Cisco ASA: which side is “inside” with same security-level

Tags: acl, cisco, cisco-asa, firewall, pix

I have an issue with an FWSM apparently killing RDP sessions after a random amount of time, and the log entry looks like:

Teardown TCP connection 145379776990678860 for MS_LZ1:10.30.3.150/49924 to LZ1_MS:10.254.0.217/3389 duration 0:01:58 bytes 705828 TCP Reset-I

I understand that "TCP Reset-I" means that a TCP Reset was received on the 'inside' interface, but in this particular firewall, both interfaces are security-level 0. Which one is the inside?

Best Answer

> I understand that "TCP Reset-I" means that a TCP Reset was received on the 'inside' interface, but in this particular firewall, both interfaces are security-level 0. Which one is the inside?

I have been looking at the PIX and FWSM docs for the last 30 minutes. I could not find a source that clearly stated how the PIX / FWSM behaves in this situation.

Unfortunately, I don't think there is a way to know with 100% certainty without a packet capture to find the source of the reset.

FYI, Cisco ASA flow-drop rules say that TCP Reset-I is used for same-security traffic; since the FWSM and ASA are so close, I think it's a strong possibility that the syslogs simply don't give you enough information in this case.
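An added example, not code from the question or the answer: a small parser for this "Teardown TCP connection" syslog format that, given an assumed interface-to-security-level map, reports which interface a Reset-I/Reset-O reason points at and flags the equal-level case from the question as ambiguous rather than guessing. The SECURITY_LEVELS map, the two extra sample lines, and the reading of "inside" as the higher security-level interface are assumptions.

```python
import re

# Constructed sample lines: the first is the one from the question, the other two are made up.
SAMPLE_LOGS = [
    "Teardown TCP connection 145379776990678860 for MS_LZ1:10.30.3.150/49924 to LZ1_MS:10.254.0.217/3389 duration 0:01:58 bytes 705828 TCP Reset-I",
    "Teardown TCP connection 145379776990678861 for outside:203.0.113.5/51000 to inside:10.254.0.217/3389 duration 0:00:12 bytes 1400 TCP Reset-O",
    "Teardown TCP connection 145379776990678862 for MS_LZ1:10.30.3.151/49925 to LZ1_MS:10.254.0.217/3389 duration 1:02:03 bytes 99 TCP FINs",
]
# Assumed interface -> security-level map; the question says both of its interfaces are level 0.
SECURITY_LEVELS = {"MS_LZ1": 0, "LZ1_MS": 0, "inside": 100, "outside": 0}

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

def parse_teardown(line: str):
    """Parse one ASA/FWSM 'Teardown TCP connection' line into a dict (None if no match)."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    h, mi, s = (int(x) for x in rec.pop("duration").split(":"))
    rec["duration_s"] = h * 3600 + mi * 60 + s  # "0:01:58" -> 118
    rec["bytes"] = int(rec["bytes"])
    return rec

def reset_origin(rec: dict, levels: dict = SECURITY_LEVELS) -> str:
    """Name the interface a 'TCP Reset-I' / 'TCP Reset-O' reason refers to. Assumption: 'inside'
    is the higher security-level interface of the pair; equal levels (the question's case) leave it ambiguous."""
    reason = rec["reason"]
    if reason not in ("TCP Reset-I", "TCP Reset-O"):
        return "not a reset"
    src_lvl, dst_lvl = levels.get(rec["src_if"]), levels.get(rec["dst_if"])
    if None in (src_lvl, dst_lvl) or src_lvl == dst_lvl:
        return "ambiguous: equal or unknown security levels"
    higher = rec["src_if"] if src_lvl > dst_lvl else rec["dst_if"]
    lower = rec["dst_if"] if higher == rec["src_if"] else rec["src_if"]
    return higher if reason.endswith("-I") else lower

def reset_report(lines=SAMPLE_LOGS) -> list:
    """Parsed reset teardowns, each tagged with the interface the reset is attributed to."""
    out = []
    for line in lines:
        rec = parse_teardown(line)
        if rec and rec["reason"].startswith("TCP Reset-"):
            rec["reset_from"] = reset_origin(rec)
            out.append(rec)
    return out
```

Where the report says "ambiguous", the syslog alone cannot tell you which side sent the reset, and a capture on both interfaces is the way to settle it.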