[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2573
  • Last Modified:

Cisco, Firewall, ASA, Odd Behavior

I have an App server sitting in a DMZ that talks to a DB server in my inside network.  Most functions work fine, but when I try to run certain reports from the App server the reporting app hangs.  I've noticed that the following log entries show up int the firewall error log, but I'm not entirely sure what they are telling me.  

6|Oct 02 2008|12:55:25|302014|10.2.201.1|5666|10.2.40.30|55051|Teardown TCP connection 349654 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55051 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:25|302013|10.2.201.1|5666|10.2.40.30|55051|Built outbound TCP connection 349654 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55051 (10.2.40.30/55051)
6|Oct 02 2008|12:55:20|302014|10.2.201.1|5666|10.2.40.30|55015|Teardown TCP connection 349653 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55015 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:20|302013|10.2.201.1|5666|10.2.40.30|55015|Built outbound TCP connection 349653 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55015 (10.2.40.30/55015)
6|Oct 02 2008|12:55:15|106015|10.2.201.1|2891|10.2.40.44|1521|Deny TCP (no connection) from 10.2.201.1/2891 to 10.2.40.44/1521 flags ACK  on interface CCHDMZ
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|302014|10.2.201.1|2891|10.2.40.44|1521|Teardown TCP connection 349647 for CCHDMZ:10.2.201.1/2891 to inside:10.2.40.44/1521 duration 0:00:06 bytes 20381 Flow closed by inspection

The thing that confuses me is that I've opened all traffic between both these servers.  It looks to me like the application might be misbehaving.

Any ideas?
0
ruffalocody
Asked:
ruffalocody
  • 2
1 Solution
 
stsonlineCommented:
Working from the bottom (oldest timestamp), the first entry can be ignored.
The next three entries show denied connections from 10.2.40.44 TCP port 1521 to 10.2.201.1 port 2891.
The next entry shows a denied connection back from 10.2.201.1 port 2891 to 10.2.40.44 port 1521.
The next entry shows a session going up from 10.2.201.1 on TCP port 5666 to 10.2.40.30 on port 55015 with session ID 349653. This session is removed on the next line after less than a second.
The final entry shows the same two systems with the same activity but this time from port 5666 to port 55051.

Nothing indicates a misbehaving application - there does seem to be FW rules needed if the CCHDMZ systems need to talk to the inside systems.
0
 
MikeKaneCommented:
You could always just turn off inspection for that port.

policy-map global_policy
 class inspection_default
  no inspect sqlnet

That will definitely take care of the inspection closed issue.
0
 
ruffalocodyAuthor Commented:
Mike,
Turning off inspection seems to have fixed the problem.  Could you provide me with a little bit of an explanation of the why behind this.  I don't have a very good grasp on the inspection function of the ASA.

Thanks
0
 
MikeKaneCommented:
Here's the document from cisco on the application layer inspection.  
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1347071

Read up on the sqlnet description near the bottom.
0

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now