ASA Teardown TCP Connection for outside to DMZ

maamon.albattah
Level 1
Level 1

I have the problem that I cannot connect to my web server in the DMZ network.

Severity 6 | Apr 12 2019 16:58:49 | Syslog ID 302014 | Source 62.245.164.71 port 443 | Destination 172.16.0.2 port 57288 | Teardown TCP connection 1427 for outside:62.245.164.71/443 to DMZ:172.16.0.2/57288 duration 0:00:05 bytes 56148 TCP FINs

joseph.h.nguyen
Level 1
Level 1

Try to use packet-tracer to help diagnose your traffic flow.  To learn how, see https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p1.html.  You can use this technique either on the CLI or ASDM GUI.

While packet tracer is a very helpful tool I am not sure that it will be helpful for this issue. According to the original post the reason that the connection is torn down is

Teardown TCP connection 1427 for outside:62.245.164.71/443 to DMZ:172.16.0.2/57288 duration 0:00:05 bytes 56148 TCP FINs

We do not know enough about the environment here to know what came before this message, what kind of connection attempt it was, and what other responses might have been received. But at this point the remote device appears to be sending a TCP FIN which is their way to terminate this connection. You probably need more information about the remote device to understand why it chooses to terminate the connection.

HTH

Rick
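A small parser for this kind of 302014 teardown message, added here as an example; it is not code from the thread or from Cisco. It pulls out the fields Rick is reading (interfaces, addresses, ports, duration, byte count, reason) and uses the port numbers to show which endpoint opened the connection: in the quoted line the ephemeral port 57288 sits on the DMZ host and 443 on the outside address. The 32768 ephemeral-port boundary, the reason-string glosses and the second sample line are my assumptions and constructed data.

```python
import re
# ASA syslog 302014; the "%ASA-6-302014:" tag is optional because ASDM (as in the thread) strips it.
TEARDOWN_RE = re.compile(
    r"(?:%ASA-\d-302014:\s*)?Teardown TCP connection (?P<conn_id>\d+) "
    r"for (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
REASON_MEANING = {  # what the common ASA teardown reason strings mean to the log reader
    "TCP FINs": "graceful close by the endpoints; the firewall did not block anything",
    "TCP Reset-O": "RST came from the outside (lower-security) side",
    "SYN Timeout": "no SYN-ACK before timeout: destination down, or filtered downstream",
}
EPHEMERAL_START = 32768  # assumption: typical start of the dynamic/ephemeral port range

def parse_teardown(line):
    m = TEARDOWN_RE.search(line)  # returns None for any message that is not a 302014 teardown
    if not m:
        return None
    g = m.groupdict()
    a = (g["if_a"], g["ip_a"], int(g["port_a"]))
    b = (g["if_b"], g["ip_b"], int(g["port_b"]))
    # Endpoint on the high (ephemeral) port opened the connection; the low well-known port is the server.
    if a[2] >= EPHEMERAL_START > b[2]:
        initiator, server = a, b
    elif b[2] >= EPHEMERAL_START > a[2]:
        initiator, server = b, a
    else:
        initiator = server = None  # both low or both high: direction is ambiguous
    return {
        "conn_id": int(g["conn_id"]),
        "initiator": initiator,
        "server": server,
        "duration_s": int(g["h"]) * 3600 + int(g["m"]) * 60 + int(g["s"]),
        "bytes": int(g["bytes"]),
        "reason": g["reason"],
        "meaning": REASON_MEANING.get(g["reason"], "unknown reason"),
    }

# Constructed sample: the thread's message plus one invented line for contrast.
SAMPLE_LOG = [
    "%ASA-6-302014: Teardown TCP connection 1427 for outside:62.245.164.71/443 "
    "to DMZ:172.16.0.2/57288 duration 0:00:05 bytes 56148 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 1500 for outside:203.0.113.10/51234 "
    "to DMZ:172.16.0.2/443 duration 0:00:30 bytes 0 SYN Timeout",
]

if __name__ == "__main__":
    for p in filter(None, map(parse_teardown, SAMPLE_LOG)):
        print(p["initiator"], "->", p["server"], "|", p["reason"], "|", p["meaning"])
```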

Here are the configurations:

Result of the command: "show run access-list"

access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list DMZ_access_in_1 extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outdmz extended permit tcp any object Web eq https

 

Result of the command: "show run nat"

nat (inside,outside) source static any any destination static vpn-object vpn-object no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.19.0_25 NETWORK_OBJ_10.0.19.0_25 no-proxy-arp route-lookup
nat (inside,DMZ) source dynamic any interface
nat (DMZ,inside) source dynamic any interface
!
object network obj-inside
nat (any,outside) dynamic interface
object network obj-anyconn
nat (any,outside) dynamic interface
object network Web
nat (DMZ,outside) static interface net-to-net service tcp https https
object network dmz-net
nat (DMZ,outside) dynamic interface

 

The web server has IP address 172.16.0.2 and it is accessible from the internet, but when the app client tries to connect, these errors occur and the client cannot register.

Thanks a lot

If the web server is 172.16.0.2, then what is the other address found in the log message, 62.245.164.71?

HTH

Rick

It is a client trying to connect to the web server.

Packet Tracer is working without Problems!

Thanks a lot!