inbound TCP connection denied flags SYN on interface inside
05-13-2013 05:50 AM - edited 03-11-2019 06:42 PM
Hi people, here again,
I am having a problem with the traffic from the inside network to the outside network; traffic is being dropped and I don't know why or how to fix it. My setup is as follows:
In the outside network there is a router directly connected to the ASA (through the outside network 10.15.1.x); this router creates a different network, 172.16.35.x.
I need to access the network 172.16.35.x from the internal network. I can't; packets are dropped with the message:
%ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
I created an access rule to permit IP traffic from inside to network 172.16.35.x, which is connected to the outside interface through the router.
Still not working....
Thanks in advance,
Juan
05-13-2013 05:56 AM
Hello Juan,
Try the packet-tracer feature to find out where the problem is.
https://supportforums.cisco.com/docs/DOC-5796
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
http://www.techrepublic.com/blog/networking/cisco-asa-packet-trace-your-firewall-debug-friend/1482
Best Regards
Please rate all helpful posts and close solved questions
05-13-2013 06:00 AM
Hi,
Would need to see the configurations.
Based on the error message it would seem to me that this is not a problem with an ACL or NAT.
- Jouni
05-13-2013 06:03 AM
Hi Blau grana and Jouni,
You're right; too much time configuring and unconfiguring the box. I missed adding the route in the ASA; it is working fine now.
Thanks for your time,
Juan
09-09-2016 06:58 AM
I had similar issue, and I fixed it by looking at my security levels.
05-03-2017 05:32 PM
Hi there,
I have the same issue as Juan described. I can access any websites except anything related to Google (Gmail, Google search, YouTube).
Deny inbound UDP from internal IP/port to 172.217.9.142/443 flags SYN on interface Inside
Any ideas what could cause it?
Thanks
Lee
05-03-2017 05:36 PM
Can you run packet tracer for one of the addresses you are having issues accessing? It should tell where the packet is getting dropped and why.
05-03-2017 05:57 PM
Cofee,
Thanks for the quick response. Everything worked fine until today. Nothing has changed in the firewall or in the internal routing. Strange! Please find the packet tracer attached:
Lee
05-03-2017 06:02 PM
The packet tracer result that you sent me is dropping the packet due to a configured ACL.
02-12-2018 08:04 AM
I'm having the same issue as well, trying to go from an XXXdmz host to a YYYYDMZ web server over HTTPS.
2 | 10:18:00 | 106001 | 10.60.65.1 | 25812 | 10.11.167.110 | 443 | Inbound TCP connection denied from 10.60.65.1/25812 to 10.11.167.110/443 flags SYN on interface XXXdmz |
XXXdmz is security level 30, as is the YYYYdmz that I'm trying to go to. Routes are dynamically learned.
packet-tracer input ccidmz tcp 10.60.65.1 25812 10.11.167.110 443
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: RECURSIVE-ROUTE-LOOKUP
Subtype: Recursive Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.11.167.0 255.255.255.0 via 172.16.160.1, YYYYDMZ (resolved, timestamp: 528790)
Phase: 4
Type: RECURSIVE-ROUTE-LOOKUP
Subtype: Recursive Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 172.16.160.0 255.255.255.248 YYYYDMZ
Phase: 5
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.160.1 using egress ifc YYYYDMZ
Phase: 6
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: XXXdmz
input-status: up
input-line-status: up
output-interface: YYYYDMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
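To turn a 106001 line and a packet-tracer run into one triage verdict without reading the whole output by hand, here is an added Python example (not from this thread or from Cisco). It parses the message format quoted in the first post, the ASDM log row from this post, and the "Phase:" blocks of packet-tracer output, then reports the phase that dropped the flow together with the Drop-reason. The sample input is the log row and a shortened copy of the tracer output from this post; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# 106001 message body; the "%ASA-2-106001:" prefix is optional so that rows
# copied from the ASDM log viewer (as in the post above) match as well.
DENIED_RE = re.compile(
    r"(?:%ASA-\d-106001:\s*)?Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

def parse_106001(line: str) -> Optional[dict]:
    """Extract the denied 5-tuple from a 106001 line; None for any other message."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"

@dataclass
class TraceResult:
    phases: List[Phase]
    action: str = ""
    drop_reason: str = ""

    def drop_phase(self) -> Optional[Phase]:
        # packet-tracer stops at the first DROP, so at most one phase has it
        return next((p for p in self.phases if p.result == "DROP"), None)

def parse_packet_tracer(text: str) -> TraceResult:
    """Walk the 'Phase: N' blocks and the trailing summary of packet-tracer output."""
    result = TraceResult(phases=[])
    current: Optional[Phase] = None
    section = None  # "config" or "info" while inside a phase
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            current = Phase(int(value))
            result.phases.append(current)
            section = None
        elif key == "Result" and not value:
            current = None  # a bare "Result:" opens the final summary block
        elif current is not None:
            if key == "Type":
                current.type = value
            elif key == "Result":
                current.result = value
            elif key == "Config":
                section = "config"
            elif key == "Additional Information":
                section = "info"
            elif section == "config":
                current.config.append(line)  # e.g. "Implicit Rule" or an ACE
        elif key == "Action":
            result.action = value
        elif key == "Drop-reason":
            result.drop_reason = value
    return result

def triage(log_line: str, tracer_text: str) -> str:
    """One-line verdict joining the syslog tuple with the phase that dropped it."""
    c, t = parse_106001(log_line), parse_packet_tracer(tracer_text)
    if c is None:
        return "not a 106001 message"
    p = t.drop_phase()
    where = f"phase {p.number} {p.type} [{'; '.join(p.config)}]" if p else "no DROP phase"
    flow = f"{c['proto']} {c['src']}:{c['sport']} -> {c['dst']}:{c['dport']} in on {c['iface']}"
    return f"{flow}: {t.action} at {where}: {t.drop_reason}"

# Sample input: the ASDM log row and a shortened copy (phases 1-5 omitted) of
# the packet-tracer output quoted in the post above.
SAMPLE_LOG = ("2 | 10:18:00 | 106001 | 10.60.65.1 | 25812 | 10.11.167.110 | 443 | "
              "Inbound TCP connection denied from 10.60.65.1/25812 to 10.11.167.110/443 "
              "flags SYN on interface XXXdmz |")
SAMPLE_TRACE = """\
Phase: 6
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: XXXdmz
output-interface: YYYYDMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Called as triage(SAMPLE_LOG, SAMPLE_TRACE) it returns one line naming the flow, the dropping phase (here ACCESS-LIST with an Implicit Rule, meaning no explicit ACE matched) and the drop reason. When the dropping phase lists an explicit ACE under Config, that ACE is printed instead, which is usually quicker than walking the ACL hit counters by hand.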
03-10-2023 12:08 AM
I was experiencing the same issue and was scratching my head for hours (or more like two days). Adding and deleting rules, messing with policies, all for nothing. But finally I have figured it out. The solution was trivial.
As it happens, ASA by default will reject anything between the interfaces if the SECURITY LEVEL is THE SAME - sick!!!
As soon as you set them to different values, traffic is passed. And you can have 5 on Inside and 45 on DMZ or vice versa; it does not matter as long as they are different.
So it is worth checking, and hopefully someone will benefit from this tip.
Cheers!
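The same-security-level behaviour described in this post, and visible in the 2018 packet-tracer output above (both DMZ interfaces at level 30, dropped by the ACCESS-LIST implicit rule), can be caught by auditing the configuration before any traffic is tested. The Python check below is an added example, not from this thread or from Cisco: it parses a constructed ASA config excerpt (interface names and addresses are assumed) and reports interface pairs that share a security level while the line same-security-traffic permit inter-interface is absent. Changing one interface's level, as this post suggests, clears the finding; so does keeping the levels equal and adding that command, which is the documented alternative when two segments are meant to be peers.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed ASA config excerpt (not from the thread) with two interfaces
# sharing security-level 30, mirroring the XXXdmz/YYYYDMZ case discussed above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.15.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/2
 nameif XXXdmz
 security-level 30
!
interface GigabitEthernet0/3
 nameif YYYYDMZ
 security-level 30
!
access-list dmz_in extended permit tcp any any eq 443
"""

def parse_interfaces(config: str) -> dict:
    """Map each nameif to its security-level from the interface stanzas."""
    stanzas, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {}
            stanzas.append(current)
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in ("nameif", "security-level"):
                current[key] = value
        else:
            current = None  # "!" or any top-level command ends the stanza
    return {s["nameif"]: int(s["security-level"])
            for s in stanzas if "nameif" in s and "security-level" in s}

def same_security_permitted(config: str, scope: str = "inter-interface") -> bool:
    """True if 'same-security-traffic permit <scope>' is present in the config."""
    return re.search(rf"^same-security-traffic permit {scope}\s*$", config, re.M) is not None

def find_blocked_same_level_pairs(config: str) -> list:
    """Interface pairs that share a security level while inter-interface
    same-security traffic is not permitted. The ASA drops flows between such
    pairs with its implicit rule, which packet-tracer shows as
    ACCESS-LIST / Implicit Rule / DROP even when an ACL would allow the flow."""
    if same_security_permitted(config, "inter-interface"):
        return []
    by_level = defaultdict(list)
    for name, level in parse_interfaces(config).items():
        by_level[level].append(name)
    return [(a, b, level)
            for level, names in sorted(by_level.items())
            for a, b in combinations(sorted(names), 2)]

if __name__ == "__main__":
    for a, b, level in find_blocked_same_level_pairs(SAMPLE_CONFIG):
        print(f"{a} <-> {b}: both security-level {level}, inter-interface traffic blocked")
```

The intra-interface form of the command (hairpinning on one interface) is deliberately not accepted as a fix, since only the inter-interface form governs traffic between two different interfaces at the same level.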
11-25-2024 01:42 AM
That was it. Thanks for posting!
