ASA connectivity problem

hi

I've configured an ASA 5510 FW with the asa901-k8 IOS. On its "inside" port there is the 10.90.0.0 network. There is another network (10.190.0.0) in my system that can be reached via another router, which has the IP address 10.90.0.253. When a client in the 10.90 network wants to reach the 10.190 network, the FW redirects the request to the router (10.90.0.253) because the FW is my gateway. There is no problem so far... but... while I can ping and traceroute a 10.190... user from the 10.90... network, I can't use any non-ICMP applications. For example, I can't use RDP programs or the HTTP web interfaces of some devices on the remote network (10.190.0.0). What can cause that? Is there any rule in the ASA that blocks these protocols?

thanks...

Beginner

Try to RDP with the IP address and not by DNS, and do the same with the web. If you are doing it by DNS, then it's a domain issue.

Rising star

Hi,
Is there any ACL on the router interfaces that may be blocking? Does everything work on the local network? Post the config of your router here. We can help much better.

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal
Beginner

From my understanding, when a client in the 10.90 network wants to reach the 10.190 network, the traffic flow will be:

10.90 client (possibly TCP SYN) -> firewall -> router -> 10.190 client.

But the 10.190 client will return traffic in this direction:

10.190 client (possibly TCP SYN-ACK) -> router -> 10.90 client.

At this point, the firewall sees an asymmetrical TCP connection, and the firewall tries to protect the network by denying further traffic (denying the TCP ACK).

Here is a link to help you understand ASA asymmetric routing protection:

https://supportforums.cisco.com/docs/DOC-14491

To temporarily work around this until the asymmetry can be fixed, enable TCP State Bypass:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
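To make the asymmetric-path explanation above concrete, here is an added Python model (not from this thread and not Cisco's code) of a stateful TCP inspector sitting where the ASA sits: the outbound leg transits it, the SYN-ACK returns router -> client without touching it, and the client's ACK then arrives out of state. The addresses are constructed and the `tcp_state_bypass` flag is an assumed stand-in for the ASA feature.

```python
from dataclasses import dataclass, field

# Constructed topology: the ASA is the clients' default gateway, the second
# router (10.90.0.253) sits on the same inside segment and fronts 10.190.0.0.
CLIENT, ROUTER, SERVER = "10.90.0.10", "10.90.0.253", "10.190.0.20"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "icmp"
    flags: str = ""   # "SYN", "SYN-ACK", "ACK", or "" for data

@dataclass
class StatefulFirewall:
    """Minimal stateful TCP inspector: each flow must be seen as
    SYN -> SYN-ACK -> ACK in order; anything else is out of state."""
    tcp_state_bypass: bool = False          # assumed stand-in for the ASA option
    conns: dict = field(default_factory=dict)  # (src, dst) -> state

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if pkt.proto != "tcp" or self.tcp_state_bypass:
            return True  # ICMP is not tracked here; bypass skips the check
        key, rkey = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN" and key not in self.conns and rkey not in self.conns:
            self.conns[key] = "SYN_SEEN"
            return True
        if pkt.flags == "SYN-ACK" and self.conns.get(rkey) == "SYN_SEEN":
            self.conns[rkey] = "SYNACK_SEEN"
            return True
        if pkt.flags == "ACK" and self.conns.get(key) == "SYNACK_SEEN":
            self.conns[key] = "ESTABLISHED"
            return True
        return "ESTABLISHED" in (self.conns.get(key), self.conns.get(rkey))

def asymmetric_handshake(bypass: bool = False) -> list:
    """The thread's scenario: SYN and ACK cross the firewall, the SYN-ACK
    goes SERVER -> ROUTER -> CLIENT and never reaches fw.forward()."""
    fw = StatefulFirewall(tcp_state_bypass=bypass)
    return [fw.forward(Packet(CLIENT, SERVER, "tcp", "SYN")),
            fw.forward(Packet(CLIENT, SERVER, "tcp", "ACK")),
            fw.forward(Packet(CLIENT, SERVER, "tcp", ""))]   # first RDP data

def symmetric_handshake() -> list:
    """Same flow when the reply path also transits the firewall."""
    fw = StatefulFirewall()
    return [fw.forward(Packet(CLIENT, SERVER, "tcp", "SYN")),
            fw.forward(Packet(SERVER, CLIENT, "tcp", "SYN-ACK")),
            fw.forward(Packet(CLIENT, SERVER, "tcp", "ACK")),
            fw.forward(Packet(CLIENT, SERVER, "tcp", ""))]

def icmp_echo() -> bool:
    """Ping keeps working: the request passes and the reply bypasses the ASA."""
    return StatefulFirewall().forward(Packet(CLIENT, SERVER, "icmp"))
```

The asymmetric run drops the ACK and the data while the symmetric run passes everything, which is the ping-works-but-RDP-fails symptom from the question.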


Please remember this is bad design. A user VLAN should have only one gateway. You could place the router in another firewall zone.
