06-23-2008 09:59 AM - edited 03-11-2019 06:03 AM
Hi;
I have an ASA 5510 on my network, with 3 networks (inside, outside, dmz).
When a DMZ host accesses an inside host, it works OK, but when an inside host tries to access the DMZ host, the following message is displayed in the log:
Deny TCP (no connection) from hid-dmz/25 to hid-iwss/44674 flags SYN ACK on interface dmz
The static NAT:
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,dmz) 10.40.4.0 10.40.4.0 netmask 255.255.255.0
where:
172.16.1.0/24: DMZ Network
10.40.4.0/24: Inside Network
06-23-2008 10:40 AM
You shouldn't need this...
no static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
06-23-2008 10:52 AM
Even removing this, the problem continues...
All ACLs are set to permit traffic...
06-24-2008 02:02 AM
Hi Dear,
I doubt very much that the problem is the NAT translation. The error message says "no connection", which means the TCP SYN and the SYN/ACK reply are going different paths, so the firewall will drop that reply. But to make sure the problem is not in the NAT translation, use this command:
no nat-control
and remove both static NAT commands.
If you can post the configuration of your firewall it will be very helpful.
Let me know the results.
B.regards.
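As an added example (not from the thread or from Cisco), a small Python parser for the "Deny ... (no connection)" message shape quoted above; it flags a SYN/ACK arriving with no connection entry as the "request and reply on different paths" symptom the reply describes. The sample log lines are constructed, the first being the one from the original post.

```python
import re
from dataclasses import dataclass

# Shape of the ASA "Deny <proto> (no connection)" message quoted in the thread.
DENY_RE = re.compile(
    r"Deny (?P<proto>TCP|UDP) \(no connection\) from "
    r"(?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

@dataclass
class DenyEvent:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: tuple
    iface: str

def parse_deny(line: str):
    """Return a DenyEvent for a 'no connection' deny line, else None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return DenyEvent(m["proto"], m["src"], int(m["sport"]), m["dst"],
                     int(m["dport"]), tuple(m["flags"].split()), m["iface"])

def classify(ev: DenyEvent) -> str:
    """Explain why the ASA held no connection entry for this segment."""
    flags = set(ev.flags)
    if {"SYN", "ACK"} <= flags:
        # A SYN/ACK is the server's reply; the ASA never built a connection
        # from the client's SYN, so request and reply took different paths.
        return "reply-without-session (asymmetric path)"
    if flags & {"RST", "FIN"}:
        return "teardown for unknown session"
    return "mid-stream segment without session"

# Constructed sample lines; the first is the one quoted in the thread.
SAMPLE_LOG = [
    "Deny TCP (no connection) from hid-dmz/25 to hid-iwss/44674 flags SYN ACK on interface dmz",
    "Deny TCP (no connection) from 10.40.4.7/51022 to 172.16.1.5/25 flags ACK on interface inside",
    "Built inbound TCP connection 12 for dmz:172.16.1.5/25 to inside:10.40.4.7/51022",
]

def report(lines):
    """Map each parsed deny line to (interface, flags, diagnosis); others are skipped."""
    return [(ev.iface, " ".join(ev.flags), classify(ev))
            for ev in map(parse_deny, lines) if ev is not None]
```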
06-24-2008 04:12 AM
06-24-2008 05:12 AM
What is the gateway of your users in the inside network? Is it 10.40.4.1?
06-24-2008 05:15 AM
Yes, it is 10.40.4.1....