Where is your config?
On Fri, Apr 3, 2009 at 12:42 AM, Manuel Rocha <mrocha1_at_hotmail.com> wrote:
> Hello Experts,
>
>
>
> I have a weird problem and I don't know what the cause could be.
>
> I had something like this:
>
> VPN (public)------------(dmz 50) ASA (inside 100)--------------f0/0 Router
>
> FAIL <---------------TCP-----------
>
>
> I had an ACL permit ip any any on the dmz interface.
>
> A connection from a higher security-level interface to a lower one is
> supposed to pass by default (no nat-control).
> The ICMP traffic passes OK from R to VPN.
>
> When I try a TCP application (telnet or HTTP) I see something like this in
> the ASA:
>
> TELNET FROM INSIDE TO DMZ
> %ASA-6-302013: Built outbound TCP connection 242 for dmz1:201.1.10.11/23 (201.1.10.11/23) to inside:201.1.1.1/11003 (201.1.1.1/11003)
> %ASA-6-302014: Teardown TCP connection 242 for dmz1:201.1.10.11/23 to inside:201.1.1.1/11003 duration 0:00:00 bytes 0 TCP Reset-I
>
> HTTP FROM INSIDE TO DMZ
> %ASA-6-302013: Built outbound TCP connection 246 for dmz1:201.1.10.11/8008 (201.1.10.11/8008) to inside:201.1.1.1/11004 (201.1.1.1/11004)
> %ASA-6-302014: Teardown TCP connection 246 for dmz1:201.1.10.11/8008 to inside:201.1.1.1/11004 duration 0:00:00 bytes 0 TCP Reset-I
>
> HTTPS FROM INSIDE TO DMZ
> %ASA-6-302013: Built outbound TCP connection 250 for dmz1:201.1.10.11/8009 (201.1.10.11/8009) to inside:201.1.1.1/11005 (201.1.1.1/11005)
> %ASA-6-302014: Teardown TCP connection 250 for dmz1:201.1.10.11/8009 to inside:201.1.1.1/11005 duration 0:00:00 bytes 0 TCP Reset-I
>
>
>
> ****************
>
>
> When the connection is from a lower security level to a higher one, with an
> ACL to allow the traffic, it works!
>
> VPN (public)------------(dmz 50) ASA (outside 0)--------------f0/0 Router
> PASS <-----------TCP-----------
>
>
> TELNET FROM OUTSIDE TO DMZ
> %ASA-7-609001: Built local-host outside:201.1.0.100
> %ASA-7-609001: Built local-host dmz1:201.1.10.11
> %ASA-6-302013: Built inbound TCP connection 231 for outside:201.1.0.100/2114 (201.1.0.100/2114) to dmz1:201.1.10.11/23 (201.1.10.11/23)
>
> HTTP FROM OUTSIDE TO DMZ
> %ASA-6-302013: Built inbound TCP connection 232 for outside:201.1.0.100/2179 (201.1.0.100/2179) to dmz1:201.1.10.11/8008 (201.1.10.11/8008)
> %ASA-6-302013: Built inbound TCP connection 233 for outside:201.1.0.100/2180 (201.1.0.100/2180) to dmz1:201.1.10.11/8008 (201.1.10.11/8008)
>
> HTTPS FROM OUTSIDE TO DMZ
> %ASA-6-302013: Built inbound TCP connection 236 for outside:201.1.0.100/2226 (201.1.0.100/2226) to dmz1:201.1.10.11/8009 (201.1.10.11/8009)
> %ASA-6-302014: Teardown TCP connection 236 for outside:201.1.0.100/2226 to dmz1:201.1.10.11/8009 duration 0:00:00 bytes 867 TCP FINs
> %ASA-6-302013: Built inbound TCP connection 237 for outside:201.1.0.100/2228 (201.1.0.100/2228) to dmz1:201.1.10.11/8009 (201.1.10.11/8009)
>
>
>
> But this is the best part!
> When I put a router in place of the VPN, all the services work fine (Telnet,
> HTTP, ICMP) from any interface to any other.
>
> Also, when I put the VPN back and replace the ASA with a router, all the
> services work fine (Telnet, HTTP, ICMP) from any interface to any other.
>
> All the devices are connected to the same switch.
>
> I will appreciate any idea or support about the issue.
>
>
> Regards,
>
>
> Manuel
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
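An added example, not part of the thread above: a small Python script that parses the ASA 302013/302014 syslog lines quoted in the post, pairs each Teardown with its Built by connection ID, and flags the pattern seen on the inside-to-dmz attempts (torn down by a TCP reset, zero bytes, zero duration) while leaving the outside-to-dmz connections alone. The sample lines are the post's own log lines re-joined onto single lines; the class and function names are my own. Cisco documents the 302014 reason "TCP Reset-I" as a reset received from the inside and "TCP Reset-O" as one received from the outside, which is what `reset_origin` reports; the script diagnoses nothing beyond that.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the 302013/302014 lines from the post, re-joined onto
# single lines (the mail client had wrapped them), plus the two 609001 lines
# to show that message IDs the parser does not handle are simply skipped.
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 242 for dmz1:201.1.10.11/23 (201.1.10.11/23) to inside:201.1.1.1/11003 (201.1.1.1/11003)",
    "%ASA-6-302014: Teardown TCP connection 242 for dmz1:201.1.10.11/23 to inside:201.1.1.1/11003 duration 0:00:00 bytes 0 TCP Reset-I",
    "%ASA-6-302013: Built outbound TCP connection 246 for dmz1:201.1.10.11/8008 (201.1.10.11/8008) to inside:201.1.1.1/11004 (201.1.1.1/11004)",
    "%ASA-6-302014: Teardown TCP connection 246 for dmz1:201.1.10.11/8008 to inside:201.1.1.1/11004 duration 0:00:00 bytes 0 TCP Reset-I",
    "%ASA-6-302013: Built outbound TCP connection 250 for dmz1:201.1.10.11/8009 (201.1.10.11/8009) to inside:201.1.1.1/11005 (201.1.1.1/11005)",
    "%ASA-6-302014: Teardown TCP connection 250 for dmz1:201.1.10.11/8009 to inside:201.1.1.1/11005 duration 0:00:00 bytes 0 TCP Reset-I",
    "%ASA-7-609001: Built local-host outside:201.1.0.100",
    "%ASA-7-609001: Built local-host dmz1:201.1.10.11",
    "%ASA-6-302013: Built inbound TCP connection 231 for outside:201.1.0.100/2114 (201.1.0.100/2114) to dmz1:201.1.10.11/23 (201.1.10.11/23)",
    "%ASA-6-302013: Built inbound TCP connection 232 for outside:201.1.0.100/2179 (201.1.0.100/2179) to dmz1:201.1.10.11/8008 (201.1.10.11/8008)",
    "%ASA-6-302013: Built inbound TCP connection 233 for outside:201.1.0.100/2180 (201.1.0.100/2180) to dmz1:201.1.10.11/8008 (201.1.10.11/8008)",
    "%ASA-6-302013: Built inbound TCP connection 236 for outside:201.1.0.100/2226 (201.1.0.100/2226) to dmz1:201.1.10.11/8009 (201.1.10.11/8009)",
    "%ASA-6-302014: Teardown TCP connection 236 for outside:201.1.0.100/2226 to dmz1:201.1.10.11/8009 duration 0:00:00 bytes 867 TCP FINs",
    "%ASA-6-302013: Built inbound TCP connection 237 for outside:201.1.0.100/2228 (201.1.0.100/2228) to dmz1:201.1.10.11/8009 (201.1.10.11/8009)",
]

# "for <side a> to <side b>": the ASA logs the lower-security side first.
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<a>[\w-]+:[\d.]+/\d+) \([\d.]+/\d+\) "
    r"to (?P<b>[\w-]+:[\d.]+/\d+) \([\d.]+/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<a>[\w-]+:[\d.]+/\d+) to (?P<b>[\w-]+:[\d.]+/\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


@dataclass
class Conn:
    conn_id: int
    direction: str                   # "inbound" / "outbound" as the ASA logged it
    side_a: str                      # lower-security side as "interface:ip/port"
    side_b: str                      # higher-security side
    duration: Optional[int] = None   # seconds, filled in by the Teardown message
    byte_count: Optional[int] = None
    reason: Optional[str] = None     # e.g. "TCP Reset-I", "TCP FINs"


def parse_asa_connections(lines: List[str]) -> Dict[int, Conn]:
    """Pair Built (302013) and Teardown (302014) messages by connection ID."""
    conns: Dict[int, Conn] = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            cid = int(m["id"])
            conns[cid] = Conn(cid, m["dir"], m["a"], m["b"])
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            cid = int(m["id"])
            conn = conns.get(cid)
            if conn is None:
                # Teardown whose Built fell outside this log window: keep it
                # rather than drop it, with the direction marked unknown.
                conn = Conn(cid, "unknown", m["a"], m["b"])
                conns[cid] = conn
            conn.duration = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            conn.byte_count = int(m["bytes"])
            conn.reason = m["reason"].strip()
    return conns


def reset_origin(reason: Optional[str]) -> str:
    """Where the ASA says the RST came from, per its documented 302014 reasons."""
    return {"TCP Reset-I": "inside", "TCP Reset-O": "outside"}.get(reason or "", "n/a")


def dead_on_arrival(conns: Dict[int, Conn], max_seconds: int = 1) -> List[Conn]:
    """Connections closed by a TCP reset that moved no bytes and lived at most max_seconds."""
    hits = [
        c for c in conns.values()
        if c.reason is not None and c.reason.startswith("TCP Reset")
        and c.byte_count == 0
        and c.duration is not None and c.duration <= max_seconds
    ]
    return sorted(hits, key=lambda c: c.conn_id)


def report(conns: Dict[int, Conn]) -> List[str]:
    """One human-readable line per flagged connection."""
    return [
        f"conn {c.conn_id} {c.direction} {c.side_b} -> {c.side_a}: "
        f"{c.reason} (reset from {reset_origin(c.reason)}), {c.byte_count} bytes"
        for c in dead_on_arrival(conns)
    ]


if __name__ == "__main__":
    for line in report(parse_asa_connections(SAMPLE_LOG)):
        print(line)
```

Run against the post's lines, this flags connections 242, 246 and 250 and leaves 231 through 237 alone; `conn 236` is closed by FINs after moving 867 bytes, so it fails the zero-byte test even though its duration is also 0:00:00. To use it on a real ASA, feed it the output of `show logging` or the syslog collector's file one line per message.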
Received on Fri Apr 03 2009 - 10:58:50 ART
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART