12-11-2007 08:25 AM - edited 03-11-2019 04:42 AM
I have an ASA 5500 and it is the gateway of my LAN.
The ASA routes the packets destined to 2 remote nets toward a Cisco router, through a table of static routes.
The problem is that it only passes the ping toward the remote LAN, while all the other protocols and sessions are blocked!!!!
Only ICMP packets are forwarded.
I have captured this message in the ASA log:
"106015 192.168.10.14 192.168.13.13 Deny TCP (no connection) from 192.168.10.14/21438 to 192.168.13.13/1720 flags RST on interface LAN."
Best Regards
12-11-2007 10:14 AM
Can you post a diagram with IPs?
12-12-2007 12:47 AM
12-12-2007 12:59 AM
Michael
IP addresses in the diagram and in your post do not match. Can you correct them, please?
Also please run
sh run access-group
access-group xxxx in interface inside
If you see a line like above, (xxxx is your acl name) please send the output of
sh run access-list xxxx
12-12-2007 12:49 AM
If this were a routing issue, you would have the following log in syslog:
No route to host 192.168.13.13
This looks like an ACL issue. Is 192.168.10.14 in your inside network (inside interface)? And where is 192.168.13.13 located? DMZ interface?
12-12-2007 01:37 AM
sorry
but this is the correct message:
106015 172.31.0.14 172.29.0.14 Deny TCP (no connection) from 172.31.0.14/21438 to 172.29.0.14/1720 flags RST on interface LAN.
My first message was related to another ASA log message, where I have the same problem.
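An added example, not part of the thread: a small parser for the 106015 "Deny TCP (no connection)" lines quoted above, run over the two messages from this thread plus one constructed unrelated line, grouping the denies per flow so that the pattern (only RST segments, no connection ever built by the ASA) is visible at a glance. The sample list and the helper names are mine, not Cisco's.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Body of ASA message 106015 as shown in this thread ("106015 src dst Deny ..."); the
# "%ASA-6-106015:" prefix of a raw syslog feed is accepted as well.
MSG_106015 = re.compile(
    r"(?:%ASA-\d-)?106015\b.*?Deny (?P<proto>TCP|UDP) \(no connection\) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)

@dataclass(frozen=True)
class NoConnDeny:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: tuple   # TCP flags the ASA reported, e.g. ("RST",) or ("FIN", "ACK")
    iface: str

def parse_106015(line):
    """Parse one 106015 line; return None for any other syslog line."""
    m = MSG_106015.search(line)
    if m is None:
        return None
    return NoConnDeny(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                      tuple(m["flags"].split()), m["iface"])

def summarize(lines):
    """Count 106015 denies per (interface, src, dst, dport) and record the flag sets seen.
    A 106015 deny means the ASA received a TCP segment for which it holds no connection entry."""
    counts, flags_seen = Counter(), {}
    for line in lines:
        ev = parse_106015(line)
        if ev is None:
            continue
        key = (ev.iface, ev.src, ev.dst, ev.dport)
        counts[key] += 1
        flags_seen.setdefault(key, set()).add(ev.flags)
    return counts, flags_seen

# Sample input: the two log lines quoted in this thread plus one constructed, unrelated line.
SAMPLE_LOG = [
    "106015 172.31.0.14 172.29.0.14 Deny TCP (no connection) from 172.31.0.14/21438 to 172.29.0.14/1720 flags RST on interface LAN.",
    "106015 192.168.10.14 192.168.13.13 Deny TCP (no connection) from 192.168.10.14/21438 to 192.168.13.13/1720 flags RST on interface LAN.",
    "%ASA-6-302013: Built outbound TCP connection 4711 for LAN:172.31.0.14/21438 (172.31.0.14/21438) to DMZ:10.0.0.5/80 (10.0.0.5/80)",
]
```

Calling `summarize(SAMPLE_LOG)` yields one entry per flow, each with the flag set {("RST",)} and no SYN ever recorded for it.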
12-12-2007 01:47 AM
Thanks
So can you please post the output of the following commands
sh run access-group
access-group xxxx in interface LAN
(xxxx is the name of your ACL)
sh run access-list xxxx
12-12-2007 02:17 AM
Sent the attachment.
12-12-2007 02:30 AM
Thanks. Please post the output of the following also
packet-tracer input tcp LAN 172.31.0.14 21438 172.29.0.14 1720 detailed
12-12-2007 02:52 AM
12-12-2007 03:15 AM
According to the packet trace, the ASA allows the flow; nothing is wrong with the ASA. And as I see an RST statement in the syslog, I suspect the remote client. Maybe restarting the client may work. Do you encounter the same issue when you try to reach another client in that subnet too?
12-12-2007 03:25 AM
I've got the same issue reaching all clients on all remote networks, including the LAN IP addresses of the routers.
The ASA version is 8.0(2).
If I do a traceroute from ASDM Tools from the LAN to 172.29.0.0 or 172.30.0.0, it functions only if I check the "use ICMP" button.
Also I have the same problem at another client with the same ASA (version 8.0(3)).
12-12-2007 05:06 AM
What happens when you temporarily add
access-list LAN_access_in permit ip any any
12-12-2007 05:55 AM
The same thing.
12-14-2007 03:26 AM
Michel, can you please post the following commands' output also?
traceroute 172.29.0.14 use-icmp
and
traceroute 172.29.0.14