01-03-2012 03:33 PM - edited 03-11-2019 03:09 PM
OK, a strange problem started appearing recently. I can't for the life of me remember what I could have possibly changed to cause this problem. Below is the architecture.
Internet---Cisco 2600 (Dynamic IP)--PIX 515E----Interface VLAN2 (192.168.2.1)----Wireless Router (local lan 192.168.3.0)
I am using my laptop and trying to access a device on the VLAN2 network and can't. I can ping all day long, but nothing beyond that. The only thing appearing in my logs is the below
Deny TCP (no connection) from 192.168.2.5/2000 to 192.168.3.100/35670 flags SYN ACK on interface vlan2
I've looked in the interface configs and made sure that "traffic between two or more interfaces with same security levels" is configured and looked everywhere else. This problem just started and really doesn't make any sense. Anyone know where I can double-check? Thanks for any help.
Robert
01-03-2012 03:48 PM
Hello Robert,
The connection is being closed because the ASA is receiving a SYN ACK packet that it was not expecting to receive (no SYN packet, no connection).
You need to configure U-turning or a TCP bypass rule.
What version are you running??
Do rate helpful posts!!!!
Regards,
Julio
01-03-2012 04:38 PM
Version 8.0(4). I’ve never configured either one of those. Any pointers?
Robert
01-03-2012 04:51 PM
Can I have a diagram of your network with the internal IP addresses of both devices (the ones that are trying to communicate on the same interface), and each one's default gateway?
Regards,
01-03-2012 06:26 PM
Not a problem. Attached is a diagram I threw together. Basically, the laptop on wireless, 192.168.3.100, is trying to access anything on VLAN2. I can't ping or do anything, but I can get out to the internet and anything else on the network no problem, including the 192.168.1.0 network. It's almost like 192.168.2.0 and 3.0 aren't allowed to talk to each other. In the diagram, the server represents a Cisco Call Manager, 192.168.2.5.
01-03-2012 07:18 PM
Hello Robert,
So the problem is with the communication between 192.168.2.0 and 3.0!!
Here is the thing!!
When a packet from a host on the wireless local network tries to go to 192.168.2.x, the packet will go to the wireless router, and then, as it is on the same network, it will send it directly to the host (SYN).
The host will send the SYN ACK to its default gateway = the ASA. The ASA will say "wait a minute, a SYN ACK, but where is the SYN?" and drop the packet, so the session does not get established.
So in order to allow this communication to be bidirectional, let's do a TCP state bypass:
access-list test permit tcp 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
class-map tcp_bypass
match access-list test
policy-map global_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass
Do rate helpful posts
Julio
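To make the drop described above concrete, here is a small Python model of the stateful TCP check (an added example written for this thread, not PIX/ASA code and not something the posters provided). The firewall only creates a connection entry when it sees a SYN; in the asymmetric case the laptop's SYN reaches 192.168.2.5 via the wireless router and the firewall never sees it, so the returning SYN ACK is denied and logged in the same format as the "Deny TCP (no connection)" line from the first post. A bypass ACL like the `test` access-list lets the packet through regardless of state. All class and function names are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # e.g. "SYN", "SYN ACK", "ACK"


@dataclass
class Firewall:
    # Entries like ("192.168.2.0/24", "192.168.3.0/24"), mirroring the 'test' ACL.
    bypass_acl: list = field(default_factory=list)
    conns: set = field(default_factory=set)  # known connections (direction-agnostic)
    log: list = field(default_factory=list)  # syslog-style deny messages

    def _bypassed(self, p: Packet) -> bool:
        return any(ip_address(p.src) in ip_network(s) and ip_address(p.dst) in ip_network(d)
                   for s, d in self.bypass_acl)

    def inspect(self, p: Packet, iface: str = "vlan2") -> str:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if self._bypassed(p):
            return "permit (tcp-state-bypass)"  # state is not checked at all
        if "SYN" in p.flags and "ACK" not in p.flags:
            self.conns.add(key)  # a SYN opens a new connection entry
            return "permit (new connection)"
        if key in self.conns:
            return "permit (existing connection)"
        self.log.append(f"Deny TCP (no connection) from {p.src}/{p.sport} to "
                        f"{p.dst}/{p.dport} flags {p.flags} on interface {iface}")
        return "deny (no connection)"


def asymmetric_handshake(fw: Firewall) -> str:
    """Laptop 192.168.3.100 -> CallManager 192.168.2.5. The SYN goes through the
    wireless router and is deliberately NOT given to fw.inspect(); only the
    server's SYN ACK, routed via its default gateway (the firewall), is seen."""
    synack = Packet("192.168.2.5", 2000, "192.168.3.100", 35670, "SYN ACK")
    return fw.inspect(synack)


def symmetric_handshake(fw: Firewall) -> str:
    """Same exchange when both directions cross the firewall: the SYN is seen
    first, so the SYN ACK matches an existing connection and is permitted."""
    fw.inspect(Packet("192.168.3.100", 35670, "192.168.2.5", 2000, "SYN"))
    return fw.inspect(Packet("192.168.2.5", 2000, "192.168.3.100", 35670, "SYN ACK"))
```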
01-04-2012 06:13 AM
Julio,
I’m almost there. I figured out I had to manually create the TCP Map “tcp-state-bypass”. However, even with no options selected (I am doing this in ASDM), traffic still won’t go through. I’ve messed with several settings in the tcp map, but no luck.
Robert
01-04-2012 07:05 AM
Hello Robert,
Is there a way you could do it via the CLI? You just need to copy and paste the information I have provided you....
Regards,
Julio
01-04-2012 07:14 AM
That’s what I tried first. I got stuck at the tcp-state-bypass command. It said no TCP map exists. I did some digging on Cisco. I should have that option in ASDM under a new TCP MAP, as well as under the Advanced section. For whatever reason, it doesn’t exist. Just to make sure we are on the same page, I am using a PIX 515E running IOS 8.0(4) with ASDM 6.1.5. According to all of the documentation, the bypass command should work, but it isn’t. Any ideas?
Robert
01-04-2012 09:06 AM
Hello Robert,
I know what you mean! But the PIX should take the command; in the TCP map options we do not configure the TCP state bypass.
Please confirm that you are doing it like this:
policy-map global_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass
Regards,
Julio
01-04-2012 11:42 AM
Julio,
I even used the Tab key to make sure I am putting the commands in correctly. But as soon as I press Enter on that statement I get “ERROR: Can’t find map tcp-state-bypass”.
Robert
01-04-2012 09:51 PM
Hello Robert,
After doing a little research I got the answer to why this is not possible: TCP state bypass is a feature available until 8.2....
Let me do a little bit of research on this.
Julio
01-05-2012 04:22 AM
OK, that would explain why all of the documentation online references an ASA, not a PIX. Let me know what you find. Thanks Julio!
Robert
01-05-2012 07:45 AM
Hi Robert,
Just to add some background to the thread, this document explains why this problem occurs and suggests a few mitigation techniques that you might find useful:
https://supportforums.cisco.com/docs/DOC-14491
-Mike
01-05-2012 11:35 AM
Hey Mike. Thanks for the link. Unfortunately, if I am reading the document right, it only applies to NAT statements. I have a router in front of this firewall, so I'm not using NAT at the firewall level. I tried to apply the command to the only two NAT statements I have (listed below) and it won't let me because of the 0 in the statement.
nat (inside) 0 access-list inside_nat0_outbound
nat (VLAN2) 0 access-list VLAN2_nat0_outbound
If I understand these statements correctly, it simply means DO NOT NAT traffic going out from these interfaces.