Error on passing traffic between VPNs on ASA
07-19-2010 02:58 AM
I've got a strange error - ICMP goes OK, and TCP gives an error in both directions:
07/19/10 13:19:49 [192.168.12.132] (local4.crit) Jul 19 2010 13:22:27 asa5540 : %ASA-2-106001: Inbound TCP connection denied from 8.77.0.10/4461 to 1.4.0.1/443 flags SYN on interface dmz
Please take a look at the attached config. I've been fighting with that since last Friday and no luck yet...
Labels: VPN

07-19-2010 08:49 AM
There doesn't seem to be any NAT configuration in the config attached. Do you configure NAT exemption for traffic between DMZ and the other side of the VPN LAN? ACL also looks OK as you pretty much allow any traffic between the 2 subnets.
07-20-2010 06:39 AM
Hi, halijenn!
Thanks for the advice, but I don't think it would work:
1. Since I have "same-security-traffic permit inter-interface", NAT rules and exemptions are not in use.
2. ICMP works fine without a NAT exempt.
Small update - I've tried to use the Cisco ASDM packet tracer and test a connection from one IP to another. As it shows, there are TCP and UDP drops in an ACL after routing and VPN lookup, but I don't have any idea what kind of ACL it can be. And ICMP traces fine.
08-02-2010 11:18 PM
The solution is to check the VPN filter ACLs - it was not set, so it was inherited from the VPN filter of the default policy, and that was strict enough to deny the required traffic.
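An added example (not the poster's attached config) of giving the tunnel its own vpn-filter so it stops inheriting the default group policy's filter, followed by the two checks that show the inheritance and the verdict on the denied SYN. The group-policy and tunnel-group names and the peer address 203.0.113.10 are assumed, as is the direction: 8.77.0.10 is taken to be the host on the remote side of the tunnel and 1.4.0.1 the local HTTPS server.

```cisco
! vpn-filter ACLs are written from the remote side toward the local side;
! the ASA permits the matching return traffic of a filtered flow itself.
! Assumed: 8.77.0.10 = remote-side host, 1.4.0.1 = local HTTPS server.
access-list VPN-FILTER-DMZ extended permit tcp host 8.77.0.10 host 1.4.0.1 eq 443
access-list VPN-FILTER-DMZ extended permit icmp host 8.77.0.10 host 1.4.0.1
!
! Attach the filter explicitly; a group policy without "vpn-filter value"
! inherits whatever DfltGrpPolicy carries.
group-policy DMZ-L2L-GP internal
group-policy DMZ-L2L-GP attributes
 vpn-filter value VPN-FILTER-DMZ
!
! Assumed tunnel-group (site-to-site peer 203.0.113.10)
tunnel-group 203.0.113.10 general-attributes
 default-group-policy DMZ-L2L-GP
!
! Check 1: what the default policy would hand down if nothing is set
show running-config all group-policy DfltGrpPolicy | include vpn-filter
! Check 2: replay the denied flow from the %ASA-2-106001 message
packet-tracer input dmz tcp 8.77.0.10 4461 1.4.0.1 443
```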
