Unable to Telnet Port 465 to DMZ Server of Internet ASA

ksenetwork · ‎07-14-2015

Topology:

Internet Router-- Internet ASA --Fortigate Firewall-- Core Switch-- Data Center Switch-- Server(172.16.45.6)

DMZ--(172.16.208.230)

Problem:

unable to telnet from Server(172.16.45.6) on port 465 to Internet ASA DMZ--(172.16.208.230)

Command Run On ASA

capture BCD1 type raw-data interface inside [Capturing - 452 bytes]

match tcp any host 172.16.208.230 eq 465

Capture Command Output:

ASA-INT-208-33# show capture BCD1

6 packets captured

1: 13:44:05.032346 172.16.45.6.53018 > 172.16.208.230.465: S 3947346569:3947346569(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>

2: 13:44:05.032560 172.16.208.230.465 > 172.16.45.6.53018: R 534698240:534698240(0) ack 3947346570 win 0

3: 13:44:05.537676 172.16.45.6.53018 > 172.16.208.230.465: S 3947346569:3947346569(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>

4: 13:44:05.537859 172.16.208.230.465 > 172.16.45.6.53018: R 1433972724:1433972724(0) ack 3947346570 win 0

5: 13:44:06.052472 172.16.45.6.53018 > 172.16.208.230.465: S 3947346569:3947346569(0) win 8192 <mss 1460,nop,nop,sackOK>

6: 13:44:06.052685 172.16.208.230.465 > 172.16.45.6.53018: R 1839004086:1839004086(0) ack 3947346570 win 0

Question:

What is the meaning of R flag in Cisco ASA capture when return traffic from 172.16.208.230 to 172.16.45.6

Regards,

Salman Ahmed

Dan Lukes · ‎07-14-2015

'R' stands for 'RST' flag. It mean the destination device rejects attempt to establish TCP connection. It's either because of firewall/acl, or there is no listening process beyond port 465 at all or listening process considered not to accept this particular TCP connection.

ksenetwork · ‎07-15-2015

Dear Duke,

This is the ACL I used in Cisco ASA FW:

access-list DMZ_IN extended permit tcp host 172.16.208.230 host 172.16.45.6 eq 465

Regards,

Salman Ahmed