Asked by mpwizard:
Cisco ASA 5505 - Connection from DMZ to internal server closed due to connection timeout

Hi!

Our webserver, located on the DMZ, needs to have a persistent TCP connection to a server located on the inside network.
This connection is an ODBC connection to our database. After 1-2 hours the connection is shut down by the ASA due to "Connection timeout". See log entries below.
I guess it has something to do with the connection timeout?
Is it possible to disable timeouts between two hosts and specified ports?


Log entries:
Oct 22 10:18:43 fw0.company.se %ASA-6-302013: Built inbound TCP connection 132988 for dmz:webserver-dmz-ip/1107 (webserver-public-ip/1107) to inside:company-internal-server/2407 (company-internal-server/2407)
Oct 22 10:22:35 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from company-internal-server/2407 to webserver-public-ip/3215 flags ACK  on interface inside
Oct 22 12:29:55 fw0.company.se %ASA-6-302014: Teardown TCP connection 132988 for dmz:webserver-dmz-ip/1107 to inside:company-internal-server/2407 duration 2:11:10 bytes 60135419 Connection timeout
Oct 22 13:20:59 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from webserver-dmz-ip/1107 to company-internal-server/2407 flags PSH ACK  on interface dmz

Running configuration:
fw0# show run
: Saved
:
ASA Version 7.2(4)
!
hostname fw0
domain-name company.se
enable password <removed> encrypted
passwd <removed> encrypted
names
name xxx.xxx.xxx.242 webserver-public-ip description Public IP for webserver
name 192.168.31.1 company-internal-server description IP for the company's internal server
name 192.168.31.250 webserver-inside-ip description Private IP on the inside for webserver
name 192.168.0.1 webserver-dmz-ip description Private IP on the DMZ for webserver
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.31.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.241 255.255.255.192
!
interface Vlan3
 nameif dmz  
 security-level 50
 ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server <removed>
 domain-name company.se
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service web_navision_db tcp
 description Connection to Navision DB
 port-object eq 2407
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in remark ANY -> WEBSERVER, HTTP
access-list outside_access_in extended permit tcp any host webserver-public-ip eq www
access-list outside_access_in remark ANY -> ANY, ICMP ECHO-REQUEST
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in remark ANY -> ANY, ICMP ECHO-REPLY
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in remark DMZ -> INSIDE, ICMP ECHO-REPLY
access-list inside_access_in extended permit icmp any 192.168.31.0 255.255.255.0 echo-reply
access-list inside_access_in remark WEBSERVER -> INTERNAL SERVER, TCP/2407
access-list inside_access_in extended permit tcp host webserver-dmz-ip host company-internal-server eq 2407
access-list inside_access_in remark INSIDE -> DMZ, ICMP-ECHO REQUEST
access-list inside_access_in extended permit icmp 192.168.31.0 255.255.255.0 any echo
access-list inside_access_in remark INSIDE -> OUTSIDE, ANY
access-list inside_access_in extended permit ip 192.168.31.0 255.255.255.0 any
access-list dmz_access_in remark ANY -> DMZ, ICMP-ECHO REQUEST
access-list dmz_access_in extended permit icmp 192.168.31.0 255.255.255.0 192.168.0.0 255.255.255.0 echo
access-list dmz_access_in remark INSIDE -> DMZ, ANY
access-list dmz_access_in extended permit ip 192.168.31.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_access_in remark DMZ ->ANY, ICMP-ECHO REPLY
access-list dmz_access_in extended permit icmp 192.168.0.0 255.255.255.0 any echo-reply
access-list dmz_access_in remark DMZ -> OUTSIDE, ANY TEMP
access-list dmz_access_in extended permit ip 192.168.0.0 255.255.255.0 any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host inside 192.168.31.50
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) webserver-public-ip webserver-dmz-ip netmask 255.255.255.255
static (dmz,inside) webserver-public-ip webserver-dmz-ip netmask 255.255.255.255
static (inside,dmz) 192.168.31.0 192.168.31.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.31.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.31.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.31.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 193.13.74.241
!
dhcpd address 192.168.31.110-192.168.31.189 inside
dhcpd dns <removed> <removed> interface inside
dhcpd lease 86400 interface inside
dhcpd domain company.se interface inside
dhcpd enable inside
!

username admin password <removed> encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect http
  inspect ctiqbe
  inspect dcerpc
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect ils
  inspect ipsec-pass-thru
  inspect mgcp
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect waas
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:<removed>
: end


Thanks in advance.
CJ
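The four log lines in the question tell the whole story: 302013 builds the flow, 302014 ages it out with the reason "Connection timeout", and the later 106015 shows the DMZ host still pushing data on a flow the ASA no longer has. The script below is an added example (not part of the original post) that parses those three message types and reports every idle-timeout teardown that is followed by a "no connection" deny for the same endpoints, matching on either the real or the NAT-mapped address. The sample log is constructed from the question's own entries; the hostnames stand in for the real addresses exactly as in the post.

```python
"""Correlate Cisco ASA syslog 302013/302014/106015 messages to find TCP flows
that an endpoint kept using after the ASA aged them out on idle timeout."""
import re
from datetime import datetime

# Constructed sample: the entries from the question (first line's "ct 22" read as "Oct 22").
SAMPLE_LOG = """\
Oct 22 10:18:43 fw0.company.se %ASA-6-302013: Built inbound TCP connection 132988 for dmz:webserver-dmz-ip/1107 (webserver-public-ip/1107) to inside:company-internal-server/2407 (company-internal-server/2407)
Oct 22 10:22:35 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from company-internal-server/2407 to webserver-public-ip/3215 flags ACK  on interface inside
Oct 22 12:29:55 fw0.company.se %ASA-6-302014: Teardown TCP connection 132988 for dmz:webserver-dmz-ip/1107 to inside:company-internal-server/2407 duration 2:11:10 bytes 60135419 Connection timeout
Oct 22 13:20:59 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from webserver-dmz-ip/1107 to company-internal-server/2407 flags PSH ACK  on interface dmz
"""

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
BUILT = re.compile(
    TS + r"%ASA-6-302013: Built \w+ TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<sreal>\S+)/(?P<sport>\d+) \((?P<smap>\S+)/(?P<smport>\d+)\) to "
    r"(?P<dif>\w+):(?P<dreal>\S+)/(?P<dport>\d+) \((?P<dmap>\S+)/(?P<dmport>\d+)\)")
TEARDOWN = re.compile(
    TS + r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"\w+:\S+/\d+ to \w+:\S+/\d+ duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+)$")
DENY = re.compile(
    TS + r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>.+?) +on interface (?P<iface>\w+)")


def parse_ts(s):
    """Syslog timestamps carry no year; 1900 is fine for ordering within a day."""
    return datetime.strptime(s, "%b %d %H:%M:%S")


def correlate(log_text):
    """Return one finding per idle-timeout teardown that is later followed by a
    106015 deny between the same endpoints (real or NAT-mapped address, same ports)."""
    built = {}      # conn id -> endpoint sets recorded at build time
    timeouts = []   # (time, conn id, duration, bytes)
    denies = []     # (time, src, sport, dst, dport, flags, iface)
    for line in log_text.splitlines():
        if m := BUILT.match(line):
            built[m["id"]] = (
                ({m["sreal"], m["smap"]}, {int(m["sport"]), int(m["smport"])}),  # initiator
                ({m["dreal"], m["dmap"]}, {int(m["dport"]), int(m["dmport"])}),  # responder
            )
        elif m := TEARDOWN.match(line):
            if m["reason"].strip() == "Connection timeout":
                timeouts.append((parse_ts(m["ts"]), m["id"], m["dur"], int(m["bytes"])))
        elif m := DENY.match(line):
            denies.append((parse_ts(m["ts"]), m["src"], int(m["sport"]),
                           m["dst"], int(m["dport"]), m["flags"], m["iface"]))

    findings = []
    for when, cid, dur, nbytes in timeouts:
        if cid not in built:
            continue
        (a_addrs, a_ports), (b_addrs, b_ports) = built[cid]
        for t, src, sp, dst, dp, flags, iface in denies:
            if t < when:
                continue  # a deny before the teardown belongs to some other flow
            same_flow = ((src in a_addrs and sp in a_ports and dst in b_addrs and dp in b_ports) or
                         (src in b_addrs and sp in b_ports and dst in a_addrs and dp in a_ports))
            if same_flow:
                findings.append({
                    "conn": cid, "torn_down": when, "duration": dur, "bytes": nbytes,
                    "stale_packet_at": t, "from": f"{src}/{sp}", "to": f"{dst}/{dp}",
                    "flags": flags, "iface": iface, "idle_gap": t - when,
                })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"conn {f['conn']} idle-aged after {f['duration']} ({f['bytes']} bytes); "
              f"{f['idle_gap']} later {f['from']} still sent {f['flags']} to {f['to']} on {f['iface']}")
```

On the question's log the script reports exactly one finding: the 13:20:59 PSH ACK from webserver-dmz-ip/1107 arriving 51 minutes after conn 132988 was torn down. The 10:22:35 deny is excluded because it predates the teardown and is on a different port (3215), so it belongs to an earlier, already-closed connection.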
ASKER CERTIFIED SOLUTION
harbor235 (United States of America)
This solution is only available to members of Experts Exchange.
mpwizard (ASKER):

So it should be sufficient to use, for example, a telnet client on the DMZ connecting to a server on the inside and immediately disconnecting every 10-15 minutes?

How about policy-maps?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml



Sure, but think about what is going on here. If you increase the timeouts, which means you will keep more flows in your table for a longer time, then your security posture is weakened because anyone can now open connections to your inside boxes, terminate them and open more, and your FW will not age them out. You use more resources and set yourself up for DoS attacks based on resource depletion.

The changes you make affect the application in general. I am not saying do not do it; I am saying be careful and think of the outcome. Trying to do something on the remote end for the one TCP session will not impact the rest of the resources on the firewall the way increasing the timers does.

harbor235 ;}
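The asker's policy-map question and harbor235's caveat point at the same trade-off: raising the global `timeout conn` relaxes aging for every flow the ASA tracks, while the Modular Policy Framework can override the idle timer for one matched flow only. The fragment below is an added example, not part of the original thread or of the poster's configuration. It reuses the names and the `web_navision_db` service object-group already present in the posted config; the ACL and class-map name `web_to_navision_db` is an assumption chosen for the example, and `set connection timeout tcp 0:00:00` (no idle timeout for matched flows) is shown because it answers the question as asked; a long but finite value such as 12:00:00 is the more conservative choice.

```cisco
! Option A (what harbor235 warns against): a larger global idle timer keeps
! every TCP flow on the box in the conn table longer, not just this one.
!   timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
!
! Option B: leave "timeout conn" at its default and override the idle timer
! only for the DMZ webserver -> inside database flow.
! "web_to_navision_db" is an assumed name for this example.
access-list web_to_navision_db extended permit tcp host webserver-dmz-ip host company-internal-server object-group web_navision_db
!
class-map web_to_navision_db
 match access-list web_to_navision_db
!
! Add the class to the existing global policy; 0:00:00 means the matched
! connection is never idle-aged (use e.g. 12:00:00 for a finite ceiling).
policy-map global_policy
 class web_to_navision_db
  set connection timeout tcp 0:00:00
!
! Verify the class is catching the flow and watch the conn's idle counter:
!   show service-policy global
!   show conn address 192.168.0.1
```

Because the class is keyed on the initiator-to-responder ACL (DMZ host to TCP/2407 on the database server), every other flow still ages under the 1:00:00 default, which keeps the resource-exhaustion concern raised above confined to a single, already-permitted host pair. Whichever timer value is chosen, confirm with `show conn` that the long-lived ODBC connection shows up under the new class before relying on it; newer ASA releases also offer `set connection timeout dcd`, which probes both endpoints before aging the flow, and is worth checking for on the running version.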
Just for clarification: when the ASA tears down a TCP connection due to inactivity, does it send a FIN to both endpoints?

Something I wonder about your suggested method: I can't be sure that I "refresh" the right connection, because the ODBC driver may have opened multiple connections to the database server?



It's not a proxy; it does, however, perform sequence number randomization for security purposes. So it inspects and passes the traffic through if it is allowed via the security policy and if it expects that traffic in the flow.

i.e. you cannot send a FIN through a FW if there is no flow; it expects the SYN, SYN-ACK, ACK to be there first.

Why does the connection have to stay up? Like I said, you can change the timeouts, but you are leaving yourself open, or you are weakening your security posture.

harbor235 ;}
Why it has to stay up is because of some bug in the Navision ODBC driver or in the "PHP application" used for the site.
We use SiteDirect as the web publishing tool; it is a web/PHP based tool.

It seems that the ODBC driver doesn't realize that the connection has been torn down, because it just keeps on sending data. Normal behaviour should be that ODBC starts up a new connection.
When this happens our customers can't use the webshop and we have to manually restart IIS.
I updated the ODBC driver and now it seems to work without increasing the timeout.