09-23-2014 12:04 PM - edited 03-11-2019 09:49 PM
Hey guys
I'm experiencing some kind of weird behavior on my ASA 5520 (8.3.1).
I have a customer that needs to access an inside web server of mine.
I've created a rule in the proper ACL permitting another range of their addresses to access the web server.
I can see the SYN packet being permitted, the ACL's counter increases, and... the SYN/ACK is denied by the firewall!!!
Look at the log...
6|Sep 17 2014|16:29:29|302013|172.40.36.20|3154|10.171.3.139|80|Built outbound TCP connection 1075586687 for vlan5:10.171.3.139/80 (10.171.3.139/80) to vlan155:172.40.36.20/3154 (172.40.36.20/3154)
2|Sep 17 2014|16:29:29|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK on interface vlan155
2|Sep 17 2014|16:29:32|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK on interface vlan155
2|Sep 17 2014|16:29:38|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK on interface vlan155
Also, we don't use NAT for those IPs.
Anyone?
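As an added example (not from the thread), the pattern in the log above can be picked out automatically: the script below parses the pipe-delimited export, pairs each 302013 "Built ... connection" record with later 106001 denials of the same flow, and separates SYN/ACKs rejected on a flow the ASA had already built (a state, ACL or TCP-intercept problem on a real session) from SYN/ACKs with no matching connection at all. The sample records are constructed in the post's format; the port-3200 record is invented.

```python
import re
from collections import defaultdict

# Constructed sample in the export format seen in the post:
# severity|date|time|message-id|src|sport|dst|dport|text
# Addresses are the post's own; the port-3200 record is invented.
SAMPLE_LOG = """\
6|Sep 17 2014|16:29:29|302013|172.40.36.20|3154|10.171.3.139|80|Built outbound TCP connection 1075586687 for vlan5:10.171.3.139/80 (10.171.3.139/80) to vlan155:172.40.36.20/3154 (172.40.36.20/3154)
2|Sep 17 2014|16:29:29|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK on interface vlan155
2|Sep 17 2014|16:29:32|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK on interface vlan155
2|Sep 17 2014|16:29:38|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK on interface vlan155
2|Sep 17 2014|16:30:01|106001|10.171.3.139|80|172.40.36.20|3200|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3200 flags SYN ACK on interface vlan155
"""

DENIED_RE = re.compile(
    r"denied from (\S+)/(\d+) to (\S+)/(\d+) flags (.+?) on interface (\S+)")

def flow_key(a_ip, a_port, b_ip, b_port):
    """Direction-independent key so a SYN and its SYN/ACK map to one flow."""
    return frozenset({(a_ip, int(a_port)), (b_ip, int(b_port))})

def parse_record(line):
    """Split one exported record into its fixed fields plus the free text."""
    _sev, _date, time, msgid, src, sport, dst, dport, text = line.split("|", 8)
    return {"time": time, "id": msgid, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": text}

def correlate(log_text):
    """Return (known, unsolicited): denied SYN/ACKs on flows the ASA had
    already built a connection for, and denied SYN/ACKs with no such flow."""
    built = {}                   # flow key -> connection id from 302013
    denied = defaultdict(list)   # flow key -> [(time, interface), ...]
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["id"] == "302013":
            conn = re.search(r"connection (\d+)", rec["text"]).group(1)
            built[flow_key(rec["src"], rec["sport"], rec["dst"], rec["dport"])] = conn
        elif rec["id"] == "106001":
            m = DENIED_RE.search(rec["text"])
            if m and "SYN" in m.group(5) and "ACK" in m.group(5):
                key = flow_key(m.group(1), m.group(2), m.group(3), m.group(4))
                denied[key].append((rec["time"], m.group(6)))
    known = {k: {"conn": built[k], "denials": len(v), "interface": v[0][1]}
             for k, v in denied.items() if k in built}
    unsolicited = {k: len(v) for k, v in denied.items() if k not in built}
    return known, unsolicited

if __name__ == "__main__":
    for key, info in correlate(SAMPLE_LOG)[0].items():
        print("reply denied on built conn", info["conn"], "x", info["denials"], sorted(key))
```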
09-23-2014 01:56 PM
Hi,
Can you post the ACL as well?
Or maybe your ASA is smelling some SYN flood attacks from your client and TCP Intercept is in the business to prevent the 3-way handshake from completing.
Cheers
09-23-2014 01:56 PM
Hi
Thanks for helping!
access-list vlan155_access_in line 4 extended permit tcp 172.40.36.0 255.255.252.0 host 10.171.3.139 eq www (hitcnt=15)
Cheers