Problem : ASA5505 Deny TCP Across VPN

I am having trouble with a TCP connection being denied. Here is my setup. My main firewall is a Cisco ASA 5505 (192.168.1.1). I also have another VPN concentrator device for some corporate VPN connectivity (Nortel Contivity) (192.168.1.253). I can successfully AnyConnect VPN into my ASA5505 and use any local resources just fine. My clients are being assigned on the same subnet as my internal network via DHCP (192.168.1.x). I have a route for the 199.62.252.0 network to my Nortel Contivity VPN concentrator to let my ASA VPN clients access those VPNs across the Nortel. I have added the networks into the NAT exclusion list and am able to ping the hosts across my AnyConnect VPN, which then gets routed to the Nortel. When I try to access a web page across the VPN I get Deny TCP (no connection) errors. I can see that the TCP connection is being built, but I am still getting the Deny messages. I have also attached my ASA configuration.

ASA Deny Messages
Built inbound TCP connection 23778 for outside:192.168.1.51/3473 (192.168.1.51/3473) to inside:199.62.252.243/80 (199.62.252.243/80) (vpnuser)
Deny TCP (no connection) from 199.62.252.243/80 to 192.168.1.51/3473 flags SYN ACK  on interface outside
Deny TCP (no connection) from 199.62.252.243/80 to 192.168.1.51/3473 flags SYN ACK  on interface outside
Deny TCP (no connection) from 199.62.252.243/80 to 192.168.1.51/3473 flags PSH ACK  on interface outside
Deny TCP (no connection) from 199.62.252.243/80 to 192.168.1.51/3473 flags PSH ACK  on interface outside
Deny TCP (no connection) from 199.62.252.243/80 to 192.168.1.51/3473 flags PSH ACK  on interface outside
Deny TCP (no connection) from 199.62.252.243/80 to 192.168.1.51/3473 flags PSH ACK  on interface outside
Deny TCP (no connection) from 199.62.252.243/80 to 192.168.1.51/3473 flags RST ACK  on interface outside
Deny TCP (no connection) from 199.62.252.243/80 to 192.168.1.51/3473 flags RST  on interface outside

Any help would be appreciated.


Solution: ASA5505 Deny TCP Across VPN

>>but if it goes to the ASA first, then the ASA routes it the problem of TCP Deny messages happen.

That is correct. The ASA will not perform this type of traffic routing because it is not a true router…it’s a firewall. A normal router would typically receive the traffic on its Ethernet interface, check the route in its routing table to see what the best route to the destination network is, and then, upon discovering that the best route is through another gateway on the same subnet as the interface on which it received the traffic, it will issue ICMP redirects back to the client machine telling it that the gateway to that destination network is over here at this alternate IP on the same subnet and not itself. The ASA will not perform this ICMP redirect operation.

The best way to handle this scenario is to place a L3 device (router or L3 switch) on the subnet where this is happening (in this case, on the 192.168.1.0/24 network) and then configure the default gateway on all clients to be this L3 device.  Then, you can make the default route on this router be the ASA’s inside interface, and put in a static route for the 199.62.252.0/24 to point to the Nortel’s inside interface.

I believe I would also consider changing the VPN pool of addresses given out by the ASA to be on a completely different subnet than the internal network of the ASA.  I’ve seen flaky behavior when this configuration is in place and I typically recommend against it.  If you decide to try this as a troubleshooting step, you would need to add this new subnet for the VPN clients to the interesting traffic of the Nortel VPN connection and also put in a static route on the Nortel VPN Concentrator at 192.168.1.253 to point to the inside interface of the ASA.  Just a suggestion… 🙂
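The correlation that the answer describes, as an added example that is not part of this thread: a small Python script (function and field names are my own) that parses the ASA messages quoted in the question, pairs each "Built ... TCP connection" record with the "Deny TCP (no connection)" records for the reversed 4-tuple, and flags flows where the server's SYN ACK was denied on an interface other than the one the connection was built toward, which is the asymmetric-routing signature discussed above.

```python
import re
from collections import defaultdict

# Sample input: the messages quoted in the question plus one constructed, unrelated deny (10.9.9.9).
SAMPLE_LOG = """\
Built inbound TCP connection 23778 for outside:192.168.1.51/3473 (192.168.1.51/3473) to inside:199.62.252.243/80 (199.62.252.243/80) (vpnuser)
Deny TCP (no connection) from 199.62.252.243/80 to 192.168.1.51/3473 flags SYN ACK  on interface outside
Deny TCP (no connection) from 199.62.252.243/80 to 192.168.1.51/3473 flags PSH ACK  on interface outside
Deny TCP (no connection) from 199.62.252.243/80 to 192.168.1.51/3473 flags RST  on interface outside
Deny TCP (no connection) from 10.9.9.9/443 to 192.168.1.77/5000 flags SYN ACK  on interface outside
"""

BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (\d+) for "
    r"(\w+):([\d.]+)/(\d+) \([\d./]+\) to (\w+):([\d.]+)/(\d+)")
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) "
    r"flags ([A-Z ]+?)\s+on interface (\w+)")


def find_asymmetric_flows(log_text):
    """One entry per denied flow (keyed client->server); 'asymmetric' is True
    when the ASA built the connection and then denied the server's SYN ACK."""
    built = {}                  # (cli_ip, cli_port, srv_ip, srv_port) -> details
    denies = defaultdict(list)  # same key -> [(flags, interface), ...]
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conn_id, in_if, src, sport, out_if, dst, dport = m.groups()
            built[(src, sport, dst, dport)] = {"conn": conn_id, "out_if": out_if}
            continue
        m = DENY_RE.search(line)
        if m:
            src, sport, dst, dport, flags, iface = m.groups()
            # The deny is server->client; key it by the client->server tuple.
            denies[(dst, dport, src, sport)].append((flags.strip(), iface))
    findings = []
    for key, hits in denies.items():
        flags = [f for f, _ in hits]
        b = built.get(key)
        findings.append({
            "flow": key,
            "conn": b["conn"] if b else None,
            "deny_iface": hits[0][1],
            "flags": flags,
            # Reply arrived on a different interface than the connection was built toward.
            "iface_mismatch": bool(b) and b["out_if"] != hits[0][1],
            "asymmetric": bool(b) and "SYN ACK" in flags,
        })
    return findings
```

A deny with no matching Built (the constructed 10.9.9.9 line) is reported but not flagged, so stale or unrelated denies are kept apart from the routing problem.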