Hi Darby,
Here is the config.
I also tried this config with the FW in single mode without subinterfaces, with the same result.
But just this morning I was thinking that the problem could be related to a routing issue in the VPN concentrator.
Its private interface is connected to the same network as the inside interface, and it also had RIP (I read that it is enabled by default).
So the traffic is flowing host>inside>dmz>public, but the response from the VPN is coming out the private interface: private>host.
I don't know if this is the issue; I will check that tonight.
What do you think?
Thanks,
Manuel
ASA Version 7.2(2) <context>
!
hostname c1
names
!
interface Ethernet0/0.2
 nameif inside
 security-level 100
 ip address 201.1.1.10 255.255.255.0 standby 201.1.1.253
!
interface Ethernet0/0.3
 nameif dmz1
 security-level 10
 ip address 201.1.10.10 255.255.255.0 standby 201.1.10.253
!
interface Ethernet0/0.4
 mac-address 0007.eb39.cc11
 nameif outside
 security-level 0
 ip address 201.1.0.10 255.255.255.0 standby 201.1.0.253
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list OUT_ACL extended permit ip any any
access-list DMZ1 extended permit ip any any
pager lines 24
logging enable
mtu inside 1500
mtu dmz1 1500
mtu outside 1500
monitor-interface inside
monitor-interface dmz1
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group DMZ1 in interface dmz1
access-group OUT_ACL in interface outside
route inside 170.1.1.0 255.255.255.0 201.1.1.1 1
route inside 170.100.1.0 255.255.255.0 201.1.1.1 1
route outside 0.0.0.0 0.0.0.0 201.1.0.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end
From: Darby Weaver
Sent: Friday, April 03, 2009 10:58 AM
To: Manuel Rocha
Cc: ccielab_at_groupstudy.com
Subject: Re: TCP Reset - ASA or VPN Problem
Where is your config?
On Fri, Apr 3, 2009 at 12:42 AM, Manuel Rocha <mrocha1_at_hotmail.com> wrote:
Hello Experts,
I have a weird problem and I don't know what the cause could be.
I had something like this:

VPN (public)------------(dmz 50) ASA (inside 100)--------------f0/0 Router
                                 FAIL
                   <---------------TCP-----------

I had an ACL permit ip any any on the dmz interface.
The connection from a higher security level interface to a lower one is supposed to pass by default (no nat-control).
The ICMP traffic passes OK from R to VPN.
When I tried a TCP application (telnet or http) I see something like this in the ASA:
TELNET FROM INSIDE TO DMZ
%ASA-6-302013: Built outbound TCP connection 242 for dmz1:201.1.10.11/23 (201.1.10.11/23) to inside:201.1.1.1/11003 (201.1.1.1/11003)
%ASA-6-302014: Teardown TCP connection 242 for dmz1:201.1.10.11/23 to inside:201.1.1.1/11003 duration 0:00:00 bytes 0 TCP Reset-I

HTTP FROM INSIDE TO DMZ
%ASA-6-302013: Built outbound TCP connection 246 for dmz1:201.1.10.11/8008 (201.1.10.11/8008) to inside:201.1.1.1/11004 (201.1.1.1/11004)
%ASA-6-302014: Teardown TCP connection 246 for dmz1:201.1.10.11/8008 to inside:201.1.1.1/11004 duration 0:00:00 bytes 0 TCP Reset-I

HTTPS FROM INSIDE TO DMZ
%ASA-6-302013: Built outbound TCP connection 250 for dmz1:201.1.10.11/8009 (201.1.10.11/8009) to inside:201.1.1.1/11005 (201.1.1.1/11005)
%ASA-6-302014: Teardown TCP connection 250 for dmz1:201.1.10.11/8009 to inside:201.1.1.1/11005 duration 0:00:00 bytes 0 TCP Reset-I

****************
When the connection is from a lower security level to a higher one, with an ACL to allow the traffic, it works!

VPN (public)------------(dmz 50) ASA (outside 0)--------------f0/0 Router
                                 PASS
                   <-----------TCP-----------
TELNET FROM OUTSIDE TO DMZ
%ASA-7-609001: Built local-host outside:201.1.0.100
%ASA-7-609001: Built local-host dmz1:201.1.10.11
%ASA-6-302013: Built inbound TCP connection 231 for outside:201.1.0.100/2114 (201.1.0.100/2114) to dmz1:201.1.10.11/23 (201.1.10.11/23)

HTTP FROM OUTSIDE TO DMZ
%ASA-6-302013: Built inbound TCP connection 232 for outside:201.1.0.100/2179 (201.1.0.100/2179) to dmz1:201.1.10.11/8008 (201.1.10.11/8008)
%ASA-6-302013: Built inbound TCP connection 233 for outside:201.1.0.100/2180 (201.1.0.100/2180) to dmz1:201.1.10.11/8008 (201.1.10.11/8008)

HTTPS FROM OUTSIDE TO DMZ
%ASA-6-302013: Built inbound TCP connection 236 for outside:201.1.0.100/2226 (201.1.0.100/2226) to dmz1:201.1.10.11/8009 (201.1.10.11/8009)
%ASA-6-302014: Teardown TCP connection 236 for outside:201.1.0.100/2226 to dmz1:201.1.10.11/8009 duration 0:00:00 bytes 867 TCP FINs
%ASA-6-302013: Built inbound TCP connection 237 for outside:201.1.0.100/2228 (201.1.0.100/2228) to dmz1:201.1.10.11/8009 (201.1.10.11/8009)
But this is the best part!
When I put a Router in place of the VPN, all the services work fine (Telnet, HTTP, ICMP) from any interface to another.
Also, when I put back the VPN and replace the ASA with a Router, all the services work fine (Telnet, HTTP, ICMP) from any interface to another.
All the devices are connected to the same switch.
I will appreciate any idea or support about the issue.
Regards,
Manuel
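The 302013/302014 pairs quoted in the post above, run through a small log parser that flags sessions reset before any byte crossed the ASA and counts them per interface pair. This is an added example, not code from the thread; the regexes assume the exact message format shown above, and the sample lines are constructed from the ones quoted in the post.

```python
import re
from collections import defaultdict

# Patterns follow the message format quoted in the thread (an assumption about
# the exact grammar, not taken from Cisco documentation).
BUILT_RE = re.compile(r"302013: Built (inbound|outbound) TCP connection (\d+) for "
                      r"(\w+):[\d.]+/(\d+) \S+ to (\w+):[\d.]+/(\d+)")
TEARDOWN_RE = re.compile(r"302014: Teardown TCP connection (\d+) .*?bytes (\d+) (.+?)\s*$")

# Sample syslog lines, constructed from the ones quoted in the thread.
SAMPLE = """\
%ASA-6-302013: Built outbound TCP connection 242 for dmz1:201.1.10.11/23 (201.1.10.11/23) to inside:201.1.1.1/11003 (201.1.1.1/11003)
%ASA-6-302014: Teardown TCP connection 242 for dmz1:201.1.10.11/23 to inside:201.1.1.1/11003 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 236 for outside:201.1.0.100/2226 (201.1.0.100/2226) to dmz1:201.1.10.11/8009 (201.1.10.11/8009)
%ASA-6-302014: Teardown TCP connection 236 for outside:201.1.0.100/2226 to dmz1:201.1.10.11/8009 duration 0:00:00 bytes 867 TCP FINs
""".splitlines()

def parse_built(line):
    """(conn_id, initiator_if, responder_if). In 302013 the initiator is the
    second endpoint for 'outbound' and the first for 'inbound' (see the ports)."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    direction, cid, a_if, _, b_if, _ = m.groups()
    return (int(cid), b_if, a_if) if direction == "outbound" else (int(cid), a_if, b_if)

def find_failed_handshakes(lines):
    """[(conn_id, initiator_if, responder_if, reason)] for sessions reset with
    0 bytes: the ASA built state on the SYN but never saw the handshake
    complete, the log signature of a return path that bypasses the firewall."""
    built, failed = {}, []
    for line in lines:
        b = parse_built(line)
        if b:
            built[b[0]] = b[1:]
            continue
        t = TEARDOWN_RE.search(line)
        if t and t.group(3).startswith("TCP Reset") and t.group(2) == "0":
            cid = int(t.group(1))
            failed.append((cid,) + built.get(cid, (None, None)) + (t.group(3),))
    return failed

def resets_by_path(lines):
    """{(initiator_if, responder_if): (built, reset)} per interface pair."""
    counts = defaultdict(lambda: [0, 0])
    for b in filter(None, map(parse_built, lines)):
        counts[b[1:]][0] += 1
    for f in find_failed_handshakes(lines):
        counts[f[1:3]][1] += 1
    return {k: tuple(v) for k, v in counts.items()}
```

Feeding a full day of 302013/302014 lines into resets_by_path makes the pattern in the post obvious: every inside-initiated session to dmz1 resets at 0 bytes while outside-initiated ones complete, which points at the path the replies take rather than at the ACLs.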
Received on Fri Apr 03 2009 - 12:46:04 ART
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART