After setting up a site to site VPN tunnel on a Cisco ASA firewall, traffic was being dropped with the message “Inbound TCP connection denied from x.x.x.x to x.x.x flags SYN on interface Outside”
The traffic inbound on this VPN was routing to the destination at the end of another VPN tunnel. Traffic was coming in and out on the same Outside interface.
I already had “same-security-traffic permit intra-interface” set but in addition I also needed “same-security-traffic permit inter-interface” to be set
Warning: Always do your homework on commands before implementing them! https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-command-reference-list.html#wp1392814
conf t same-security-traffic permit intra-interface same-security-traffic permit inter-interface
- Device Setup => Interface Settings => Interfaces
- “Enable traffic between two or mere interfaces which are configured with same security levels”
- “Enable traffic between two or more hosts connected to the same interface”