ASA5510: deny tcp (no connection)... flags SYN ACK

Hello,

Is it possible to allow traffic through an ASA5510 that was not initiated through this firewall but through another one?

Background: We are changing our external IP numbers but don't want to change our internal default route (which points to an ASA5510, the 'old' one). Our new VPN traffic comes in through the 'new' ASA, and the internal client PC sends it to the 'old' ASA. There is a route which directs this traffic to the new one. But I get the error:

(from within the VPN: telnet internal_host 22; the 'old' ASA is the default gateway)

%ASA-6-106015: Deny TCP (no connection) from 192.168.XXX.XXX/22 to 192.168.10.1/34625 flags SYN ACK on interface inside

I would appreciate any help.

Gerhard

Gerhard Lehmann

Can you elaborate more on what you are trying to accomplish?

Looks to me like you have two ASAs on your WAN connection.

Like this:

(Default Gateway/Route) ASA #1-------outside 1.1.1.1------inside 192.168.1.1
(VPN)                   ASA #2-------outside 1.1.1.2------inside 192.168.1.2

I assume ASA #1 is the default route/default gateway for the hosts behind it to the internet, and ASA #2 has VPNs that terminate on it.

If you have a VPN with remote subnet 192.168.2.0/24 built to it, you can add a static host route on the PCs to use the VPN ASA (assuming Windows):

route add -p 192.168.2.0 mask 255.255.255.0 192.168.1.2

Or use a router as your default gateway; its routing table would look like this:

ip route 192.168.2.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.1

jcle

Thank you for your answer!

A short ASCII structure is like this:

ext. Router---(old IP range 195.21.XXX.170)---outside---ASA_01---internal---192.168.1.130 (/24)
new ext. Router---(new IP range 91.215.XXX.4)---outside---ASA_02---internal---192.168.1.129 (/24)

The old IP range will be closed in the near future. The default internal gateway is ASA_01, 192.168.1.130, for all our client PCs.

VPN works through this ASA_01.

Now I am installing VPN on ASA_02 and would like to leave the old gateway on the client PCs unchanged. So I thought:

VPN traffic from outside -> ASA_02 -> client PC, and back:

client PC -> ASA_01 (default gateway) -> ASA_02 (static route for the VPN address space) -> new ext. Router -> Internet -> VPN endpoint

When I ping or telnet through the new VPN, I can see the incoming traffic on the client PC, but the return path is blocked by ASA_01 with the error:

%ASA-6-106015: Deny TCP (no connection) from 192.168.1.162/22 to 192.168.10.1/34625 (VPN address) flags SYN ACK on interface inside
%ASA-7-609002: Teardown local-host inside:192.168.1.162 duration 0:00:00
%ASA-7-609002: Teardown local-host inside:192.168.10.1 duration 0:00:00

I understand that the ASA blocks traffic which was not initiated through it; that seems to be good behaviour for a firewall, but can I make an exception for this route (ASA_01 -> ASA_02, 192.168.10.0/24)?

Thanks again for any ideas you have!

Gerhard

jcle wrote:

We would like to avoid setting a static route on every client PC; it seems smarter to let the old ASA do the routing.

Gerhard Lehmann
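The following is an added example and not code from this thread or from Cisco: a small Python parser for the %ASA-6-106015 syslog lines quoted above. It counts "SYN ACK with no connection" denies per server/client pair on a given interface. A SYN ACK for which the firewall never saw the SYN is exactly what an asymmetric return path through a second ASA produces (request in via ASA_02, reply out via ASA_01), so counting that pattern from syslog confirms the diagnosis before anything on the firewalls is changed. The sample lines are constructed from the messages in this thread; the 203.0.113.7 line and the function names are assumptions for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog lines modelled on the messages in this thread.
# The VPN client 192.168.10.1 reaches 192.168.1.162:22 via ASA_02; the
# SYN ACK returns via ASA_01 (the default gateway), which has no
# connection entry for it. The last line is a constructed plain-ACK deny
# on the outside interface, included so the two cases are distinguished.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.162/22 to 192.168.10.1/34625 flags SYN ACK on interface inside
%ASA-7-609002: Teardown local-host inside:192.168.1.162 duration 0:00:00
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.162/22 to 192.168.10.1/34626 flags SYN ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.162/22 to 192.168.10.1/34626 flags ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.7/4444 to 192.168.1.50/445 flags ACK on interface outside
"""

# Matches the 106015 message format as it appears in the thread.
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Deny:
    src: str
    sport: int
    dst: str
    dport: int
    flags: tuple  # e.g. ('SYN', 'ACK')
    iface: str


def parse_denies(text):
    """Extract every 106015 deny from a block of syslog text.
    Other messages (e.g. 609002 teardowns) are ignored."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denies.append(Deny(
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                tuple(m["flags"].split()), m["iface"],
            ))
    return denies


def asymmetric_candidates(denies, iface="inside", min_hits=1):
    """Return {(server_ip, server_port, client_ip): count} for SYN ACK denies
    seen on the given interface. A SYN ACK with no matching connection means
    the handshake's SYN entered the network through a different path than
    the reply is leaving by, i.e. asymmetric routing through another gateway.
    Plain ACK/FIN denies are excluded: those are the usual no-connection
    noise (stale or timed-out sessions) and do not indicate this problem."""
    counts = Counter()
    for d in denies:
        if d.iface == iface and "SYN" in d.flags and "ACK" in d.flags:
            counts[(d.src, d.sport, d.dst)] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}


if __name__ == "__main__":
    found = asymmetric_candidates(parse_denies(SAMPLE_LOG))
    for (server, port, client), n in sorted(found.items()):
        print(f"{n}x SYN ACK without connection: {server}:{port} -> {client} "
              f"(reply path bypasses the ASA that saw no SYN)")
```

Run against a larger export, raise `min_hits` so one-off denies drop out; a stable set of (server, port, client) tuples all pointing at the VPN client range is the signature of the setup described in this thread, where the request enters via ASA_02 and the reply leaves via ASA_01.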
