ASA 5510 with 8.2(1) drive mappings work, then fail on LAN connections

Infosys2008
Junior Member
Join Date: Nov 2009
Posts: 1

11-09-2009
Never worked with ASAs, and I just started working here; we only have ACLs. Any help would be appreciated. We are not NATed at this point. The problem is that the LAN is being denied. Drive mappings work, then fail. Users have to log off and back on, but it keeps failing. What is wrong with my config? Errors are at the bottom.

ASA Version 8.2(1)
!
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 164.234.17.49 255.255.255.240
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 12.212.177.62 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.100 255.255.255.0
management-only
!
banner motd ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!!
banner motd This is a privately owned computing system.
banner motd Access is permitted only by authorized employees or agents of the company.
banner motd The system may be used only for authorized company business.
banner motd Company management approval is required for all access privileges.
banner motd This system is equipped with a security system intended to prevent and
banner motd record unauthorized access attempts.
banner motd Unauthorized access or use is a crime under the law.
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list outsideIn extended permit ip 133.185.175.0 255.255.255.0 any
access-list outsideIn extended deny ip 220.226.218.0 255.255.255.0 any
access-list outsideIn extended deny ip 110.35.34.0 255.255.255.0 any
access-list outsideIn extended deny ip 24.76.48.0 255.255.255.0 any
access-list outsideIn extended permit ip 12.212.179.0 255.255.255.0 any
access-list outsideIn extended permit tcp any host 12.212.177.72 eq 8009
access-list outsideIn extended permit tcp any host 12.212.177.40 eq www
access-list outsideIn extended permit tcp any 12.212.177.0 255.255.255.192 eq smtp
access-list outsideIn extended permit udp host 133.185.254.252 any
access-list outsideIn extended permit udp host 205.225.182.1 any
access-list outsideIn extended permit udp host 205.225.130.209 any
access-list outsideIn extended permit tcp host 164.234.17.50 host 164.234.17.49 eq telnet
access-list outsideIn extended permit tcp any host 12.212.177.27 eq smtp
access-list outsideIn extended permit tcp any host 12.212.177.27 eq 8167
access-list outsideIn extended permit tcp any host 12.212.177.19 eq 5003
access-list outsideIn extended permit tcp any host 12.212.177.19 eq 18082
access-list outsideIn extended permit udp any host 12.212.177.27 eq 8167
access-list outsideIn extended permit ip 12.212.177.0 255.255.255.0 any
access-list outsideIn extended permit ip 12.212.179.0 255.255.255.128 any
access-list outsideIn extended permit tcp any host 12.212.177.19 eq telnet
access-list outsideIn extended permit tcp any host 12.212.177.16 eq telnet
access-list outsideIn extended permit tcp any host 12.212.177.40 eq telnet
access-list outsideIn extended permit tcp any 12.212.177.0 255.255.255.0 gt 1024
access-list outsideIn extended permit icmp 164.234.17.0 255.255.255.0 any
access-list outsideIn extended permit icmp 172.16.89.0 255.255.255.0 any
access-list outsideIn extended permit ip 12.212.177.0 255.255.255.0 164.234.0.0 255.255.0.0
access-list outsideIn extended deny ip any any log
access-list InsideOut extended permit icmp any any
access-list InsideOut extended permit ip 12.212.177.0 255.255.255.0 any
access-list InsideOut extended permit udp any any
access-list InsideOut extended permit tcp any any
access-list InsideOut extended permit ip any any
pager lines 24
logging enable
logging monitor warnings
logging buffered notifications
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 133.185.0.0 255.255.0.0 echo-reply outside
icmp permit 133.185.0.0 255.255.0.0 echo outside
icmp permit 12.212.177.0 255.255.255.0 echo inside
icmp permit 133.185.0.0 255.255.0.0 echo-reply inside
icmp permit 133.185.0.0 255.255.0.0 echo inside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
static (outside,inside) 12.212.177.0 255.255.255.0 netmask 255.255.255.0
access-group outsideIn in interface outside
access-group InsideOut in interface inside
route outside 0.0.0.0 0.0.0.0 164.234.17.62 1
route inside 164.234.42.0 255.255.255.0 12.212.177.63 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect http
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global

*********************** Errors below*********************
%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2545 flags RST ACK on interface inside
%ASA-4-500004: Invalid transport field for protocol=UDP, from 12.212.177.13/4894 to 0.0.0.1/0
%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2547 flags RST ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2551 flags RST ACK on interface inside
%ASA-5-304001: 12.212.177.137 Accessed URL 209.80.46.53:/js/counter.js?site=s27Pollster
%ASA-5-304001: 12.212.177.137 Accessed URL 209.80.46.53:/js/counter.asp?site=s27Pollster
%ASA-2-106006: Deny inbound UDP from 125.164.129.185/1235 to 12.212.179.161/24495 on interface outside
%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2567 flags SYN ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2553 flags RST ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2569 flags SYN ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2555 flags RST ACK on interface inside
%ASA-4-500004: Invalid transport field for protocol=UDP, from 12.212.177.13/4894 to 0.0.0.2/0
%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2557 flags RST ACK on interface inside
 

Last edited by Infosys2008; 11-09-2009 at 07:19 PM.

networkerz
Junior Member
Join Date: May 2010
Posts: 1

07-19-2011
Quote: Originally Posted by Infosys2008
Never worked with ASAs, and I just started working here; we only have ACLs. Any help would be appreciated. We are not NATed at this point. The problem is that the LAN is being denied. Drive mappings work, then fail. Users have to log off and back on, but it keeps failing. What is wrong with my config? Errors are at the bottom.

%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2545 flags RST ACK on interface inside

Hi Infosys2008, I've been searching for something related to this error and somehow I found your thread. Let's investigate this one by one; we'll start with the error above.

I've checked your ACL, it's there.

Line 57: access-list outsideIn extended permit tcp any host 12.212.177.27 eq 8167

But how come you get that error message?
Hint: Always look at the error message and try to figure it out.

In which situation will we get TCP flag RST ACK? One of the situations is where the first SYN packet sent by the initiator to the recipient gets that in response. In other words, port 8167 is not even listening on 12.212.177.27, or there might be another network device that blocked this connection.

I would suggest you run packet-tracer to test the firewall rules.

Code:
packet-tracer input <interface> tcp 164.234.42.7 2545 12.212.177.27 8167 detail

You can also do a packet capture to see more details on what is actually happening in your network. I guess you'll see a number of SYN packets sent from 164.234.42.7 to 12.212.177.27 at port 8167, and then 12.212.177.27 will reply with RST ACK instead of a SYN ACK packet.

Hope this will help.
 
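As an added example (not code from this thread or from Cisco), the Python script below does offline what the reply above suggests doing on the box: it parses the ASA deny messages pasted in the original post, runs each denied flow through a first-match evaluation of a trimmed copy of the posted outsideIn/InsideOut access lists (using the interface-to-ACL binding from the posted access-group lines), and groups the events by interface and by the TCP flags the log reports. It serves both the config in the first post and the reply's analysis: the inside-interface 106001 events all carry SYN ACK or RST ACK, i.e. they are reply-direction segments, and the inside ACL would permit them, so they are not ACL hits; a stateful firewall rejects a non-SYN TCP segment for which it holds no connection entry. Grouping by flags also separates the RST ACK answers (port closed or blocked, as the reply explains) from the SYN ACK answers (port responding). The log lines are copied from the thread; the ACL subset is copied from it; the function names, the Flow record and the REPLY_FLAGS set are this example's own.

```python
"""Added example (not from the thread or from Cisco): parse ASA deny messages,
evaluate them against a first-match ACL, and summarise by interface and TCP flags."""
import ipaddress
import re
from collections import Counter, namedtuple

# Syslog lines copied from the thread; 500004/304001 lines are deliberately not parsed.
LOG_LINES = [
    "%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2545 flags RST ACK on interface inside",
    "%ASA-4-500004: Invalid transport field for protocol=UDP, from 12.212.177.13/4894 to 0.0.0.1/0",
    "%ASA-2-106006: Deny inbound UDP from 125.164.129.185/1235 to 12.212.179.161/24495 on interface outside",
    "%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2567 flags SYN ACK on interface inside",
    "%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2553 flags RST ACK on interface inside",
]

# Trimmed copy of the thread's access lists (same syntax, fewer entries) and the
# interface-to-ACL binding from its access-group lines.
ACL_LINES = [
    "access-list outsideIn extended permit tcp any host 12.212.177.27 eq 8167",
    "access-list outsideIn extended permit ip 12.212.177.0 255.255.255.0 any",
    "access-list outsideIn extended permit tcp any 12.212.177.0 255.255.255.0 gt 1024",
    "access-list outsideIn extended deny ip any any log",
    "access-list InsideOut extended permit ip 12.212.177.0 255.255.255.0 any",
    "access-list InsideOut extended permit ip any any",
]
INTERFACE_ACL = {"outside": "outsideIn", "inside": "InsideOut"}
PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23}  # named ports used in the thread's ACL
REPLY_FLAGS = {"SYN ACK", "RST ACK"}                 # flag sets only a responder sends (example's own)

Flow = namedtuple("Flow", "msg proto src sport dst dport flags iface")

DENY_TCP = re.compile(r"%ASA-\d-106001: Inbound TCP connection denied from (\S+)/(\d+) to (\S+)/(\d+) flags (.+?) on interface (\S+)")
DENY_UDP = re.compile(r"%ASA-\d-106006: Deny inbound UDP from (\S+)/(\d+) to (\S+)/(\d+) on interface (\S+)")


def parse_line(line):
    """Return a Flow for the two deny message formats seen in the thread, else None."""
    m = DENY_TCP.search(line)
    if m:
        src, sport, dst, dport, flags, iface = m.groups()
        return Flow("106001", "tcp", src, int(sport), dst, int(dport), flags, iface)
    m = DENY_UDP.search(line)
    if m:
        src, sport, dst, dport, iface = m.groups()
        return Flow("106006", "udp", src, int(sport), dst, int(dport), "", iface)
    return None


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse: access-list NAME extended ACTION PROTO SRC DST [eq|gt PORT] [log]"""
    t = line.split()
    name, action, proto = t[1], t[3], t[4]
    src, rest = _take_addr(t[5:])
    dst, rest = _take_addr(rest)
    op = port = None
    if rest and rest[0] in ("eq", "gt"):
        op = rest[0]
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst,
            "op": op, "port": port, "text": line}


def first_match(aces, name, flow):
    """ASA ACLs are first-match; None means the implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in aces:
        if ace["name"] != name or ace["proto"] not in ("ip", flow.proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["op"] == "eq" and flow.dport != ace["port"]:
            continue
        if ace["op"] == "gt" and flow.dport <= ace["port"]:
            continue
        return ace
    return None


def analyse(log_lines=LOG_LINES, acl_lines=ACL_LINES):
    """For each deny event: the ACL verdict on its interface and whether it is a reply segment."""
    aces = [parse_ace(l) for l in acl_lines]
    results = []
    for flow in filter(None, map(parse_line, log_lines)):
        ace = first_match(aces, INTERFACE_ACL[flow.iface], flow)
        results.append({"flow": flow,
                        "acl_verdict": ace["action"] if ace else "deny (implicit)",
                        "acl_entry": ace["text"] if ace else None,
                        "reply_segment": flow.flags in REPLY_FLAGS})
    return results


def summarise(results):
    """Count events by (interface, src, dst, flags) so a repeating pattern stands out."""
    return Counter((r["flow"].iface, r["flow"].src, r["flow"].dst, r["flow"].flags) for r in results)


if __name__ == "__main__":
    res = analyse()
    for r in res:
        f = r["flow"]
        print(f"{f.msg} {f.iface:7} {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"flags={f.flags or '-'} acl={r['acl_verdict']} reply_segment={r['reply_segment']}")
    for key, n in summarise(res).most_common():
        print(n, key)
```

Run it and the inside-interface events come out as acl=permit with reply_segment=True, while the outside UDP event lands on the explicit deny ip any any entry. Feed it a fuller `show logging` capture and the Counter shows at a glance which server and client pairs keep producing reply-direction denies, which is the pattern worth taking to packet-tracer and a capture on the inside interface.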