Inbound TCP connection denied

ohareka70
Level 3

Hello,

I have a server on the corporate network, and it has a rule on the firewall to allow it to talk out to another external IP for a WinSCP transfer over tcp/222.

It was working OK, but it stopped this week saying:

Inbound TCP connection denied from 10.x.x.x/49578 to 172.x.x.x/222 flags SYN on interface inside

I am not seeing it hit the firewall, except to say that it's being denied by an Access Rule.

Any ideas?

Kevin

1 Accepted Solution

Accepted Solutions

Akshay Rastogi
Cisco Employee

Hi Kevin,

- Are there any recent changes made on the ASA?

- When you say you do not see it hitting the firewall, how did you check that? Did you take any capture on the ingress and egress interfaces?

- Could you please take the output of packet-tracer on the ASA:

'packet-tracer input <source interface> tcp <source-ip> 123445 <destination-ip> 222 detail' and check where it is dropping.

As you mentioned it is being denied by an ACL, try placing a permit ACL for this traffic on line 1 of the concerned access-list.

Also, you could take captures on the ASA. Please take the capture with 'cap drop type asp-drop all' and see the output with 'show cap drop | in <source-ip>'.

Please share your findings.

Regards,

Akshay Rastogi

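Added example, not code from the thread or from Cisco: a small Python parser for the two ASA deny messages relevant to this case, the %ASA-2-106001 form Kevin quoted ("Inbound TCP connection denied ...") and the %ASA-4-106023 form that names the access-group that dropped the packet. It groups repeated denies by ingress interface and destination service so one host's blocked transfer stands out from background noise; the sample log lines, addresses and ACL name are constructed.

```python
import re
from collections import Counter

# %ASA-2-106001: a SYN arrived on an interface and no rule allowed the connection.
# Group names below are our own labels, not Cisco field names.
RE_106001 = re.compile(
    r"Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)
# %ASA-4-106023: explicit ACL deny, including the access-group that matched.
RE_106023 = re.compile(
    r"Deny (?P<proto>\w+) src (?P<iface>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<egress>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_deny(line):
    """Return a dict describing an ASA deny message, or None for any other line."""
    for msg_id, rx in (("106001", RE_106001), ("106023", RE_106023)):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            d["id"] = msg_id
            d["proto"] = d["proto"].lower()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            return d
    return None

def summarize_denies(lines):
    """Count denies per (ingress interface, destination, protocol, port).

    One internal host repeatedly denied on the same interface for the same
    service points at an ACL or routing problem, not at a scan."""
    counts = Counter()
    for line in lines:
        d = parse_deny(line)
        if d:
            counts[(d["iface"], d["dst"], d["proto"], d["dport"])] += 1
    return counts

# Constructed sample lines (not taken from the thread); RFC 1918 addresses.
SAMPLE = [
    "%ASA-2-106001: Inbound TCP connection denied from 10.20.30.40/49578 to 172.16.50.60/222 flags SYN on interface inside",
    '%ASA-4-106023: Deny tcp src inside:10.20.30.40/49579 dst outside:172.16.50.60/222 by access-group "inside_in" [0x0, 0x0]',
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:172.16.50.60/443 (172.16.50.60/443) to inside:10.20.30.41/51000 (192.0.2.1/51000)",
]

if __name__ == "__main__":
    for key, n in summarize_denies(SAMPLE).items():
        print(n, "denies on", key[0], "to", key[1], key[2], key[3])
```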
2 Replies

Akshay,

I did a packet capture wizard on the Cisco ASA, but it only showed ingress traffic, no egress, and it didn't show much anyway other than an attempt.

I did the packet tracer on the Cisco ASA and it said that the traffic was being denied by the access-list, i.e. it saw the traffic as denied all and dropped it. I know an ACL was applied.

So I checked the routing on the LAN. It turns out this traffic needed to be routed out a different Layer 3 device and out one of the other firewalls (we have 3 on different sites and they are all standalone). The firewalls all have the same access list.

Bit of a nightmare, but routing was the problem, and as soon as it routed out the correct firewall the access list permitted it.

Thanks for your help and looking forward to trying this command on Monday:

....please take the capture with 'cap drop type asp-drop all' and see the output with 'show cap drop | in <source-ip>'

Regards,

Kevin
