

  ACL may be necessary, depending on the topology.  

Make sure those services are running on the target servers.

 

-If I helped you somehow, please, rate it as useful.-

 

View solution in original post

2 Replies 2

Go to solution
Flavio Miranda
VIP
VIP

‎10-24-2017 11:19 AM

Hi @gasparmenendez

 

  Where does 192.168.60.200 comes from ? Another ASA interface?

In terms of routing, direct connected interface should not require routing, ASA should have those interface on the routing table already. 

  ACL may be necessary, depending on the topology.  

Make sure those services are running on the target servers.

 

-If I helped you somehow, please, rate it as useful.-

 

Go to solution
gasparmenendez
Level 3
Level 3
In response to Flavio Miranda

‎10-24-2017 11:36 AM

hi @Flavio Miranda,

192.168.60.200 comes from another ASA in fact, that's why I had to add the route...but like I said ping is ok, but just ping. I already checked and those services are running on the target servers. Any more ideas????

Thanks!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card