05-13-2013 05:50 AM - edited 03-11-2019 06:42 PM
Hi people, here again,
I am having a problem with traffic from the inside network to the outside network. Traffic is being dropped and I don't know why or how to fix it. My setup is as follows:
In the outside network there is a router directly connected to the ASA (through the outside network 10.15.1.x); this router creates a different network, 172.16.35.x.
I need to access the network 172.16.35.x from the internal network. I can't; packets are dropped with the message:
%ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
I created an access rule to permit IP traffic from inside to network 172.16.35.x, which is connected to the outside interface through the router.
Still not working...
Thanks in advance,
Juan
05-13-2013 05:56 AM
Hello Juan,
Try the packet-tracer feature to find out where the problem is.
https://supportforums.cisco.com/docs/DOC-5796
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
http://www.techrepublic.com/blog/networking/cisco-asa-packet-trace-your-firewall-debug-friend/1482
Best Regards
Please rate all helpful posts and close solved questions
05-13-2013 06:00 AM
Hi,
Would need to see the configurations.
Based on the error message it would seem to me that this is not a problem with an ACL or NAT.
- Jouni
05-13-2013 06:03 AM
Hi Blau grana and Jouni,
You're right. Too much time configuring and unconfiguring the box; I missed adding the route in the ASA. It is working fine now.
Thanks for your time,
Juan
09-09-2016 06:58 AM
I had similar issue, and I fixed it by looking at my security levels.
05-03-2017 05:32 PM
Hi there,
I have the same issue as Juan described. I can access any website except anything related to Google (Gmail, Google search, YouTube).
Deny inbound UDP from internal IP/port to 172.217.9.142/443 flags SYN on interface Inside
any ideas what could cause it?
thanks
Lee
05-03-2017 05:36 PM
Can you run packet-tracer for one of the addresses you are having issues accessing? It should tell you where the packet is getting dropped and why.
05-03-2017 05:57 PM
05-03-2017 06:02 PM
The packet-tracer result that you sent me shows the packet being dropped due to a configured ACL.
02-12-2018 08:04 AM
I'm having the same issue as well, trying to go from an XXXdmz host to a YYYYDMZ web server (HTTPS).
2 | 10:18:00 | 106001 | 10.60.65.1 | 25812 | 10.11.167.110 | 443 | Inbound TCP connection denied from 10.60.65.1/25812 to 10.11.167.110/443 flags SYN on interface XXXdmz |
XXXdmz is security level 30, as is the YYYYdmz I'm trying to go to. Routes are dynamically learned.
packet-tracer input ccidmz tcp 10.60.65.1 25812 10.11.167.110 443
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: RECURSIVE-ROUTE-LOOKUP
Subtype: Recursive Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.11.167.0 255.255.255.0 via 172.16.160.1, YYYYDMZ (resolved, timestamp: 528790)
Phase: 4
Type: RECURSIVE-ROUTE-LOOKUP
Subtype: Recursive Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 172.16.160.0 255.255.255.248 YYYYDMZ
Phase: 5
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.160.1 using egress ifc YYYYDMZ
Phase: 6
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: XXXdmz
input-status: up
input-line-status: up
output-interface: YYYYDMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
03-10-2023 12:08 AM
I was experiencing the same issue and was scratching my head for hours (or more like two days). Adding and deleting rules, messing with policies, all for nothing. But finally I figured it out. The solution was trivial.
As it happens, the ASA by default will reject anything between interfaces if the SECURITY LEVEL is THE SAME - sick!!!
As soon as you set them to different values, traffic is passed. You can have 5 on Inside and 45 on DMZ or vice versa; it does not matter as long as they are different.
So it is worth checking, and hopefully someone will benefit from this tip.
Cheers!
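The following configuration is an added example written for this thread; it is not taken from any of the posts above. It shows the same-security-level situation from the 02-12-2018 post (interface names XXXdmz and YYYYDMZ, security level 30 and the addresses come from that post; the physical interface names, the object name YYYY_WEB and the ACL name DMZ-TO-DMZ are hypothetical). Rather than changing the security levels, as the 03-10-2023 post suggests, it keeps them equal and uses the ASA command that exists for exactly this case, then narrows what is opened with an explicit access list.

```text
! Starting point, as in the 02-12-2018 packet-tracer output: both DMZ
! interfaces at level 30 and no ACL applied inbound on XXXdmz, so the
! ACCESS-LIST phase drops the flow with "Implicit Rule" / acl-drop.
interface GigabitEthernet0/1
 nameif XXXdmz
 security-level 30
interface GigabitEthernet0/2
 nameif YYYYDMZ
 security-level 30

! Step 1 (required): allow traffic between interfaces that share a
! security level. Without this, same-level interfaces cannot talk to
! each other regardless of the access lists you add.
same-security-traffic permit inter-interface

! Step 2 (tightening): the command above opens every same-level pair
! in both directions. Apply an explicit ACL inbound on the ingress
! interface so that only the required flow is permitted and everything
! else is denied and logged.
object network YYYY_WEB
 host 10.11.167.110
access-list DMZ-TO-DMZ extended permit tcp 10.60.65.0 255.255.255.0 object YYYY_WEB eq https
access-list DMZ-TO-DMZ extended deny ip any any log
access-group DMZ-TO-DMZ in interface XXXdmz

! Re-run the same packet-tracer command the poster used. The final
! phase should now read "Action: allow" instead of "acl-drop".
packet-tracer input XXXdmz tcp 10.60.65.1 25812 10.11.167.110 443
```

Two caveats a practitioner should keep in mind. First, the trick of giving the two interfaces different security levels works because the ASA implicitly permits traffic from a higher-security interface to a lower one; it therefore opens the whole higher-to-lower direction for every host, not just the one web server, and the reverse direction still needs an ACL. Second, as the first poster found, a route is checked before the access list in the packet-tracer phases, so a missing or wrong route shows up in the ROUTE-LOOKUP phase and must be fixed before any ACL change can take effect.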
11-25-2024 01:42 AM
That was it. Thanks for posting!