Problem:

After setting up a site to site VPN tunnel on a Cisco ASA firewall, traffic was being dropped with the message “Inbound TCP connection denied from x.x.x.x to x.x.x flags SYN on interface Outside”

Inbound TCP connect denied from x.x.x.x to x.x.x flags SYN on interface Outside

The traffic inbound on this VPN was routing to the destination at the end of another VPN tunnel. Traffic was coming in and out on the same Outside interface.

Inbound TCP connect denied from x.x.x.x to x.x.x flags SYN on interface OutsideSolution:

I already had “same-security-traffic permit intra-interface” set but in addition I also needed “same-security-traffic permit inter-interface” to be set

Warning: Always do your homework on commands before implementing them! https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-command-reference-list.html#wp1392814

Command Line

ASDM

  • Device Setup => Interface Settings => Interfaces
  • Tick
    • “Enable traffic between two or mere interfaces which are configured with same security levels”
    • “Enable traffic between two or more hosts connected to the same interface”
  • Apply
  • Save

Inbound TCP connect denied from x.x.x.x to x.x.x flags SYN on interface Outside