ASA connectivity problem

serhadaliturhan
Level 1

hi

I've configured an ASA 5510 FW with the asa901-k8 IOS. On its "inside" port there is the 10.90.0.0 network. There is another network (10.190.0.0) in my system that can be reached via another router, which has the IP address 10.90.0.253. When a client in the 10.90 network wants to reach the 10.190 network, the FW redirects the request to the router (10.90.0.253) because the FW is my gateway. There is no problem so far... but... while I can ping and traceroute a 10.190... user from the 10.90... network, I can't use any non-ICMP applications. For example, I can't use RDP programs or the HTTP web interfaces of some devices on the remote network (10.190.0.0). What can cause that? Is there any rule in the ASA that blocks these protocols?

thanks...

4 Replies

elepon06
Level 1

Try to RDP with the IP address and not by DNS, and do the same with the web. If you are doing it by DNS, then it's a domain issue.

Abzal
Level 7

Hi,
Is there any ACL on the router interfaces that may be blocking? Does everything work on the local network? Post the config of your router here. We can help much better.


Best regards,
Abzal

thomas.g.fan
Level 1

From my understanding, when a client in the 10.90 network wants to reach the 10.190 network, the traffic flow will be:

10.90 client (possibly TCP SYN) -> firewall -> router -> 10.190 client.

but the 10.190 client will return traffic in this direction:

10.190 client (possibly TCP SYN-ACK) -> router -> 10.90 client.

At this point, the firewall sees an asymmetrical TCP connection, and it tries to protect the network by denying further traffic (denying the TCP ACK).

Here is a link to help you understand ASA asymmetric routing protection:

https://supportforums.cisco.com/docs/DOC-14491

To temporarily work around this until the asymmetry can be fixed, enable TCP State Bypass:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

Please remember this is bad design. A user VLAN should have only one gateway. You could place the router in another firewall zone.
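The TCP State Bypass workaround from the reply above, written out as an added example (not configuration from the thread or from Cisco's guide). It uses the ASA Modular Policy Framework as documented in the linked guide; the /16 masks for both networks and the interface name "inside" are assumptions, since the original post gives neither. The ACL is deliberately narrow so that only the flows that actually take the asymmetric path (inside clients to 10.190.0.0 via the 10.90.0.253 router) lose stateful inspection, while all other traffic keeps the normal TCP checks.

```cisco
! Added example, not from the thread. Assumes /16 masks and nameif "inside".

! Match only the traffic that legitimately returns around the firewall:
! inside clients talking to the 10.190.0.0 network behind 10.90.0.253.
access-list TCP_BYPASS extended permit tcp 10.90.0.0 255.255.0.0 10.190.0.0 255.255.0.0

class-map TCP_BYPASS
 match access-list TCP_BYPASS

! For this class only, the ASA stops enforcing the 3-way handshake, TCP
! sequence tracking and TCP normalization, so the ACK that follows the
! unseen SYN-ACK is forwarded instead of dropped. Everything else keeps
! full stateful inspection.
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS
  set connection advanced-options tcp-state-bypass

! Apply the policy on the interface where the asymmetric flows are seen.
service-policy TCP_BYPASS_POLICY interface inside
```

Verify with `show service-policy interface inside` (the class should show a hit count once a client opens an RDP or HTTP session) and watch `show asp drop` before and after: the TCP drops for these flows should stop incrementing. Two caveats: the hairpin back out the inside interface must already be permitted (`same-security-traffic permit intra-interface`), which is evidently the case here since ping and traceroute succeed through the firewall; and bypassed flows get no TCP sanity checks at all, so keep the ACL as tight as the real traffic allows and remove the policy once the routing is fixed, for example by moving the 10.190 router onto its own ASA interface as the reply suggests.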
