Solved

Moneris POS terminal doesn't connect properly since replacing a managed firewall with an ASA5505

Posted on 2007-03-20
15
2,669 Views
Last Modified: 2008-01-09
I recently replaced a managed firewall device (Linux-based proprietary firewall) with a Cisco ASA5505. Since the installation, our Moneris POS terminals (for processing debit/credit card transactions) continually fail to connect the first time (every time) after an undetermined period of inactivity.  Once the first transaction fails, the second attempt will work and it continues to work for X number of minutes.  At this stage the only theory I have is that once the NAT translation connection between the POS and the outside is ended, the terminal has not reconnected and then it fails the first time again for some reason.  There is one interesting thing in the logs:

Mar 20 09:41:14 192.168.1.254 %ASA-6-302013: Built outbound TCP connection 40952 for outside:xxx.xxx.63.80/443 (xxx.xxx.63.80/443) to inside:192.168.1.144/60851 (firstip/16544)
Mar 20 09:41:16 192.168.1.254 %ASA-6-302020: Built ICMP connection for faddr 192.168.1.144/0 gaddr 192.168.1.254/4388 laddr 192.168.1.254/4388
Mar 20 09:41:16 192.168.1.254 %ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.144/0 gaddr 192.168.1.254/4388 laddr 192.168.1.254/4388
Mar 20 09:41:20 192.168.1.254 %ASA-6-302014: Teardown TCP connection 40952 for outside:xxx.xxx.63.80/443 to inside:192.168.1.144/60851 duration 0:00:05 bytes 2886 TCP FINs
Mar 20 09:41:20 192.168.1.254 %ASA-4-106023: Deny tcp src outside:xxx.xxx.63.80/443 dst inside:firstip/16544 by access-group "outside_access_in" [0x0, 0x0]

The TCP connection gets torn down, and then there appears to be another packet from the other side even after the FIN and the connection being taken down.

Hopefully someone else has experienced something similar and has an idea how to fix this.

Question by:techeez
15 Comments
 
LVL 79

Expert Comment

by:lrmoore
How do you have your NAT configured? Can you post your config?
 
LVL 1

Author Comment

by:techeez
I should have mentioned that all other inbound NATting and outbound NATting is working correctly... But here's the config:

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name xxxyyy.com
enable password XXXXXXXXXXXXXX encrypted
names
name xx.xxx.195.68 downtown description Downtown
name 192.168.1.245 ganymede description Ganymede's Internal IP
name 192.168.1.250 hercules description Hercule's Internal IP
name 192.168.1.243 io description IO's internal IP
name 192.168.1.247 jupiter description Jupiter's Internal IP
name 192.168.1.248 mercury description Mercury's Internal IP
name 192.168.1.244 europa description Europa's Internal IP
name 192.168.1.240 pos1 description Quasar POS Till #1
name xx.xx.xxx.187 secondip description Second External IP Address
name xx.xx.xxx.186 firstip
!
interface Vlan1
 description Inside Interfaces
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address firstip 255.255.252.0
!
interface Vlan12
 description DMZ
 nameif dmz
 security-level 10
 ip address 192.168.20.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec You have reached the ASA at the factory. Go away.
banner motd Thanks for logging into to $(hostname).$(domain)
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 24.59.160.13
 name-server 24.59.160.15
 domain-name xxxyyy.com
same-security-traffic permit intra-interface
access-list outside_cryptomap extended permit ip any 192.168.1.192 255.255.255.224
access-list outside_cryptomap_1 extended permit ip any 192.168.1.192 255.255.255.224
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip any 192.168.1.192 255.255.255.224
access-list outside_access_in remark icmp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host firstip eq ssh
access-list outside_access_in extended permit tcp any host firstip eq 2222
access-list outside_access_in extended permit tcp any host firstip eq 2200
access-list outside_access_in extended permit tcp any host firstip eq www
access-list outside_access_in extended permit tcp any host firstip eq 3389
access-list outside_access_in extended permit tcp any host firstip eq 3390
access-list outside_access_in extended permit tcp any host firstip eq 5901
access-list outside_access_in extended permit tcp any host firstip eq 5902
access-list outside_access_in extended permit tcp any host firstip eq 5903
access-list outside_access_in extended permit tcp any host firstip eq 5991
access-list outside_access_in extended permit tcp any host firstip eq 5992
access-list outside_access_in extended permit tcp any host firstip eq 5981
access-list outside_access_in extended permit tcp any host secondip eq 3389
access-list outside_access_in extended permit tcp any host secondip eq 3390
access-list outside_access_in extended permit tcp any host secondip eq https
access-list outside_access_in extended permit tcp any host secondip eq 2222
access-list outside_access_in extended permit tcp any host secondip eq ssh
access-list outside_access_in extended permit tcp any host secondip eq 2200
access-list outside_access_in extended permit tcp host 216.220.63.80 eq https host 192.168.1.140
access-list tac extended permit icmp host 192.168.2.101 any
access-list tac extended permit icmp any host 192.168.2.101
access-list tac extended permit ip host 192.168.2.101 any
access-list tac extended permit ip any host 192.168.2.101
access-list split standard permit 192.168.1.0 255.255.255.0
access-list split remark Access to downtown
access-list split standard permit 192.168.2.0 255.255.255.0
access-list packetinbound extended permit tcp host 203.167.75.41 host 24.108.64.58 eq 3390
access-list packetinbound extended permit tcp host 203.167.75.41 eq 3390 host 24.108.64.58
access-list packetinbound extended permit tcp host 24.108.64.58 host 203.167.75.41
access-list packetinbound extended permit tcp host 24.108.64.59 host 203.167.75.41
access-list packetinbound extended permit tcp host 203.167.75.41 eq 3389 host 24.108.64.59
access-list packetoutbound extended permit tcp host ganymede any
access-list packetoutbound extended permit tcp any host ganymede
access-list packetoutbound extended permit tcp host jupiter any
access-list packetoutbound extended permit tcp any host jupiter
access-list sysadmin_splitTunnelAcl standard permit any
access-list outside_cryptomap_2 extended permit ip any 192.168.1.192 255.255.255.224
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging host inside mercury
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.1.200-192.168.1.219 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3390 ganymede 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 5800 mercury 5800 netmask 255.255.255.255
static (inside,outside) tcp interface 5901 mercury 5901 netmask 255.255.255.255
static (inside,outside) tcp interface 5902 mercury 5902 netmask 255.255.255.255
static (inside,outside) tcp interface 5903 mercury 5903 netmask 255.255.255.255
static (inside,outside) tcp interface 3050 mercury 3050 netmask 255.255.255.255
static (inside,outside) tcp interface 2638 mercury 2638 netmask 255.255.255.255
static (inside,outside) tcp interface 3598 mercury 3598 netmask 255.255.255.255
static (inside,outside) tcp interface 3599 mercury 3599 netmask 255.255.255.255
static (inside,outside) tcp interface 2200 europa ssh netmask 255.255.255.255
static (inside,outside) tcp secondip https europa https netmask 255.255.255.255
static (inside,outside) tcp secondip 2222 mercury ssh netmask 255.255.255.255
static (inside,outside) tcp interface 3389 jupiter 3389 netmask 255.255.255.255
static (inside,outside) tcp secondip 3390 europa 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.68.128.1 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 1:00:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value vpnpool
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy sysadmin internal
group-policy sysadmin attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
group-policy xxxyyy internal
group-policy xxxyyy attributes
 vpn-simultaneous-logins 10
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value xxxyyychocolates.com
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 nem enable
username abutters password yFSjpvuEBasDY03M encrypted privilege 15
username cgoodacre password Xiw5Kv8O.hI2c5zy encrypted privilege 0
username cgoodacre attributes
 vpn-group-policy sysadmin
username cisco password sg7tV9x2U0OP513E encrypted privilege 15
username downtown851 password /Zs3AFJVNkfCjk43 encrypted privilege 0
username downtown851 attributes
 vpn-group-policy xxxyyy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 2
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 2
tunnel-group xxxyyy type ipsec-ra
tunnel-group xxxyyy general-attributes
 default-group-policy xxxyyy
tunnel-group xxxyyy ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 2
tunnel-group sysadmin type ipsec-ra
tunnel-group sysadmin general-attributes
 address-pool vpnpool
 default-group-policy sysadmin
tunnel-group sysadmin ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 2
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 24.59.160.13 24.59.160.15
dhcpd domain xxxyyy.com.local
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 24.59.160.13 24.59.160.15 interface inside
dhcpd domain xxxyyy.com.local interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

!
!
prompt hostname context
Cryptochecksum:150b0142c22c0d6389da6285d42ccc8a
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

 
LVL 79

Expert Comment

by:lrmoore
Do I understand correctly that host 192.168.1.144 initiates an https connection to host xxx.xxx.63.80?
And xxx.xxx.63.80 is *not* one of your public IP addresses?

>dhcpd dns 24.59.160.13 24.59.160.15 interface inside
I notice that you are using public DNS servers, and not internal servers. Does host xx.xx.63.80 resolve to the correct IP address, and does that server do any type of return traffic validation, like reverse DNS lookup?
 
LVL 1

Author Comment

by:techeez
Yes to both.

I don't know why I xxx'd out the IP address ... it's Moneris's public IP:
ipgate.moneris.com
which currently resolves to:
216.220.63.80.

I do use public DNS servers on the firewall... even though I have an internal DNS server for the Win2k3 domain.   It does resolve to the correct IP.  No idea what traffic it does in return, and I have spoken to Moneris themselves, who tell me that they don't have tech support for anything to do with a firewall issue.  This is clearly ASA-specific though, as both the 851 in my other location and the previous firewall at the factory worked fine.  I've got a very simple config on the 851 with no inbound NATting.
 
LVL 79

Expert Comment

by:lrmoore
Given this error message, let's try adding a specific ACL entry for this traffic:

Mar 20 09:41:20 192.168.1.254 %ASA-4-106023: Deny tcp src outside:xxx.xxx.63.80/443 dst inside:firstip/16544 by access-group "outside_access_in" [0x0, 0x0]


access-list outside_access_in extended permit tcp host 216.220.63.80 eq 443 interface outside

If that works, at least we have a working starting point.
 
LVL 1

Author Comment

by:techeez
Hi Lrm,

Thanks for the suggestion.... I've added it but am skeptical that it will work... The only time traffic can come back to the right place in the first place is when the NAT connection is open, and that deny error that you are referring to occurs because it's torn down the connection and then the outside sends another packet after the connection's been torn down.
I won't be able to determine if it was successful until tomorrow as the retail store is closed.  I will hear pretty quickly in the morning if it's still occurring.
 
LVL 10

Expert Comment

by:Sorenson
I have seen similar log entries in my ASA logs.  I have been investigating them, although we do not have any reports from the users stating that things are slow or broken. I believe it has something to do with the timeout for translations, specifically with half-open connections.  It appears to happen when a client opens or accesses a slow web page: the client sends a second request, the first request is responded to, and the response to the second request is denied, as the timeout for the translation has occurred.  I would suggest tweaking the timeout statement; however, I know that increasing timeouts will increase memory and proc utilization on the ASA.
 
LVL 1

Author Comment

by:techeez
Hey lrm

Couldn't check the logs yesterday because I broke my syslog server :(.  So I'm still having the problem after adding the ACL that you suggested, with the same messages in the log :(

Sorenson good thought... I was thinking along the same lines and did increase the half-closed timeout to 1 hour with seemingly no effect.

I'm going to change the POS terminals to have a static IP and create a static NAT for one of them (I've only got 2 IPs and already have a static NAT for 443 on the one IP) and see what that does.
 
LVL 1

Author Comment

by:techeez
So strangely enough... changing the terminals to a static IP instead of using DHCP fixed the problem altogether...  Didn't even have to create the static NAT... no idea why that fixed it, but at least it works consistently now.  Thanks for the suggestions and attempted help, lrm and Sorenson.
 
LVL 1

Author Comment

by:techeez
Just to add... I still have the same strange entries in the log, so they obviously had nothing to do with the problem.
 
LVL 79

Expert Comment

by:lrmoore
Interesting. Is the DNS, mask, gateway or anything at all different in the static config from the DHCP config? Be sure to exclude those static IPs from the DHCP scope.

We often see those same type of log entries from websites. If you think about it, when you open a web page, graphics and content can actually come from several different sources. Say you open a web page, get tired of waiting for it to load, and go to a different site. What happens to all the graphics and content from the first page that you did request, but just didn't wait for? Your browser closes the sessions, and the firewall turns away whatever didn't make it in time before you switched pages. The result will be the same type of message.
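The question's log excerpt and lrmoore's explanation above describe the same pattern: a 106023 deny whose 5-tuple matches a connection the ASA tore down (302014) moments earlier. The script below is an added example (not from the thread or from Cisco) that parses the three message types shown on this page and labels each deny as either a stale packet arriving after teardown or an unsolicited packet with no preceding connection; the log sample is constructed from the question's own lines plus one invented deny from 198.51.100.7, and the 60-second window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the first five lines are the question's log excerpt
# (with Moneris's IP filled in from the thread), the last is an invented
# deny that no earlier connection accounts for.
SAMPLE_LOG = """\
Mar 20 09:41:14 192.168.1.254 %ASA-6-302013: Built outbound TCP connection 40952 for outside:216.220.63.80/443 (216.220.63.80/443) to inside:192.168.1.144/60851 (firstip/16544)
Mar 20 09:41:16 192.168.1.254 %ASA-6-302020: Built ICMP connection for faddr 192.168.1.144/0 gaddr 192.168.1.254/4388 laddr 192.168.1.254/4388
Mar 20 09:41:16 192.168.1.254 %ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.144/0 gaddr 192.168.1.254/4388 laddr 192.168.1.254/4388
Mar 20 09:41:20 192.168.1.254 %ASA-6-302014: Teardown TCP connection 40952 for outside:216.220.63.80/443 to inside:192.168.1.144/60851 duration 0:00:05 bytes 2886 TCP FINs
Mar 20 09:41:20 192.168.1.254 %ASA-4-106023: Deny tcp src outside:216.220.63.80/443 dst inside:firstip/16544 by access-group "outside_access_in" [0x0, 0x0]
Mar 20 09:45:02 192.168.1.254 %ASA-4-106023: Deny tcp src outside:198.51.100.7/443 dst inside:firstip/16544 by access-group "outside_access_in" [0x0, 0x0]
"""

# Syslog header: timestamp, relay host, %ASA-<sev>-<msgid>: message
HEADER = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$")
# 302013: real outside host/port, then the inside host and its mapped (NAT) address in parentheses
BUILT = re.compile(r"Built outbound TCP connection (?P<conn>\d+) for outside:(?P<oip>\S+)/(?P<oport>\d+) "
                   r"\(\S+/\d+\) to inside:(?P<iip>\S+)/(?P<iport>\d+) \((?P<mip>\S+)/(?P<mport>\d+)\)")
# 302014: teardown carries the connection id and the close reason (e.g. "TCP FINs")
TEARDOWN = re.compile(r"Teardown TCP connection (?P<conn>\d+) for .* bytes \d+ (?P<reason>.*)")
# 106023: the deny shows the mapped inside address, which is what must be matched
DENY = re.compile(r'Deny tcp src outside:(?P<sip>\S+)/(?P<sport>\d+) dst inside:(?P<dip>\S+)/(?P<dport>\d+) '
                  r'by access-group "(?P<acl>[^"]+)"')


def parse_ts(text):
    # Syslog timestamps carry no year; the default (1900) is fine for intra-day deltas.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def classify_denies(log_text, window_seconds=60):
    """Label every 106023 deny by whether a torn-down connection explains it."""
    live = {}     # conn id -> (mapped 4-tuple, inside real host/port)
    torn = {}     # mapped 4-tuple -> (conn id, inside real, teardown time, reason)
    verdicts = []
    for line in log_text.splitlines():
        h = HEADER.match(line)
        if not h:
            continue
        ts, msgid, msg = parse_ts(h["ts"]), h["id"], h["msg"]
        if msgid == "302013" and (b := BUILT.search(msg)):
            live[b["conn"]] = ((b["oip"], b["oport"], b["mip"], b["mport"]), f'{b["iip"]}/{b["iport"]}')
        elif msgid == "302014" and (t := TEARDOWN.search(msg)) and t["conn"] in live:
            key, inside = live.pop(t["conn"])
            torn[key] = (t["conn"], inside, ts, t["reason"])
        elif msgid == "106023" and (d := DENY.search(msg)):
            hit = torn.get((d["sip"], d["sport"], d["dip"], d["dport"]))
            if hit and 0 <= (ts - hit[2]).total_seconds() <= window_seconds:
                verdicts.append({"line": line, "verdict": "stale-after-teardown",
                                 "conn": hit[0], "inside": hit[1], "reason": hit[3]})
            else:
                verdicts.append({"line": line, "verdict": "unsolicited",
                                 "conn": None, "inside": None, "reason": None})
    return verdicts


if __name__ == "__main__":
    for v in classify_denies(SAMPLE_LOG):
        print(v["verdict"], v["conn"], v["inside"], v["reason"])
```

Denies labelled stale-after-teardown are the benign case lrmoore describes; the unsolicited ones are the denies worth a second look.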
 
LVL 1

Author Comment

by:techeez
I configured everything the same as what they would have gotten from DHCP (except the actual IP of course :) ).  I had a block of IPs reserved for statics that are excluded from DHCP...

Very strange though. It's definitely fixed though... 36 hours now without failing on either terminal.
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
PAQed with points refunded (500)

Computer101
EE Admin