Cisco – ASA Error message %ASA-7-710005: TCP request discarded
Posted by Josh on Fri 26 Oct 2007. Categories: Cisco, Cisco Routers. [16] Comments
I ran into a strange issue with a Cisco ASA firewall today. The firewall was not passing traffic to the internal host although I had the static statement configured and access-lists allowing incoming traffic.
static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255
access-list acl_outside permit tcp any host 12.34.56.78 eq 25
access-group acl_outside in interface outside
With the logging level set at 5 (notifications), I did not see anything in the logs; I just noticed the access-list counters were not incrementing and the connection wasn't working. Message 710005 is severity 7 (debugging), so it is only written once the logging level is raised to 7. After I changed the logging level to 7 I started seeing the following error message:
Oct 25 2007 16:30:16: %ASA-7-710005: TCP request discarded from 4.4.4.4/42977 to outside: 12.34.56.78/25
The problem was that I configured the static statement with the public IP address of the outside interface instead of the 'interface' keyword. When the global address of a static is written as the interface's own IP, the ASA treats the inbound connection as traffic destined for itself and, with nothing listening on that port, discards the request rather than translating it; the 'interface' keyword is what tells it to apply static PAT to its own address. This only applies to the interface's own address: a static for any other address in the outside subnet still takes the literal IP. (The 'static' command is pre-8.3 NAT syntax; 8.3 and later replaced it with object NAT.)
Incorrect:
static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255
Correct:
static (inside,outside) tcp interface smtp 10.1.1.50 smtp netmask 255.255.255.255
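An added check for the mistake above (example code written for this page, not Cisco's): a small Python lint that reads a pre-8.3 running-config, finds any 'static' whose global address is literally the IP of its mapped interface, prints the 'interface'-keyword form, and ties %ASA-7-710005 syslog lines back to that static. The config and syslog samples are constructed for the example: the interface blocks, the 12.34.56.79 and 10.1.1.60 hosts and the third log line are assumptions, while the 'static', 'access-list' and first log lines are the ones in this post. Correlating with the config matters because 710005 also fires for any connection to an address the ASA itself holds that nothing is published on (the third sample line), so the message alone is not the verdict.

```python
"""Lint for the static-PAT mistake in this post: a pre-8.3 ASA/PIX 'static'
whose global address is the mapped interface's own IP written literally.
The ASA then treats inbound connections as traffic to itself and discards
them (%ASA-7-710005) instead of translating; the fix is the 'interface'
keyword. Added example for this page, not Cisco code; samples are
constructed (interface blocks, .79/.60 hosts and the third log line are
assumptions; the static/access-list lines and first log line are the post's).
"""
import re

SERVICE_PORTS = {"smtp": 25, "www": 80, "http": 80, "https": 443,
                 "ftp": 21, "ssh": 22, "telnet": 23, "domain": 53}

SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.34.56.78 255.255.255.252
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp 12.34.56.79 www 10.1.1.60 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.1.1.60 https netmask 255.255.255.255
access-list acl_outside permit tcp any host 12.34.56.78 eq 25
access-group acl_outside in interface outside
"""

# Third line: a probe to a port nothing is published on. 710005 fires for
# that too, so the log message by itself does not prove a misconfiguration.
SAMPLE_SYSLOG = """\
Oct 25 2007 16:30:16: %ASA-7-710005: TCP request discarded from 4.4.4.4/42977 to outside: 12.34.56.78/25
Oct 25 2007 16:30:19: %ASA-7-710005: TCP request discarded from 4.4.4.4/42978 to outside: 12.34.56.78/25
Oct 25 2007 16:31:02: %ASA-7-710005: TCP request discarded from 5.5.5.5/5555 to outside: 12.34.56.78/23
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)")
# Accepts both "to outside: 1.2.3.4/25" and the UDP form "to inside:255.255.255.255/67".
LOG_RE = re.compile(
    r"%ASA-7-710005: (?P<proto>TCP|UDP) request discarded from (?P<src>\S+) "
    r"to (?P<ifc>[^:]+): ?(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")


def port_number(token):
    """Numeric port for a token that may be a service name such as 'smtp'."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def interface_addresses(config):
    """Map nameif -> interface IP from the 'interface' blocks of a config."""
    addrs, block = {}, {}
    for line in config.splitlines() + ["end"]:       # sentinel closes the last block
        if not line.startswith(" "):                 # any top-level command ends a block
            if "nameif" in block and "ip" in block:
                addrs[block["nameif"]] = block["ip"]
            block = {}
        elif line.startswith(" nameif "):
            block["nameif"] = line.split()[1]
        elif line.startswith(" ip address "):
            block["ip"] = line.split()[2]
    return addrs


def lint_statics(config):
    """One finding per static whose global address is literally the IP of the
    mapped interface; 'fix' is the same line using the 'interface' keyword."""
    ip_to_ifc = {ip: name for name, ip in interface_addresses(config).items()}
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m or m["mapped_ip"] == "interface":
            continue
        if ip_to_ifc.get(m["mapped_ip"]) != m["mapped_if"]:
            continue                  # another address in the subnet: literal IP is correct
        findings.append({
            "line": line, "ifc": m["mapped_if"], "proto": m["proto"],
            "port": port_number(m["mapped_port"]),
            "fix": line.replace(f" {m['proto']} {m['mapped_ip']} ",
                                f" {m['proto']} interface ", 1)})
    return findings


def correlate(config, syslog):
    """Pair each 710005 discard with the misconfigured static that explains it;
    discards with no matching static are left out."""
    if_addrs, findings, hits = interface_addresses(config), lint_statics(config), []
    for line in syslog.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ifc, dst_ip, port = m["ifc"].strip(), m["dst_ip"], int(m["dst_port"])
        for f in findings:
            if (f["ifc"] == ifc and if_addrs.get(ifc) == dst_ip
                    and f["port"] == port and f["proto"] == m["proto"].lower()):
                hits.append((line, f["fix"]))
                break
    return hits


if __name__ == "__main__":
    for f in lint_statics(SAMPLE_CONFIG):
        print(f"BAD : {f['line']}\nFIX : {f['fix']}")
    for log, fix in correlate(SAMPLE_CONFIG, SAMPLE_SYSLOG):
        print(f"LOG : {log}\n   -> explained by the static above; apply: {fix}")
```

Run against a real box by pasting the output of 'show running-config' and the level-7 syslog into the two sample strings; on 8.3 and later the 'static' syntax no longer exists and the lint would need to read object NAT instead.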

November 21st, 2007 at 8:17 am
Man, I was trying to get it fixed for the whole day.
Big thanks for the solution!!!
November 26th, 2007 at 1:39 pm
I think that only applies to the interface IP. If you have a range of IPs available on the outside interface you'd still have to specify the IP and not "interface" for the other IPs. I imagine this is something you might run into with a 5505 as it's more likely that the outside interface will only be a /30 and not something larger. I haven't run into many cases where you'd have a /30 running on something bigger than a 5505. The code's the same though, regardless.
November 26th, 2007 at 10:35 pm
Scott,
You are correct. This only applies to the ip address of the interface. Thanks for helping clear that up.
Josh
December 6th, 2007 at 8:31 am
I ran into the same stupid problem with an ASA 5505 exactly, and it took me a couple of hours of troubleshooting before doing the totally illogical thing of changing the PAT statement to use the interface instead of the actual address. This product is probably done by the same idiots that designed the Catalyst 500 Express switch (if you've ever touched one you know what I'm talking about); I hope that their hands will be chopped off in order to save us from the torture of using this crap.
January 9th, 2008 at 4:51 pm
TheGrave, that is why Cisco certs earn you the big bucks.
May 15th, 2008 at 10:15 am
I have a similar problem with dhcp replies back to an ASA (7.2(2)) being dropped. Any ideas?
%ASA-6-302015: Built outbound UDP connection 458 for inside:141.1.255.8/67 (141.1.255.8/67) to NP Identity Ifc:141.1.255.12/68 (141.1.255.12/68)
%ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67
January 25th, 2009 at 2:40 pm
Thanks, Josh!
August 13th, 2009 at 11:09 am
I have the same problem. After I configured my new ASA 5505 with multiple PAT addresses I was not able to see any traffic passing the appliance in and out. I was able to ping both the inside and outside interface, including through my security router to my border router, and was not able to show any traffic counts with my access list. Why wasn't there any warning from Cisco about this? The only sure thing I got from their tutorial was, as long as you have configured a default route in your appliance, i.e. route outside 0.0.0.0 0.0.0.0 "gateway" 1, you should be able to pass all your traffic in and out the appliance, but this was not the case. Is there anyone out there who has any solution for multiple PAT through the ASA?
November 2nd, 2009 at 8:30 pm
Hi Josh,
I just wanted to say thanks for this post. It has saved me from tearing my hair out. I also want to let everyone know, I ran into this problem with a PIX 515 running 8.0 and 7.2(4). So just keep in mind, this is not just an ASA issue.
Thanks again!
November 26th, 2010 at 12:54 pm
Crazy that I ran into BlindHog after all these years!
Also, keep an eye out for any DNS issues related to DNSSEC and EDNS0. If the FW (specifically a PIX or ASA) is configured, by default, for DNS packet inspection, which is set at 512 bytes, any DNS packets larger than the default configured size will be dropped. DNSSEC will always be larger than 512 bytes. Starting in Cisco ASA software version 8.2.2, it is possible to configure the setting as auto in the DNS inspection size.
ASA configuration:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
On the ASA, you can issue 'sh asp drop frame' to view the stats of any DNS-related drops.
internetfw# sh asp drop frame
DNS Inspect invalid packet (inspect-dns-invalid-pak) 603
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 17513
DNS Inspect packet too long (inspect-dns-pak-too-long) 2101
DNS Inspect id not matched (inspect-dns-id-not-matched) 57638
Comcast has a link to a testing site to see if your firewall handles DNSSEC properly.
http://www.dnssec-failed.org/
http://www.dnssec.comcast.net/
December 1st, 2010 at 1:15 pm
DOFF! We were just talking about you yesterday (Spirk’s going away lunch).
Good to see you on the site. Thanks for all the helpful tips.
January 25th, 2011 at 5:01 am
Tell me about it!!!
I have been trying to deploy this "smart" ASA 5505 on a part-time basis for 3 weeks. It's not working well yet.
My set up is as follows:
ISP -> Cisco RTR (1700 or 800) -> ASA 5505 -> LAN
Internal clients can now browse and send mail; but incoming mails are blocked.
After a capture of SMTP, I found that the MSS is larger than the 512-byte DNSSEC message-length.
Tried to change and this is what the ASDM 5.x is doing:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
Incoming mails are still blocked, I understand the device is still using 512 in preference to client auto.
Anyone with a hint to find a workaround?
Rgds
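The two comments above (the DNSSEC/EDNS0 tip and the question about 'message-length maximum 512' versus 'client auto') describe a check that is easy to model. The following is an added example written for this page, not Cisco code and not the ASA's actual implementation: it parses a DNS message far enough to read the EDNS0 OPT record, then judges a response under a fixed 512-byte limit and under a client-auto limit taken from the client's advertised UDP payload size. All messages are constructed inline; the RRSIG in the response carries dummy signature bytes, sized only so the answer crosses 512 bytes, and the "drop" verdict reuses the inspect-dns-pak-too-long counter name from the 'sh asp drop frame' output above.

```python
"""Model of the ASA DNS-inspection message-length check: how a UDP response
is judged under 'message-length maximum 512' (the preset_dns_map default)
versus 'message-length maximum client auto', which takes its limit from
the EDNS0 UDP payload size the client advertised in its query.

Added example for this page, not Cisco code and not the ASA's actual
implementation. Messages are constructed inline; the RRSIG signature bytes
are dummies sized to push the response past 512 bytes.
"""
import struct

DEFAULT_MAX = 512   # RFC 1035 UDP limit and the preset_dns_map default
OPT = 41            # EDNS0 OPT pseudo-RR type (RFC 6891)
RRSIG = 46


def _skip_name(msg, off):
    """Offset just past a domain name, compressed or not."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:            # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n


def edns0_udp_size(msg):
    """UDP payload size from the OPT record in the additional section, or
    None when the message carries no EDNS0 at all."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                 # QTYPE, QCLASS
    for _ in range(an + ns):
        off = _skip_name(msg, off) + 8                 # TYPE, CLASS, TTL
        off += 2 + struct.unpack("!H", msg[off:off + 2])[0]
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, rclass = struct.unpack("!HH", msg[off:off + 4])
        if rtype == OPT:
            return rclass                               # OPT reuses CLASS for the payload size
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    return None


def effective_limit(query, policy):
    """Largest response the inspection accepts for this client under a policy."""
    if policy == "fixed":                               # message-length maximum 512
        return DEFAULT_MAX
    if policy == "client-auto":                         # message-length maximum client auto
        size = edns0_udp_size(query)
        # No OPT record: classic DNS, 512 bytes. RFC 6891 treats values below 512 as 512.
        return DEFAULT_MAX if size is None else max(size, DEFAULT_MAX)
    raise ValueError(policy)


def verdict(query, response, policy):
    limit = effective_limit(query, policy)
    if len(response) > limit:
        return f"drop ({len(response)} > {limit}, counted as inspect-dns-pak-too-long)"
    return f"pass ({len(response)} <= {limit})"


def build_query(name, edns_size=None):
    """A/IN query; with edns_size, append an OPT RR advertising it, DO bit set."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    opt = (b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0x8000, 0)) if edns_size else b""
    return header + qname + struct.pack("!HH", 1, 1) + opt


def build_signed_response(query, sig_len=512):
    """Constructed DNSSEC-shaped answer: A record + RRSIG (dummy signature bytes)
    + OPT, echoing the query's ID and question section."""
    q_end = _skip_name(query, 12) + 4
    ptr = b"\xc0\x0c"                                   # pointer to the QNAME at offset 12
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10])
    rdata = (struct.pack("!HBBIIIH", 1, 8, 3, 3600, 0x5F000000, 0x5E000000, 12345)
             + b"\x07example\x03com\x00" + b"\x00" * sig_len)   # dummy RRSIG fields
    rrsig_rr = ptr + struct.pack("!HHIH", RRSIG, 1, 3600, len(rdata)) + rdata
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)
    header = query[:2] + struct.pack("!5H", 0x81A0, 1, 2, 0, 1)   # QR RD RA AD
    return header + query[12:q_end] + a_rr + rrsig_rr + opt_rr


if __name__ == "__main__":
    plain, edns = build_query("www.example.com"), build_query("www.example.com", 4096)
    signed = build_signed_response(edns)
    for policy in ("fixed", "client-auto"):
        print(f"{policy:11} EDNS0 client  : {verdict(edns, signed, policy)}")
    print(f"client-auto no-EDNS0 client: {verdict(plain, signed, 'client-auto')}")
```

The last line of output is the case that still bites after switching to client auto: a resolver that sends no OPT record gets no more than 512 bytes under either policy, so a large signed answer to it is dropped regardless of the setting.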
February 9th, 2011 at 9:50 pm
Thanks for sharing superb information. Your web site is so cool. I am impressed by the details that you have on this site. It reveals how nicely you understand this subject. Bookmarked this web page, will come back for extra articles. You, my pal, ROCK! I found exactly the info I had already searched everywhere for and just could not come across.
February 11th, 2011 at 4:06 pm
Thanks for the post! Helped us out!
August 10th, 2012 at 10:31 am
I have the same basic issue, although my 5505 runs fine for (normally) 2 weeks, then it shuts the door to all genuine incoming traffic that was previously working fine!
Interestingly, incoming VPN and SSL VPN work while "normal" traffic is refused (or discarded, as per Cisco's event).
To resolve the issue i have to issue NO NAT statements for each NAT, wait 10 seconds, then re-apply the NATs to make incoming traffic work.
quite a pain really.
All my NAT statements use the “interface” keyword rather than the /30 IP we have.
Further debugging has shown the Cisco claims this traffic is hitting an ACL, but does not show us which, and of course there is no such ACL since it works for weeks at a time.
Encouraged
M
January 6th, 2013 at 9:37 am
RevoAmerica Cisco Pix Firewall Configuration
For those of you looking for the proper configuration to allow connectivity to your Revo America security system, here it is. y.y.y.y is your internal address and z.z.z.z is the external IP address your router obtains via DHCP from your ISP.
static (inside,outside) tcp interface 8016 y.y.y.y 8016 netmask 255.255.255.255
static (inside,outside) tcp interface 8116 y.y.y.y 8116 netmask 255.255.255.255
static (inside,outside) tcp interface 8200 y.y.y.y 8200 netmask 255.255.255.255
static (inside,outside) tcp interface 10019 y.y.y.y 10019 netmask 255.255.255.255
static (inside,outside) tcp interface 12088 y.y.y.y 12088 netmask 255.255.255.255
static (inside,outside) tcp interface rtsp y.y.y.y rtsp netmask 255.255.255.255
access-list inbound extended permit tcp any host z.z.z.z eq 8016
access-list inbound extended permit tcp any host z.z.z.z eq 8116
access-list inbound extended permit tcp any host z.z.z.z eq 8200
access-list inbound extended permit tcp any host z.z.z.z eq 10019
access-list inbound extended permit tcp any host z.z.z.z eq 12088
access-list inbound extended permit tcp any host z.z.z.z eq rtsp