Hello Experts,
I have a weird problem and I don't know what the cause could be.
I had something like this:
VPN (public)------------(dmz 50) ASA (inside 100)--------------f0/0 Router
FAIL <---------------TCP-----------
I had an ACL permit IP any any in dmz interface.
The connection from a higher security level interface to a lower one is supposed
to pass by default (no nat-control).
The ICMP traffic passes OK from R to VPN.
When I try a TCP application (telnet or http), I see something like this on the
ASA:
TELNET FROM INSIDE TO DMZ
%ASA-6-302013: Built outbound TCP connection 242 for
dmz1:201.1.10.11/23 (201.1.10.11/23) to inside:201.1.1.1/11003
(201.1.1.1/11003)
%ASA-6-302014: Teardown TCP connection 242 for dmz1:201.1.10.11/23 to
inside:201.1.1.1/11003 duration 0:00:00 bytes 0 TCP Reset-I
HTTP FROM INSIDE TO DMZ
%ASA-6-302013: Built outbound TCP connection 246 for
dmz1:201.1.10.11/8008 (201.1.10.11/8008) to inside:201.1.1.1/11004
(201.1.1.1/11004)
%ASA-6-302014: Teardown TCP connection 246 for dmz1:201.1.10.11/8008
to inside:201.1.1.1/11004 duration 0:00:00 bytes 0 TCP Reset-I
HTTPS FROM INSIDE TO DMZ
%ASA-6-302013: Built outbound TCP connection 250 for
dmz1:201.1.10.11/8009 (201.1.10.11/8009) to inside:201.1.1.1/11005
(201.1.1.1/11005)
%ASA-6-302014: Teardown TCP connection 250 for dmz1:201.1.10.11/8009
to inside:201.1.1.1/11005 duration 0:00:00 bytes 0 TCP Reset-I
****************
When the connection is from a lower security level to a higher one, with an ACL to
allow the traffic, it works!
VPN (public)------------(dmz 50) ASA (outside 0)--------------f0/0 Router
PASS <-----------TCP-----------
TELNET FROM OUTSIDE TO DMZ
%ASA-7-609001: Built local-host outside:201.1.0.100
%ASA-7-609001: Built local-host dmz1:201.1.10.11
%ASA-6-302013: Built inbound TCP connection 231 for
outside:201.1.0.100/2114 (201.1.0.100/2114) to dmz1:201.1.10.11/23
(201.1.10.11/23)
HTTP FROM OUTSIDE TO DMZ
%ASA-6-302013: Built inbound TCP connection 232 for
outside:201.1.0.100/2179 (201.1.0.100/2179) to dmz1:201.1.10.11/8008
(201.1.10.11/8008)
%ASA-6-302013: Built inbound TCP connection 233 for
outside:201.1.0.100/2180 (201.1.0.100/2180) to dmz1:201.1.10.11/8008
(201.1.10.11/8008)
HTTPS FROM OUTSIDE TO DMZ
%ASA-6-302013: Built inbound TCP connection 236 for
outside:201.1.0.100/2226 (201.1.0.100/2226) to dmz1:201.1.10.11/8009
(201.1.10.11/8009)
%ASA-6-302014: Teardown TCP connection 236 for
outside:201.1.0.100/2226 to dmz1:201.1.10.11/8009 duration 0:00:00
bytes 867 TCP FINs
%ASA-6-302013: Built inbound TCP connection 237 for
outside:201.1.0.100/2228 (201.1.0.100/2228) to dmz1:201.1.10.11/8009
(201.1.10.11/8009)
But this is the best part!
When I put a router in place of the VPN, all the services work fine (Telnet, HTTP,
ICMP) from any interface to any other.
Also, when I put the VPN back and replace the ASA with a router, all the services
work fine (Telnet, HTTP, ICMP) from any interface to any other.
All the devices are connected to the same switch.
I would appreciate any idea or support about the issue.
Regards,
Manuel
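An added example, not part of Manuel's post: a small Python parser that re-joins the mail-wrapped ASA syslog messages, pairs each 302013 build with its 302014 teardown by connection id, and flags sessions torn down with zero bytes by a TCP reset (the failing inside-to-dmz case above) as opposed to the outside-to-dmz session that closed normally with FINs. The sample lines are constructed from the messages quoted in the post.

```python
import re

# Constructed sample, kept in the wrapped shape the mail archive shows
# (continuation lines do not start with "%ASA-").
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 242 for
dmz1:201.1.10.11/23 (201.1.10.11/23) to inside:201.1.1.1/11003
(201.1.1.1/11003)
%ASA-6-302014: Teardown TCP connection 242 for dmz1:201.1.10.11/23 to
inside:201.1.1.1/11003 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 236 for
outside:201.1.0.100/2226 (201.1.0.100/2226) to dmz1:201.1.10.11/8009
(201.1.10.11/8009)
%ASA-6-302014: Teardown TCP connection 236 for
outside:201.1.0.100/2226 to dmz1:201.1.10.11/8009 duration 0:00:00
bytes 867 TCP FINs
"""

BUILT = re.compile(r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection "
                   r"(?P<id>\d+) for (?P<a>\S+) \(\S+\) to (?P<b>\S+) \(\S+\)")
TEARDOWN = re.compile(r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for \S+ to \S+ "
                      r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$")

def unwrap(text):
    """Re-join syslog messages that the mail client wrapped onto several lines."""
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("%ASA-") or not msgs:
            msgs.append(line.strip())
        else:
            msgs[-1] += " " + line.strip()
    return msgs

def parse_connections(text):
    """Map connection id -> build details plus teardown byte count and reason."""
    conns = {}
    for msg in unwrap(text):
        m = BUILT.match(msg)
        if m:
            conns[m["id"]] = {"dir": m["dir"], "a": m["a"], "b": m["b"],
                              "bytes": None, "duration": None, "reason": None}
            continue
        m = TEARDOWN.match(msg)
        if m and m["id"] in conns:
            conns[m["id"]].update(bytes=int(m["bytes"]), duration=m["dur"], reason=m["reason"])
    return conns

def failed_handshakes(text):
    """Ids torn down with zero bytes by a TCP reset: the handshake never completed."""
    return sorted(cid for cid, c in parse_connections(text).items()
                  if c["bytes"] == 0 and c["reason"] and c["reason"].startswith("TCP Reset"))
```

In Cisco's teardown reason table "TCP Reset-I" means the reset came from the inside side, so the zero-byte, zero-duration teardowns point at the TCP handshake breaking between the ASA and the router rather than at the ACL.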
Received on Fri Apr 03 2009 - 00:42:11 ART
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART