Solved

URGENT: Unable to RPC over HTTP thru a Cisco ASA

Posted on 2009-07-10
1,561 Views
Last Modified: 2012-05-07
What do I need to disable / enable to allow the traffic for RPC over HTTP? Are there any IPS rules that would block it or something else?

sanitized sh run below

and 2 syslog messages

6      Jul 10 2009      08:30:50      302014      xx.xxx.xxx.xx      HFS1       Teardown TCP connection 2835007 for outside:xx.xx.xx.xx.x/6319 to inside:HFS1/443 duration 0:00:00 bytes 4683 TCP FINs

6      Jul 10 2009      08:30:50      302014      xx.xx.xxx.xx       HFS1       Teardown TCP connection 2835006 for outside:xx.xx.xx.xx/6318 to inside:HFS1/443 duration 0:00:00 bytes 4718 TCP FINs
Result of the command: "sh run"

: Saved
:
ASA Version 7.2(2)
!
hostname HR1
domain-name xxx.local
enable password adgsdgsdg encrypted
names
name 10.215.77.1 HFS1 description File Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.215.77.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxx.Local
object-group service Harvego tcp
 description Ports
 port-object range 3389 3389
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list Outside_in extended permit tcp any interface outside object-group Harvego
access-list Harvego_splitTunnelAcl standard permit 10.215.77.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.215.77.0 255.255.255.0 10.215.76.0 255.255.255.0 inactive
access-list outside_cryptomap_1 extended permit ip any 10.215.77.8 255.255.255.248
access-list Harvego_splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool xxxxxxxx 10.215.77.10-10.215.77.15 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outside_cryptomap_1
nat (inside) 1 10.215.77.0 255.255.255.0
static (inside,outside) tcp interface www HFS1 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp HFS1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https HFS1 https netmask 255.255.255.255
access-group Outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.x.x.x  1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 10.215.77.1
 dns-server value 10.215.77.1
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns value xxxxxx.local
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy xxxxx internal
group-policy xxxxx attributes
 wins-server value 10.215.77.1
 dns-server value 10.215.77.1 4.2.2.2
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxxxxx_splitTunnelAcl
 default-domain value xxxxxx.Local
 split-dns value xxxxx.Local
username Terry password xxxxxxxxxxxxxxxxx encrypted privilege 5
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
username Melinda password xxxxxxxxxxxx encrypted privilege 5
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http HFS1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Authorized Personel Only!
auth-prompt accept Authentication Accepted@!
auth-prompt reject Please Try Again.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key xxxxxx
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 10.215.76.1 master timeout 2 retry 2
tunnel-group Harvego type ipsec-ra
tunnel-group Harvego general-attributes
 address-pool xxxxxxx
 default-group-policy xxxxxx
tunnel-group Harvego ipsec-attributes
 pre-shared-key xxxxxx
telnet HFS1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 port 444
 enable outside
 csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
 csd enable
 url-list xxxxxxxxx-Urls "HFS1" cifs://10.215.76.1 1
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:25cda6e063576de4d8b72cc8b97ad819
: end

Question by:piotrmikula108
8 Comments
LVL 33

Expert Comment

by:MikeKane
Step 1:   Does this work from inside the network?   Have you tested and is it successful?  

Step 2:  Is this an email server you are trying to get to?  Can you test the http port with a web page or something else?

Step 3:  If the ASA is blocking anything at all, it would show in the logs.   Use the ASDM, console, or a syslog server to view the logs and check for dropped packets etc...


Your ASA has an inspection policy that covers:
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp


If you still want to eliminate the inspection map you can disable it by using:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008085283d.shtml
Similar to 'no service-policy global_policy global'


LVL 1

Author Comment

by:piotrmikula108
Hello

I don't think I can really test it from inside as it will force a local connection and not an RPC over HTTP

Yes, it's an email server, Small Business Server. I'm able to access thru webmail on port 443.

Don't see any dropped packets only

This is the entire TCP conversation I can see in logs

6      Jul 13 2009      08:00:39      302014      66.205.148.233      HFS1       Teardown TCP connection 2871106 for outside:66.205.xxx.xxx/4722 to inside:HFS1/443 duration 0:00:00 bytes 4718 TCP FINs

6      Jul 13 2009      08:00:39      302014      66.205.xxx.xxx      HFS1       Teardown TCP connection 2871107 for outside:66.205.xxx.xxx/4723 to inside:HFS1/443 duration 0:00:00 bytes 4683 TCP FINs

6      Jul 13 2009      08:00:39      302013      66.205.xxx.xxx      HFS1       Built inbound TCP connection 2871107 for outside:66.205.xxx.xxx/4723 (66.205.xxx.xxx/4723) to inside:HFS1/443 (63.207.xxx.xxx/443)

6      Jul 13 2009      08:00:38      302013      66.205.xxx.xxx      HFS1       Built inbound TCP connection 2871106 for outside:66.205.xxx.xxx/4722 (66.205.xxx.xxx/4722) to inside:HFS1/443 (63.207.xxx.xxx/443)

let me know if you have any other ideas

thank you so much
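MikeKane's Step 3 (if the ASA blocked anything it would show in the logs) and the four 302013/302014 lines above can be checked mechanically: pair each "Built" with its "Teardown" by connection id, read the byte count and close reason, and list any 106xxx deny. The script below is an added example, not code from this thread or from Cisco. The sample lines are constructed in the same ASDM log-viewer layout as the ones posted (severity, date, time, message id, source, destination, text), with documentation addresses and made-up connection ids; the 106023 deny and the "SYN Timeout" teardown are constructed cases that do not appear in the thread.

```python
"""Read ASA connection-log lines and decide from them whether the firewall
dropped anything. Added example, not code from the thread or from Cisco."""
import re

# Constructed sample log: RFC 5737 documentation addresses, made-up connection
# ids. Message ids are the real ASA ones: 302013 build, 302014 teardown,
# 106023 denied by access-list.
SAMPLE_LOG = """\
6      Jul 13 2009      08:00:38      302013      203.0.113.10      HFS1       Built inbound TCP connection 2871106 for outside:203.0.113.10/4722 (203.0.113.10/4722) to inside:HFS1/443 (198.51.100.5/443)
6      Jul 13 2009      08:00:39      302013      203.0.113.10      HFS1       Built inbound TCP connection 2871107 for outside:203.0.113.10/4723 (203.0.113.10/4723) to inside:HFS1/443 (198.51.100.5/443)
6      Jul 13 2009      08:00:39      302014      203.0.113.10      HFS1       Teardown TCP connection 2871106 for outside:203.0.113.10/4722 to inside:HFS1/443 duration 0:00:00 bytes 4718 TCP FINs
6      Jul 13 2009      08:00:39      302014      203.0.113.10      HFS1       Teardown TCP connection 2871107 for outside:203.0.113.10/4723 to inside:HFS1/443 duration 0:00:00 bytes 4683 TCP FINs
4      Jul 13 2009      08:00:40      106023      203.0.113.10      HFS1       Deny tcp src outside:203.0.113.10/4724 dst inside:HFS1/6001 by access-group "Outside_in"
6      Jul 13 2009      08:00:41      302013      203.0.113.10      HFS1       Built inbound TCP connection 2871108 for outside:203.0.113.10/4725 (203.0.113.10/4725) to inside:HFS1/443 (198.51.100.5/443)
6      Jul 13 2009      08:00:42      302014      203.0.113.10      HFS1       Teardown TCP connection 2871108 for outside:203.0.113.10/4725 to inside:HFS1/443 duration 0:00:01 bytes 0 SYN Timeout
"""

# Column layout of one ASDM log-viewer line: sev, date, time, msgid, src, dst, text.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>\w{3} \d{1,2} \d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<msgid>\d{6})\s+\S+\s+\S+\s+(?P<text>.+)$")
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) \S+ to "
    r"(?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for .* duration (?P<dur>\S+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$")
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\"")


def analyze(log_text):
    """Return (connections keyed by ASA connection id, list of ACL denies)."""
    conns, denies = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msgid, text = m["msgid"], m["text"].strip()
        if msgid == "302013":
            b = BUILT_RE.search(text)
            if b:
                conns[b["id"]] = {"src": f'{b["src"]}/{b["sport"]}', "dst": f'{b["dst"]}/{b["dport"]}',
                                  "dst_if": b["dst_if"], "built": m["time"],
                                  "bytes": None, "reason": None, "duration": None}
        elif msgid == "302014":
            t = TEARDOWN_RE.search(text)
            if t:
                # A teardown whose build scrolled out of the buffer still gets an entry.
                c = conns.setdefault(t["id"], {"src": "?", "dst": "?", "dst_if": "?", "built": None,
                                               "bytes": None, "reason": None, "duration": None})
                c.update(bytes=int(t["bytes"]), reason=t["reason"].strip(), duration=t["dur"])
        elif msgid.startswith("106"):  # 106xxx family: packet denied by the firewall
            d = DENY_RE.search(text)
            denies.append({"time": m["time"], "msgid": msgid, "text": text,
                           "acl": d["acl"] if d else None,
                           "dst": f'{d["dst"]}/{d["dport"]}' if d else None,
                           "dport": d["dport"] if d else None})
    return conns, denies


def verdict(conn):
    """Read one build/teardown pair the way a firewall admin would."""
    if conn["reason"] is None:
        return "still open, no teardown seen"
    if "SYN Timeout" in conn["reason"]:
        return "firewall permitted the SYN but the server never answered"
    if conn["bytes"] > 0 and "FINs" in conn["reason"]:
        return "firewall passed traffic; both sides closed normally (not a firewall drop)"
    if "Reset-I" in conn["reason"]:
        return "firewall passed traffic; reset by the inside host"
    if "Reset-O" in conn["reason"]:
        return "firewall passed traffic; reset by the outside host"
    return "passed, closed for another reason: " + conn["reason"]


if __name__ == "__main__":
    conns, denies = analyze(SAMPLE_LOG)
    for cid, c in sorted(conns.items()):
        print(f'{cid}: {c["src"]} -> {c["dst_if"]}:{c["dst"]} bytes={c["bytes"]} {c["reason"]!r}: {verdict(c)}')
    for d in denies:
        print(f'{d["time"]} DENY {d["dst"]} by acl {d["acl"]}: {d["text"]}')
```

The two teardowns posted in the thread fall into the "passed traffic, both sides closed normally" case, which is why the pair of 4.7 KB exchanges on 443 is not a firewall drop: the conversation happened and ended with FINs, so whatever went wrong happened at the HTTP layer on the server. A 106xxx deny or a teardown with "SYN Timeout" would point back at the ASA or the listener instead.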
LVL 33

Expert Comment

by:MikeKane
When you try to connect, what are you seeing?    It looks to me like the ASA is passing the traffic ok....  
LVL 1

Author Comment

by:piotrmikula108
First of all, I'm unable to configure RPC over HTTP in Outlook, and then I'm unable even to OWA to that user's mailbox; however, I'm able to OWA as administrator to the server but not RPC/HTTP.

strange
LVL 1

Author Comment

by:piotrmikula108
I'm getting this when I run a test from this website https://testexchangeconnectivity.com/


Testing RPC/HTTP connectivity
       RPC/HTTP test failed
      Test Steps
       
      Attempting to Resolve the host name mail.harvego.com in DNS.
       Host successfully Resolved
      Additional Details
       IP(s) returned: 63.207.xxx.xxx
      Testing TCP Port 443 on host mail.xxxxx.com to ensure it is listening/open.
       The port was opened successfully.
      Testing SSL Certificate for validity.
       The certificate passed all validation requirements.
      Test Steps
       
      Validating certificate name
       Successfully validated the certificate name
      Additional Details
       Found hostname mail.xxxx.com in Certificate Subject Common name
      Validating certificate trust
       Certificate is trusted and all certificates are present in chain
      Additional Details
       The Certificate chain has be validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
      Testing certificate date to ensure validity
       Date Validation passed. The certificate is not expired.
      Additional Details
       Certificate is valid: NotBefore = 11/21/2008 3:12:41 PM, NotAfter = 12/14/2011 11:02:15 AM
      Testing Http Authentication Methods for URL https://mail.xxxxxx.com/rpc/rpcproxy.dll
       Http Authentication Test failed
      Additional Details
       Exception Details:
Message: The underlying connection was closed: The connection was closed unexpectedly.
Type: System.Net.WebException
Stack Trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Tools.ExRca.Tests.HttpAuthMethodsTest.GetSupportedHttpAuthMethods()
at Microsoft.Exchange.Tools.ExRca.Tests.HttpAuthMethodsTest.PerformTestReally()



hmmmm.
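The failing step in the connectivity test above (port 443 open, certificate fine, then "connection was closed unexpectedly" at /rpc/rpcproxy.dll) can be reproduced with a small probe, which also tells apart the three outcomes that matter for deciding where to look next. This is an added example, not the thread's code and not Microsoft's test; it assumes a working RPC proxy answers an unauthenticated request to /rpc/rpcproxy.dll with HTTP 401 and one WWW-Authenticate header per offered scheme. The two local servers are constructed stand-ins (one healthy, one that hangs up without replying) so the script runs offline; against a real host you would call probe_rpc_proxy(host, 443) with TLS on.

```python
"""Probe an RPC-over-HTTP proxy path the way the connectivity test does, and
classify the result. Added example, not code from the thread or from Microsoft."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RPC_PATH = "/rpc/rpcproxy.dll"


def probe_rpc_proxy(host, port, use_tls=True, timeout=5.0):
    """One unauthenticated GET to the proxy path; describe what came back."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("GET", RPC_PATH, headers={"Connection": "close"})
        resp = conn.getresponse()
        # Each WWW-Authenticate header names one scheme (Negotiate, NTLM, Basic ...).
        methods = [v.split()[0] for v in resp.headers.get_all("WWW-Authenticate") or []]
        return {"outcome": "responded", "status": resp.status, "auth_methods": methods}
    except http.client.RemoteDisconnected:
        # TCP accepted, then closed with no HTTP response: the symptom in the thread.
        return {"outcome": "closed_without_response", "status": None, "auth_methods": []}
    except OSError as e:  # refused, timed out, TLS failure (checked after the subclass above)
        return {"outcome": "connect_failed", "status": None, "auth_methods": [],
                "error": type(e).__name__}
    finally:
        conn.close()


def diagnose(result):
    """Where to look next, based on the probe result."""
    if result["outcome"] == "connect_failed":
        return "no TCP/TLS session: check the firewall static/ACL for 443 and the listener on the server"
    if result["outcome"] == "closed_without_response":
        return ("TCP session opened but the server closed it without an HTTP response: "
                "the firewall passed the request, so look at IIS and the RPC proxy on the server")
    if result["status"] == 401 and result["auth_methods"]:
        return "RPC proxy is answering; offered authentication: " + ", ".join(result["auth_methods"])
    if result["status"] in (401, 403):
        return "endpoint reachable but offers no usable challenge: check authentication on the /rpc virtual directory"
    return f"unexpected HTTP {result['status']} from the proxy path"


class HealthyProxy(BaseHTTPRequestHandler):
    """Constructed stand-in for a working RPC proxy: 401 with challenge methods."""
    def do_GET(self):
        self.send_response(401)
        for scheme in ("Negotiate", "NTLM", 'Basic realm="mail"'):
            self.send_header("WWW-Authenticate", scheme)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output clean
        pass


class BrokenProxy(BaseHTTPRequestHandler):
    """Constructed stand-in for the failure in the thread: accept, then hang up."""
    def do_GET(self):
        self.close_connection = True  # send nothing; the server closes the socket

    def log_message(self, *args):
        pass


def serve(handler):
    """Start a handler on an ephemeral loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Probe both stand-ins over plain HTTP (use_tls=False) and return the results."""
    results = {}
    for name, handler in (("healthy", HealthyProxy), ("broken", BrokenProxy)):
        srv = serve(handler)
        try:
            r = probe_rpc_proxy("127.0.0.1", srv.server_address[1], use_tls=False)
        finally:
            srv.shutdown()
            srv.server_close()
        r["diagnosis"] = diagnose(r)
        results[name] = r
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name}: {r['outcome']} status={r['status']} -> {r['diagnosis']}")
```

The "broken" case is exactly what the pasted test reported and what the ASA logs already showed: the TCP session is built and torn down with bytes exchanged, so the firewall is not the component that failed, and the place to look is the server side of the /rpc virtual directory.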
LVL 33

Expert Comment

by:MikeKane
Since it doesn't look like a firewall issue from the logs I see, this might be a little out of my area.    

Have you seen this page:
http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part1.html

LVL 1

Accepted Solution

by:
piotrmikula108 earned 0 total points
Your advice actually helped me rule out that it's indeed not a FW problem, thank you. Something broke on the server and I needed to rerun the Internet Connection Wizard on the SBS box. That restored everything to original settings.
LVL 33

Expert Comment

by:MikeKane
Well, I'm glad it's working for you then....    Happy to help.