Deny TCP (no connection)

ccsoofficelan
Level 1

Please find my ASA config.

hostname fw

!
interface Ethernet0/0
nameif NC_OUTSIDE
security-level 0
ip address 192.168.36.250 255.255.255.0
!
interface Ethernet0/1
nameif JA_OUTSIDE
security-level 0
ip address 192.168.127.250 255.255.240.0
!
interface Ethernet0/2
nameif NC_INSIDE
security-level 100
ip address 10.20.33.1 255.255.255.0
!
interface Ethernet0/3
nameif JA_INSIDE
security-level 100
ip address 10.20.34.1 255.255.255.0
!
access-list 101 extended permit ip any any
access-list 102 extended permit ip any any
access-group 101 in interface NC_OUTSIDE
access-group 102 in interface JA_OUTSIDE
access-group inside_acl in interface NC_INSIDE
access-group JAB_TCI_INSIDE_access_in in interface JA_INSIDE
route NC_INSIDE 192.168.26.0 255.255.255.240 10.20.33.2 1
route JA_INSIDE 192.168.26.16 255.255.255.240 10.20.34.2 1
==========================================================================================

Well, I am getting the following error:

6 Jan 20 2011 11:51:54 106015 192.168.26.18 60966 192.168.127.1 2404 Deny TCP (no connection) from 192.168.26.18/60966 to 192.168.127.1/2404 flags RST  on interface JA_INSIDE

192.168.26.18 is connected to the router on 10.20.33.2.

192.168.127.1 is an electrical RTU connected remotely to my outside interface of the firewall. Some IPs in the 192.168.127 range connect successfully; however, some do not. For the unsuccessful ones they get the deny TCP error. Please help.

----

3 Replies

andre.ortega
Spotlight

Did you make any NAT configuration? Or disable NAT-Control?

You can use the ASDM and simulate the traffic in Packet Tracer. This will show you where the traffic is being blocked.

No, I am not using NAT.

And secondly, the packet trace shows me that it's allowed. There is no blocking.

--

Hassan,

We cannot say much just with the 106015 Deny TCP no conn message. All that says is that the firewall did not have a conn in the table to allow that packet through (in your case it was a reset packet). Please look at the built and teardown messages for the same connection so you can get more information.

-KS
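The correlation KS describes, as an added worked example that is not part of the original thread: a small Python script that reads ASA syslog text and, for each 106015 "Deny TCP (no connection)" line, looks up the 302013 "Built" and 302014 "Teardown" messages for the same 5-tuple. The sample log lines are constructed for this example (the conn IDs, the second and third flows and their ports are made up); the message layouts follow ASA syslog IDs 302013, 302014 and 106015, and the verdict names (`after_teardown`, `no_conn_seen`, `conn_open`) are this example's own, not ASA terminology.

```python
"""Correlate ASA 106015 "Deny TCP (no connection)" lines with the 302013 (built)
and 302014 (teardown) messages for the same flow. Example code, not Cisco's."""
import re
from collections import Counter

# Constructed sample syslog for this example (not from the original thread).
# The syslog prefix is omitted; the parsers use search(), so real lines with a
# timestamp/hostname prefix work as well.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4711 for JA_INSIDE:192.168.26.18/60966 (192.168.26.18/60966) to JA_OUTSIDE:192.168.127.1/2404 (192.168.127.1/2404)
%ASA-6-302014: Teardown TCP connection 4711 for JA_INSIDE:192.168.26.18/60966 to JA_OUTSIDE:192.168.127.1/2404 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.26.18/60966 to 192.168.127.1/2404 flags RST  on interface JA_INSIDE
%ASA-6-106015: Deny TCP (no connection) from 192.168.26.31/40000 to 192.168.127.9/2404 flags ACK  on interface NC_INSIDE
%ASA-6-302013: Built inbound TCP connection 4712 for NC_INSIDE:192.168.26.5/50001 (192.168.26.5/50001) to JA_OUTSIDE:192.168.127.5/2404 (192.168.127.5/2404)
%ASA-6-106015: Deny TCP (no connection) from 192.168.26.5/50001 to 192.168.127.5/2404 flags PSH ACK  on interface JA_INSIDE
"""

ADDR = r"(?P<{p}ip>[\d.]+)/(?P<{p}port>\d+)"
BUILT = re.compile(
    r"302013: Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<sif>[^:\s]+):" + ADDR.format(p="s") + r" \([^)]*\) to "
    r"(?P<dif>[^:\s]+):" + ADDR.format(p="d"))
TEARDOWN = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) for [^:\s]+:" + ADDR.format(p="s") +
    r" to [^:\s]+:" + ADDR.format(p="d") + r" duration \S+ bytes \d+(?: (?P<reason>.+))?$")
DENY = re.compile(
    r"106015: Deny TCP \(no connection\) from " + ADDR.format(p="s") + r" to " +
    ADDR.format(p="d") + r" flags (?P<flags>[A-Z ]+?) +on interface (?P<ifc>\S+)")


def flow_key(m):
    """5-tuple (minus protocol, always TCP here) as it appears in the message."""
    return (m.group("sip"), m.group("sport"), m.group("dip"), m.group("dport"))


def classify_denies(log_text):
    """Return one record per 106015 line, explained from the conn history seen so far."""
    conns = {}    # forward flow key -> {"cid", "in_ifc", "out_ifc", "reason"}
    records = []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[flow_key(m)] = {"cid": m.group("cid"), "in_ifc": m.group("sif"),
                                  "out_ifc": m.group("dif"), "reason": None}
            continue
        m = TEARDOWN.search(line)
        if m:
            conn = conns.get(flow_key(m))
            if conn and conn["cid"] == m.group("cid"):
                # The trailing text (e.g. "TCP Reset-O", "TCP FINs", "SYN Timeout")
                # is the teardown reason; keep it, it says why the conn vanished.
                conn["reason"] = m.group("reason") or "unspecified"
            continue
        m = DENY.search(line)
        if not m:
            continue
        key = flow_key(m)
        rev = (key[2], key[3], key[0], key[1])  # the packet may be the return half
        conn, expected_ifc = conns.get(key), None
        if conn:
            expected_ifc = conn["in_ifc"]
        elif rev in conns:
            conn, expected_ifc = conns[rev], conns[rev]["out_ifc"]
        rec = {"flow": "%s/%s -> %s/%s" % key, "flags": m.group("flags"),
               "ifc": m.group("ifc"), "conn_id": None, "reason": None, "ifc_mismatch": False}
        if conn is None:
            rec["verdict"] = "no_conn_seen"        # never built on this ASA: routing?
        elif conn["reason"] is not None:
            rec["verdict"] = "after_teardown"      # stray packet after the conn closed
        else:
            rec["verdict"] = "conn_open"           # flow existed; compare interfaces
        if conn:
            rec["conn_id"], rec["reason"] = conn["cid"], conn["reason"]
            rec["ifc_mismatch"] = expected_ifc != m.group("ifc")
        records.append(rec)
    return records


def summarize(records):
    """Count denies per verdict, the first thing to look at on a busy log."""
    return dict(Counter(r["verdict"] for r in records))


if __name__ == "__main__":
    recs = classify_denies(SAMPLE_LOG)
    for r in recs:
        print(r["verdict"], r["flow"], "flags", r["flags"], "on", r["ifc"],
              "conn", r["conn_id"], "reason", r["reason"], "ifc_mismatch", r["ifc_mismatch"])
    print(summarize(recs))
```

Read the verdicts like this: `after_teardown` means the firewall already logged a teardown for that conn (here "TCP Reset-O", a reset from the outside host) before the denied packet arrived, so the 106015 is the late tail of a closed session and the teardown reason is the real clue; `no_conn_seen` means no built message exists for the flow in either direction, which is what asymmetric routing or a conn built on another device looks like; `conn_open` with `ifc_mismatch` set means the flow existed but the packet came in on a different interface than the one it was built on, worth checking against the `route` statements. This also explains why the Packet Tracer result in the thread says "allowed": `packet-tracer input JA_INSIDE tcp 192.168.26.18 60966 192.168.127.1 2404` evaluates a fresh packet through ACL, NAT and routing as if it were starting a new connection, so it cannot reproduce a stray RST for which no conn entry exists.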
