Cisco – ASA Error message %ASA-7-710005: TCP request discarded
Posted by Josh on Fri 26 Oct 2007
Categories: Cisco, Cisco Routers - [9] Comments
I ran into a strange issue with a Cisco ASA firewall today. The firewall was not passing traffic to the internal host although I had the static statement configured and access-lists allowing incoming traffic.
static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255
access-list acl_outside permit tcp any host 12.34.56.78 eq 25
access-group acl_outside in interface outside
With the logging level set at 5, I did not see anything in the logs. I just noticed the access-list counters were not incrementing and the connection wasn’t working. I changed the logging level to 7 and started seeing the following error message:
Oct 25 2007 16:30:16: %ASA-7-710005: TCP request discarded from 4.4.4.4/42977 to outside: 12.34.56.78/25
The problem was that I configured the static statement with the public IP address of the outside interface instead of the ‘interface’ keyword.
Incorrect:
static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255
Correct:
static (inside,outside) tcp interface smtp 10.1.1.50 smtp netmask 255.255.255.255
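A config check for the mistake described in the post, as an added example that is not part of the original post: it flags static port redirects whose mapped address is the mapped interface's own IP and suggests the form using the interface keyword. The interface stanzas, the second static line and the function names are assumptions made for illustration.

```python
import re

# Constructed sample config (pre-8.3 syntax, as in the post); the interface
# stanzas and the second static line are assumptions added for illustration.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 12.34.56.78 255.255.255.248
!
interface Vlan1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
!
static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp 12.34.56.77 www 10.1.1.51 www netmask 255.255.255.255
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)")

def interface_addresses(config):
    """Map nameif -> IP address configured on that interface."""
    addrs, nameif = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            nameif = None  # left the previous interface stanza
        words = line.split()
        if words[:1] == ["nameif"] and len(words) > 1:
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif and len(words) > 2:
            addrs[nameif] = words[2]
    return addrs

def find_interface_ip_statics(config):
    """Return (original_line, suggested_line) for each static port redirect
    whose mapped address is the mapped interface's own IP."""
    addrs = interface_addresses(config)
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        # Only the interface's own address is affected; other public IPs stay literal.
        if m and m["mapped_ip"] == addrs.get(m["mapped_if"]):
            fixed = line[:m.start("mapped_ip")] + "interface" + line[m.end("mapped_ip"):]
            findings.append((line, fixed))
    return findings

if __name__ == "__main__":
    for bad, good in find_interface_ip_statics(SAMPLE_CONFIG):
        print("flag:   ", bad, "\nsuggest:", good)
```

The second static line uses a different public address on the same interface and is left alone, matching the clarification in the comments that only the interface's own IP needs the keyword.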
November 21st, 2007 at 8:17 am
Man, I was trying to get it fixed for the whole day
Big thanks for the solution!!!
November 26th, 2007 at 1:39 pm
I think that only applies to the interface IP. If you have a range of IPs available on the outside interface you’d still have to specify the IP and not “interface” for the other IPs. I imagine this is something you might run into with a 5505 as it’s more likely that the outside interface will only be a /30 and not something larger. I haven’t run into many cases where you’d have a /30 running on something bigger than a 5505. The code’s the same though, regardless.
November 26th, 2007 at 10:35 pm
Scott,
You are correct. This only applies to the IP address of the interface. Thanks for helping clear that up.
Josh
December 6th, 2007 at 8:31 am
I ran into the same stupid problem with ASA 5505 exactly and it took me a couple of hours troubleshooting before doing the totally illogical thing of changing the PAT statement to use the interface instead of the actual address. This product is probably done by the same idiots that designed the Catalyst 500 Express switch (if you’ve ever touched one you know what I’m talking about), I hope that their hands will be chopped off in order to save us from the torture of using this crap.
January 9th, 2008 at 4:51 pm
TheGrave, that is why Cisco certs earn you the big bucks
May 15th, 2008 at 10:15 am
I have a similar problem with DHCP replies back to an ASA (7.2(2)) being dropped. Any ideas?
%ASA-6-302015: Built outbound UDP connection 458 for inside:141.1.255.8/67 (141.1.255.8/67) to NP Identity Ifc:141.1.255.12/68 (141.1.255.12/68)
%ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67
January 25th, 2009 at 2:40 pm
Thanks, Josh!
August 13th, 2009 at 11:09 am
I have the same problem. After I configured my new ASA 5505 with multiple PAT addresses I was not able to see any traffic passing the appliance in and out. I was able to ping both the inside and outside interface including through my security router to my border router and was not able to show any traffic counts with my access list. Why wasn’t there any warning from Cisco about this? The only sure thing I got from their tutorial was, as long as you have configured a default route in your appliance i.e. route outside 0.0.0.0 0.0.0.0 “gateway” 1, you should be able to pass all your traffic in and out the appliance, but this was not the case. Does anyone out there have a solution for multiple PAT through the ASA?
November 2nd, 2009 at 8:30 pm
Hi Josh,
I just wanted to say thanks for this post. It has saved me from tearing my hair out. I also want to let everyone know, I ran into this problem with a PIX 515 running 8.0 and 7.2(4). So just keep in mind, this is not just an ASA issue.
Thanks again!