l.yimg.com and Cisco ASA 5505

We are having issues with connecting to yahoo.com, where the connection stalls at l.yimg.com. This seems to be connected to anything that accesses yahoo.com, including their API. From what I can see in the logs, there is a SYN timeout for the connections. I'm positively stumped, so any help would be appreciated.

Here is our running config:

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name local.local
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <<external ip>> 255.0.0.0
!
interface Vlan13
 nameif Logging
 security-level 75
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan33
 nameif Shipping
 security-level 70
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan43
 nameif Database
 security-level 75
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 13
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 33
!
interface Ethernet0/5
 switchport access vlan 43
!
interface Ethernet0/6
!
interface Ethernet0/7
!

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup Logging
dns domain-lookup Database
dns server-group DNS
 name-server 166.102.165.32
 name-server 207.91.5.32
dns server-group DefaultDNS
 name-server 166.102.165.32
 name-server 207.91.5.32
 name-server 192.168.1.2
 domain-name osborne.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Shipping
 description Shipping Machines
 network-object 192.168.4.0 255.255.255.0
object-group network Database
 description Ares
 network-object 192.168.5.0 255.255.255.0
object-group network Clio
 description Logging Interface
 network-object host 192.168.2.2
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list OUT extended permit ip any any
access-list inside_nat0_outbound extended permit ip any host 192.168.2.2
access-list inside_nat0_outbound extended permit ip host 192.168.2.2 any
access-list inside_nat0_outbound extended permit ip object-group Shipping any
access-list inside_nat0_outbound extended permit ip any object-group Shipping
access-list inside_nat0_outbound remark Exempt NAT for the Database Server
access-list inside_nat0_outbound extended permit ip host 192.168.5.2 host 192.168.1.2
access-list inside_nat0_outbound remark Exempt Database from NAT
access-list inside_nat0_outbound extended permit ip any host 192.168.5.2
access-list ANY extended permit ip any any
access-list Logging_access_in extended permit ip any any
access-list Production_access_in extended permit ip any any
access-list Logging_nat_outbound extended permit ip object-group Clio any
access-list Database_access_out extended permit ip any any
access-list Production_nat0_outbound extended permit ip host 192.168.2.2 any
access-list Production_nat0_outbound extended permit ip any host 192.168.2.2
access-list Production_nat0_outbound extended permit ip any host 192.168.5.2
access-list Production_nat0_outbound extended permit ip host 192.168.5.2 any
access-list Production_access_out extended permit ip any any
access-list Shipping_nat0_outbound extended permit ip any host 192.168.2.2
access-list Shipping_nat0_outbound extended permit ip host 192.168.2.2 any
access-list Shipping_nat0_outbound extended permit ip host 192.168.5.2 any
access-list Shipping_nat0_outbound extended permit ip any host 192.168.5.2
access-list Logging_nat0_outbound extended permit ip object-group Clio object-group Shipping
access-list Shipping_access_in extended permit ip any any
access-list Shipping_nat_outbound extended permit ip any any
access-list Database_access_in extended permit ip any any
access-list Database_nat_outbound remark Allows the database to contact the mail server
access-list Database_nat_outbound extended permit ip host 192.168.5.2 any
access-list Production_nat_outbound extended permit ip any any
access-list Database_nat0_outbound extended permit ip host 192.168.5.2 object-group Shipping
access-list inbound extended permit tcp any interface outside eq smtp
access-list debug extended permit tcp any interface outside eq 9000
access-list debug extended permit ip any any inactive
pager lines 24
logging enable
logging timestamp
logging emblem
logging trap debugging
logging asdm informational
logging facility 17
logging host Logging 192.168.2.2 format emblem
logging host Database 192.168.5.2
logging permit-hostdown
logging class auth buffered debugging trap debugging
logging class bridge buffered debugging trap debugging
logging class config trap debugging
logging class ha trap debugging
logging class ids trap debugging
logging class ip trap debugging
logging class np trap debugging
logging class ospf trap debugging
logging class rip trap debugging
logging class rm trap debugging
logging class session trap debugging
logging class snmp trap debugging
logging class sys trap debugging
logging class vpdn trap debugging
logging class vpn trap debugging
logging class vpnc trap debugging
logging class vpnfo trap debugging
logging class webvpn trap debugging
logging class ca buffered debugging trap debugging
logging class email trap debugging
logging class nac trap debugging
logging class eapoudp trap debugging
logging class eap trap debugging
logging rate-limit 25 10 level 1
logging rate-limit 25 10 level 3
logging rate-limit 25 10 level 6
mtu inside 1500
mtu outside 1500
mtu Logging 1500
mtu Shipping 1500
mtu Database 1500
ip verify reverse-path interface Logging
ip verify reverse-path interface Database
ip audit name Information info action alarm drop
ip audit name Attack attack action alarm drop
ip audit interface Logging Information
ip audit interface Logging Attack
ip audit interface Shipping Information
ip audit interface Shipping Attack
no failover
monitor-interface inside
monitor-interface outside
monitor-interface Logging
monitor-interface Shipping
monitor-interface Database
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
global (Logging) 1 interface
global (Shipping) 1 interface
global (Database) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Logging) 0 access-list Logging_nat0_outbound
nat (Logging) 1 access-list Logging_nat_outbound
nat (Shipping) 0 access-list Shipping_nat0_outbound
nat (Shipping) 1 access-list Shipping_nat_outbound
nat (Database) 0 access-list Database_nat0_outbound
nat (Database) 1 access-list Database_nat_outbound
static (inside,outside) tcp interface 9000 192.168.1.50 9000 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group debug in interface outside
access-group OUT out interface outside
access-group Logging_access_in in interface Logging
access-group Shipping_access_in in interface Shipping
access-group Database_access_in in interface Database
access-group Database_access_out out interface Database
route outside 0.0.0.0 0.0.0.0 <<external ip>>
route Database 192.168.5.2 255.255.255.255 192.168.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection tcpmss 0
service resetinbound interface outside
service resetoutside
telnet timeout 5
ssh 192.168.1.47 255.255.255.255 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcp-client broadcast-flag
dhcp-client update dns server none
dhcpd dns 192.168.1.2
dhcpd lease 86400
dhcpd domain osborne.local
dhcpd auto_config inside
!
dhcpd address 192.168.2.2-192.168.2.2 Logging
dhcpd dns 192.168.1.2 interface Logging
dhcpd domain osborn.local interface Logging
dhcpd auto_config inside interface Logging
dhcpd update dns interface Logging
dhcpd enable Logging
!
dhcpd address 192.168.4.2-192.168.4.10 Shipping
dhcpd dns 192.168.1.2 interface Shipping
dhcpd auto_config inside interface Shipping
dhcpd update dns both override interface Shipping
dhcpd enable Shipping
!
dhcpd address 192.168.5.2-192.168.5.2 Database
dhcpd dns 192.168.1.2 interface Database
dhcpd domain osborne.local interface Database
dhcpd auto_config inside interface Database
dhcpd enable Database
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
ntp server 128.192.1.193 source outside prefer
ntp server 128.192.1.9 source outside prefer
ntp server 168.24.81.25 source outside prefer
Asked by: BakWoodz99

Nothing_Changed commented:
First, just to simplify things and reduce unnecessary processing time on your firewall, I suggest removing all of these access groups. As a general rule of thumb, ASAs like to permit or deny anything into interfaces, but unless there is a specific need, don't try to limit what comes OUT of an interface. Earlier versions of code (your 7.x code is very old, current is 8.2x) don't even allow it to happen and you may encounter unexpected caveats. Just deleting all of these "access-group out" statements may clear up your issue.

Also, if you apply no ACL to the inside interface, its default behavior will be to allow any traffic to any lower security interface (which is all of them), so with inside security level at 100, you're good to go. Plus, without any "access-group out", every interface will by default allow traffic that has already been allowed "into" the firewall to get out where it needs to go. The ASA security model is limiting flows in, not flows out.

no access-group inside_access_in in interface inside
no access-group inside_access_out out interface inside
no access-group OUT out interface outside
no access-group Database_access_out out interface Database


no access-list inside_access_in extended permit ip any any
no access-list inside_access_out extended permit ip any any
no access-list OUT extended permit ip any any
no access-list Database_access_out extended permit ip any any


Please test this and see if it helps your problem. If not, for the next step we will take a small packet capture at your firewall interface and have a look at the packet flow for that site. We will need the inside IP of the station you will be testing from for an ACL.


PS. Assuming you have a security plus license, I'd strongly recommend upgrading your code image to something higher than 8.2, and the ASDM to a compatible version as well.
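As an added example (not code from the question or the answer above), a small Python lint that parses an ASA 7.x-style running config and generates the "no access-group" / "no access-list" cleanup the answer recommends: it drops every outbound access-group plus an inbound "permit ip any any" ACL on a security-level 100 interface, and keeps any ACL that another access-group or a nat/match statement still references. SAMPLE_CONFIG is a constructed excerpt and the function names are my own.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the running config in the question (not the full config).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list OUT extended permit ip any any
access-list debug extended permit tcp any interface outside eq 9000
access-list debug extended permit ip any any inactive
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group debug in interface outside
access-group OUT out interface outside
"""

def parse_asa(config):
    """ACL entries, access-group bindings, per-nameif security levels, and ACL names used elsewhere."""
    acls, groups, seclevel, other_refs, nameif = defaultdict(list), [], {}, set(), None
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) (?:extended|standard) (.*)", line):
            acls[m.group(1)].append(m.group(2))          # remark lines are skipped
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            groups.append(m.groups())
        elif m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s+security-level (\d+)", line)) and nameif:
            seclevel[nameif] = int(m.group(1))
        elif not line.startswith("access-list") and (m := re.search(r"\baccess-list (\S+)", line)):
            other_refs.add(m.group(1))                   # e.g. "nat (inside) 0 access-list X"
    return acls, groups, seclevel, other_refs

def cleanup_commands(config):
    """'no' commands dropping every outbound access-group and any inbound 'permit ip any any'
    ACL on a security-level 100 interface; ACLs still referenced elsewhere are left in place."""
    acls, groups, seclevel, other_refs = parse_asa(config)
    drop = [g for g in groups if g[1] == "out" or
            (seclevel.get(g[2]) == 100 and all(e == "permit ip any any" for e in acls[g[0]]))]
    cmds = [f"no access-group {a} {d} interface {i}" for a, d, i in drop]
    still_used = {g[0] for g in groups if g not in drop} | other_refs
    for acl, _, _ in drop:
        if acl not in still_used:
            cmds += [f"no access-list {acl} extended {e}" for e in acls[acl]]
    return cmds
```

Run against the full running config from the question, it reproduces the four "no access-group" lines and the matching ACL removals the answer lists, while the "debug" ACL applied inbound on outside is left alone.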
