
ASA 5510 can't access one web site, all others fine

Posted on 2014-04-24
Last Modified: 2014-04-25
I am by no means an ASA expert; someone else configured it for us.  Anyway, here is my problem.  I can access every site on the Internet except one.

I can access the site in question using another ISP, but not from my main LAN feed.  I called our ISP and they indicated everything was fine with them.  As a test I connected a laptop outside our firewall, directly to our Internet router.  When I did that I can magically access the site!  This means our ISP is correct and the issue isn't on their end, it seems to be something in our ASA config that is causing the problem.

I have tried logging our ASA while trying to access from my desktop and I am seeing the following error:

....duration 0:00:30 bytes 0 SYN Timeout

a few seconds later I see:

....flags RST  on interface outside

The timeout message is usually displayed after approximately 30 seconds. The RST error message appears about 15 seconds after that.

I can't find anything in our configuration specifying something different for this IP address, so I don't know why the ASA is dropping packets to it.  As I said, if I move my machine to the network which the outside interface is using, I can connect up no problem.

Any suggestions on this?  It's really puzzling this occurs with this one web site only.

Feedback appreciated.
Question by DrakeCA

17 Comments
 
Expert Comment by Rafael (LVL 10)
Is that IP listed in any policies that are preventing or blocking it?
From the CLI execute "sh access-group" and see if the IP is tied to any ACLs.

Also, here is an ASA link to Cisco on allowing or blocking an IP, as well as the whole book if needed.

This is minor and should get you taken care of.

-Rafael
 
Expert Comment by BigPapaGotti (LVL 9)
Can you tell us what the website/IP address is that you are trying to get to, and post your running configuration of the ASA? If so, be sure to sanitize the configuration so we do not see any external IP addresses or passwords.
 
Expert Comment by Hassan Besher (LVL 6)
Show me the result of the following command, plus a #sh run of the ASA:

CiscoASA# packet-tracer input inside tcp [ONE OF YOUR INSIDE IPs] 54444 [DESTINATION WEB SERVER IP ADDRESS] http detailed
 

Author Comment by DrakeCA
The IP address doesn't show up in any ACL.  I checked this before, but just verified again.
 

Author Comment by DrakeCA
Here are the results of the packet-tracer command:

Result of the command: "packet-tracer input inside tcp 10.79.5.71 54444 203.143.82.157 http detailed"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd56709a0, priority=1, domain=permit, deny=false
      hits=1896210657, user_data=0x0, cs_id=0x0, l3_type=0x8
      src mac=0000.0000.0000, mask=0000.0000.0000
      dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 10.79.5.0 255.255.255.0 any
access-list inside_access_in remark Alllow connections for PPTP
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd581ac88, priority=12, domain=permit, deny=false
      hits=19473753, user_data=0xd581ac48, cs_id=0x0, flags=0x0, protocol=0
      src ip=10.79.5.0, mask=255.255.255.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd5673470, priority=0, domain=permit-ip-option, deny=true
      hits=86779213, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (38.112.X.X)
    translate_hits = 31246392, untranslate_hits = 1534368
Additional Information:
Dynamic translate Craig_Temp/54444 to 38.112.X.X/63078 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xd57ba930, priority=1, domain=nat, deny=false
      hits=31256400, user_data=0xd5796060, cs_id=0x0, flags=0x0, protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (38.112.X.X)
    translate_hits = 31246392, untranslate_hits = 1534368
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd5682b90, priority=1, domain=host, deny=false
      hits=53690755, user_data=0xd5796060, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd55c6f50, priority=0, domain=permit-ip-option, deny=true
      hits=60615266, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 92440388, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 38.112.X.Y using egress ifc outside
adjacency Active
next-hop mac address 0030.190e.ff30 hits 29005

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
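As an added example (not part of the original thread), here is a small Python parser for packet-tracer output like the trace above. It splits the output into phases, reports the first phase whose Result is not ALLOW together with the Config lines of that phase, and picks up the Drop-reason line the ASA prints after "Action: drop". The first sample is an abridged copy of the trace posted above; the second is constructed for illustration and uses an invented deny ACE for 192.0.2.10 (a TEST-NET-1 address), not anything from this configuration.

```python
import re

# Constructed sample 1: abridged from the packet-tracer output posted above
# (phases 1, 4 and 10 of the ten; verdict "allow").
SAMPLE_ALLOW = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 10.79.5.0 255.255.255.0 any

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 38.112.X.Y using egress ifc outside

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Constructed sample 2 (invented, not from this ASA): same trace shape, but
# phase 4 hits a deny ACE for 192.0.2.10 and the ASA reports a drop reason.
SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any host 192.0.2.10

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")


def parse_packet_tracer(text):
    """Return (phases, action, drop_reason) from packet-tracer output."""
    phases, current, field = [], None, None
    action = drop_reason = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            field = None
        elif line == "Result:":            # trailing summary block, not a phase
            current, field = None, None
        elif line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
        elif line.startswith("Drop-reason:"):
            drop_reason = line.split(":", 1)[1].strip()
        elif current is None:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, value = line.split(":", 1)
            current[key.lower()] = value.strip()
            field = None
        elif line == "Config:":
            field = "config"
        elif line == "Additional Information:":
            field = "info"
        elif field and line.strip():
            current[field].append(line.strip())
    return phases, action, drop_reason


def first_drop(phases):
    """The first phase whose Result is not ALLOW, or None."""
    for p in phases:
        if p["result"] != "ALLOW":
            return p
    return None


def summarize(text):
    phases, action, reason = parse_packet_tracer(text)
    drop = first_drop(phases)
    return {
        "action": action,
        "phase_types": [p["type"] for p in phases],
        "drop": None if drop is None else {
            "phase": drop["phase"], "type": drop["type"],
            "config": drop["config"], "reason": reason},
    }


if __name__ == "__main__":
    for name, sample in (("allow", SAMPLE_ALLOW), ("drop", SAMPLE_DROP)):
        print(name, summarize(sample))
```

A trace that ends in "Action: allow", as the one above does, only proves that the ASA's policy path would not drop that synthetic packet; it says nothing about what the remote end does with the real SYN, which is why the capture steps that follow were still needed.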
 
Expert Comment by Hassan Besher (LVL 6)
It looks good to me.
OK, let us capture traffic between 10.79.5.71 and your web server:

#access-list testcap extended permit ip host 10.79.5.71 host 203.143.82.157
#capture testcap interface inside access-list testcap

- open your browser from 10.79.5.71 to the web server, then after it has timed out:

#no capture testcap

then give me the result either way:

1) https://ASA_INTERNAL_IP/admin/capture/testcap

OR

2) # show capture testcap

I will need to see your #sh run too!
 

Author Comment by DrakeCA
I tried running the commands above and it accepted everything except the last one.  I get the response:

ERROR: Capture <testcap> does not exist
 
Expert Comment by Hassan Besher (LVL 6)
# sh run
 

Author Comment by DrakeCA
OK.

This is what I get using the wizard on the inside interface:

9 packets captured
   1: 13:53:55.077220 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   2: 13:53:55.077480 10.79.5.71.51568 > 203.143.82.157.80: S 1847966989:1847966989(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   3: 13:53:58.075435 10.79.5.71.51568 > 203.143.82.157.80: S 1847966989:1847966989(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   4: 13:53:58.078395 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   5: 13:54:04.081782 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,nop,sackOK>
   6: 13:54:04.081813 10.79.5.71.51568 > 203.143.82.157.80: S 1847966989:1847966989(0) win 8192 <mss 1460,nop,nop,sackOK>
   7: 13:54:16.081752 10.79.5.71.51593 > 203.143.82.157.80: S 4203007611:4203007611(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   8: 13:54:19.080821 10.79.5.71.51593 > 203.143.82.157.80: S 4203007611:4203007611(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   9: 13:54:25.077205 10.79.5.71.51593 > 203.143.82.157.80: S 4203007611:4203007611(0) win 8192 <mss 1460,nop,nop,sackOK>
9 packets shown
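The capture above already contains the diagnosis: three client SYNs per attempt (at +0 s, +3 s and +6 s, the client's own retry backoff) and not one packet back from 203.143.82.157. As an added example, not part of the original thread, here is a Python script that reads "show capture" output in that format, groups packets into flows and classifies each one as established, refused (server sent RST) or unanswered. The first nine sample lines are the ones posted above; the two extra flows to 198.51.100.10 and 198.51.100.20 (TEST-NET-2 addresses) are constructed so that a working handshake and an active refusal show up next to the silent one. Two practical notes: "no capture testcap" deletes the capture and its buffer, so "show capture testcap" has to run before it; and an inside-interface capture cannot tell an ASA drop from an upstream one, so the same capture should be repeated on the outside interface (the source will then be the translated 38.112.X.X address). If the SYNs leave on outside and nothing returns, the drop is beyond the ASA, which is what the final update in this thread confirmed.

```python
import re

# Constructed sample: the nine lines from the inside-interface capture posted
# above, followed by two invented flows to 198.51.100.10 and 198.51.100.20
# (TEST-NET-2 addresses, not hosts from this thread) so that a completed
# handshake and an active refusal are visible next to the silent one.
SAMPLE_CAPTURE = """\
   1: 13:53:55.077220 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   2: 13:53:55.077480 10.79.5.71.51568 > 203.143.82.157.80: S 1847966989:1847966989(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   3: 13:53:58.075435 10.79.5.71.51568 > 203.143.82.157.80: S 1847966989:1847966989(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   4: 13:53:58.078395 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   5: 13:54:04.081782 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,nop,sackOK>
   6: 13:54:04.081813 10.79.5.71.51568 > 203.143.82.157.80: S 1847966989:1847966989(0) win 8192 <mss 1460,nop,nop,sackOK>
   7: 13:54:16.081752 10.79.5.71.51593 > 203.143.82.157.80: S 4203007611:4203007611(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   8: 13:54:19.080821 10.79.5.71.51593 > 203.143.82.157.80: S 4203007611:4203007611(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   9: 13:54:25.077205 10.79.5.71.51593 > 203.143.82.157.80: S 4203007611:4203007611(0) win 8192 <mss 1460,nop,nop,sackOK>
  10: 13:55:01.000000 10.79.5.71.51600 > 198.51.100.10.80: S 1:1(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
  11: 13:55:01.020000 198.51.100.10.80 > 10.79.5.71.51600: S 9:9(0) ack 2 win 65535 <mss 1380>
  12: 13:55:01.020500 10.79.5.71.51600 > 198.51.100.10.80: . ack 10 win 2048
  13: 13:55:05.000000 10.79.5.71.51601 > 198.51.100.20.80: S 5:5(0) win 8192 <mss 1460,nop,nop,sackOK>
  14: 13:55:05.030000 198.51.100.20.80 > 10.79.5.71.51601: R 0:0(0) ack 6 win 0
"""

LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SRPF.]+)\s+(?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back \d+")


def parse_capture(text):
    """Parse ASA 'show capture' lines into packet dicts (TCP only)."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "t": int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"]),
            "src": (m["src"], int(m["sport"])),
            "dst": (m["dst"], int(m["dport"])),
            "flags": m["flags"],
            "ack": bool(ACK_RE.search(m["rest"])),
        })
    return packets


def analyze_flows(packets):
    """Group packets by endpoint pair; the first sender is treated as the client."""
    flows = {}
    for p in packets:
        key = tuple(sorted((p["src"], p["dst"])))
        f = flows.setdefault(key, {"client": p["src"], "server": p["dst"],
                                    "syn_times": [], "synack": False,
                                    "rst_from_server": False, "client_ack": False})
        from_client = p["src"] == f["client"]
        if from_client and "S" in p["flags"] and not p["ack"]:
            f["syn_times"].append(p["t"])          # SYN or SYN retransmission
        elif not from_client and "S" in p["flags"] and p["ack"]:
            f["synack"] = True                     # server answered
        elif not from_client and "R" in p["flags"]:
            f["rst_from_server"] = True            # server actively refused
        elif from_client and p["ack"] and f["synack"]:
            f["client_ack"] = True                 # third leg of the handshake
    return flows


def verdict(f):
    if f["synack"]:
        return "ESTABLISHED" if f["client_ack"] else "SYNACK_SEEN"
    if f["rst_from_server"]:
        return "REFUSED"
    return "NO_RESPONSE" if len(f["syn_times"]) >= 2 else "SINGLE_SYN"


def report(text):
    """Map (client, server) -> verdict, SYN count and the gaps between retries."""
    results = {}
    for f in analyze_flows(parse_capture(text)).values():
        times = f["syn_times"]
        results[(f["client"], f["server"])] = {
            "verdict": verdict(f),
            "syn_count": len(times),
            "retry_gaps_s": [round(b - a, 1) for a, b in zip(times, times[1:])],
        }
    return results


def unanswered_servers(results):
    """Server IPs for which every captured flow was NO_RESPONSE."""
    by_server = {}
    for (_, server), r in results.items():
        by_server.setdefault(server[0], []).append(r["verdict"])
    return {ip for ip, vs in by_server.items() if all(v == "NO_RESPONSE" for v in vs)}


if __name__ == "__main__":
    res = report(SAMPLE_CAPTURE)
    for (client, server), r in sorted(res.items()):
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}  {r}")
    print("never answered:", unanswered_servers(res))
```

Run against the sample, every flow to 203.143.82.157 comes back NO_RESPONSE with retry gaps of 3.0 and 6.0 seconds, while the two constructed flows are ESTABLISHED and REFUSED. A server that never answers and never resets is the signature of silent filtering somewhere on the path, which a local ACL or NAT problem on the ASA would normally show up as a drop counter instead.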
 
Expert Comment by Hassan Besher (LVL 6)
#show asp drop
 

Author Comment by DrakeCA
Result of the command: "sh asp drop"

Frame drop:
  Invalid encapsulation (invalid-encap)                                      525
  Invalid TCP Length (invalid-tcp-hdr-length)                                214
  Invalid UDP Length (invalid-udp-length)                                      8
  Flow is denied by configured rule (acl-drop)                          21494160
  Invalid SPI (np-sp-invalid-spi)                                              1
  First TCP packet not SYN (tcp-not-syn)                                 2922037
  Bad TCP flags (bad-tcp-flags)                                               85
  TCP data send after FIN (tcp-data-past-fin)                                 40
  TCP failed 3 way handshake (tcp-3whs-failed)                             67095
  TCP RST/FIN out of order (tcp-rstfin-ooo)                              1907454
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                         25701
  TCP SYNACK on established conn (tcp-synack-ooo)                            103
  TCP packet SEQ past window (tcp-seq-past-win)                            30140
  TCP invalid ACK (tcp-invalid-ack)                                         3557
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                      42
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                  2
  TCP RST/SYN in window (tcp-rst-syn-in-win)                              120829
  TCP packet failed PAWS test (tcp-paws-fail)                             200036
  CTM returned error (ctm-error)                                               1
  IPSEC tunnel is down (ipsec-tun-down)                                       25
  Slowpath security checks failed (sp-security-failed)                     46918
  Expired flow (flow-expired)                                                  3
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          6
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)                                   108
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                       709
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)         16
  DNS Inspect packet too long (inspect-dns-pak-too-long)                      33
  DNS Inspect id not matched (inspect-dns-id-not-matched)                   2795
  FP L2 rule drop (l2_acl)                                              40112675
  Interface is down (interface-down)                                           5
  Dropped pending packets in a closed socket (np-socket-closed)            17606

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                                    162
  NAT reverse path failed (nat-rpf-failed)                                    28
  Need to start IKE negotiation (need-ike)                                   748
  Inspection failure (inspect-fail)                                       190300
  SSL bad record detected (ssl-bad-record-detect)                             71
  SSL handshake failed (ssl-handshake-failed)                                 54
  SSL malloc error (ssl-malloc-error)                                          9
  SSL received close alert (ssl-received-close-alert)                          2

Last clearing: Never
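The counters above have never been cleared ("Last clearing: Never"), so their absolute values say nothing about this one web site. What a practitioner wants is the delta: take a snapshot, retry the site a known number of times, take another snapshot, and look for a counter that moved by exactly that number (or run "clear asp drop" first, in which case the second snapshot is the delta on its own). As an added example, not part of the original thread, the Python below parses "show asp drop" output into (section, counter) pairs and reports what increased between two snapshots. BEFORE is an abridged copy of the output posted above; AFTER is constructed with invented numbers in which only background counters moved, so nothing lines up with the three retries, which is the result you would expect when the ASA is not the one dropping the flow.

```python
import re

# Constructed sample: abridged copy of the "show asp drop" output posted above,
# used as the baseline snapshot BEFORE reproducing the failure.
BEFORE = """\
Frame drop:
  Invalid encapsulation (invalid-encap)                                      525
  Flow is denied by configured rule (acl-drop)                          21494160
  First TCP packet not SYN (tcp-not-syn)                                 2922037
  TCP failed 3 way handshake (tcp-3whs-failed)                             67095
  TCP RST/SYN in window (tcp-rst-syn-in-win)                              120829
  FP L2 rule drop (l2_acl)                                              40112675

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                                    162
  NAT reverse path failed (nat-rpf-failed)                                    28
  Inspection failure (inspect-fail)                                       190300

Last clearing: Never
"""

# Constructed sample (invented numbers): the same output a minute later, after
# retrying the web site three times. Only unrelated background counters moved.
AFTER = """\
Frame drop:
  Invalid encapsulation (invalid-encap)                                      525
  Flow is denied by configured rule (acl-drop)                          21494172
  First TCP packet not SYN (tcp-not-syn)                                 2922037
  TCP failed 3 way handshake (tcp-3whs-failed)                             67095
  TCP RST/SYN in window (tcp-rst-syn-in-win)                              120830
  FP L2 rule drop (l2_acl)                                              40112715

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                                    162
  NAT reverse path failed (nat-rpf-failed)                                    28
  Inspection failure (inspect-fail)                                       190300

Last clearing: Never
"""

COUNTER_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return ({(section, name): {"desc", "count"}}, last_clearing)."""
    counters, section, last_clearing = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("drop:"):                 # "Frame drop:" / "Flow drop:"
            section = s[:-1]
        elif s.startswith("Last clearing:"):
            last_clearing = s.split(":", 1)[1].strip()
        else:
            m = COUNTER_RE.match(line)
            if m and section:
                counters[(section, m["name"])] = {"desc": m["desc"],
                                                  "count": int(m["count"])}
    return counters, last_clearing


def drop_deltas(before_text, after_text):
    """Counters that increased between two snapshots, largest delta first."""
    before, _ = parse_asp_drop(before_text)
    after, _ = parse_asp_drop(after_text)
    deltas = []
    for key, a in after.items():
        b = before.get(key, {"count": 0})["count"]
        if a["count"] - b > 0:
            deltas.append({"section": key[0], "name": key[1],
                           "desc": a["desc"], "delta": a["count"] - b})
    deltas.sort(key=lambda d: -d["delta"])
    return deltas


def moved_in_step(deltas, attempts):
    """Names of counters whose increase equals the number of attempts made."""
    return {d["name"] for d in deltas if d["delta"] == attempts}


if __name__ == "__main__":
    changed = drop_deltas(BEFORE, AFTER)
    for d in changed:
        print(f"{d['section']:<10} {d['name']:<22} +{d['delta']:<6} {d['desc']}")
    print("moved in step with 3 retries:", moved_in_step(changed, 3) or "nothing")
```

On a busy ASA the background noise (acl-drop and l2_acl here) will always move; the signal is a counter whose delta matches the retry count, or, with "clear asp drop" run first, a counter that is non-zero only while the failing site is being retried.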
 
Expert Comment by Hassan Besher (LVL 6)
Well, it has become more confusing now! I have some doubts about MSS, and I am really not sure if it is going to fix this case or not, but let's try:

ASA#configure terminal
ASA(config)#access-list http-list2 permit tcp any any
ASA(config)#class-map http-map1
ASA(config-cmap)#match any
ASA(config-cmap)#exit
ASA(config)#tcp-map mss-map
ASA(config-tcp-map)#exceed-mss allow
ASA(config-tcp-map)#exit
ASA(config)#policy-map http-map1
ASA(config-pmap)#class http-map1
ASA(config-pmap-c)#set connection advanced-options mss-map
ASA(config-pmap-c)#exit
ASA(config-pmap)#exit
ASA(config)#service-policy http-map1 global
 

Author Comment by DrakeCA
I am hesitant to add more complexity to our system.  Currently I can't ping the IP of the web server from inside our network, but I can ping it from the other side of the ASA.  From what I read I believe MSS only relates to HTTP traffic.

Thoughts??

P.S.  I truly appreciate your efforts so far, I've learned some new ways to get info out of the ASA which will come in helpful down the road.
 
Accepted Solution by Hassan Besher (LVL 6, earned 500 total points)
Just save your current stable config and apply the above commands; if there is still no difference, reboot your ASA to revert to your old stable config. Just my 2 cents!
 
Expert Comment by BigPapaGotti (LVL 9)
What is the website that you are trying to visit? The complete URL will be most helpful. Is it using port 80 or another port? Are you able to provide us with a sanitized running configuration of your ASA?

By default the ASA will block pings (ICMP), so you would need to adjust your ACLs in order to get this to work, but more importantly we need to focus on what the issue is with the website and your internal network. Do you have an IPS sensor on your ASA 5510?
 

Author Comment by DrakeCA
Hi guys, time for an update.

Even though I asked the remote site multiple times, and they insisted everything was fine on their end, they finally had a senior engineer look at their firewall.  Apparently someone had added our firewall's IP address to a blacklist and it was blocking our access.  As soon as he took it out, I could magically access the site.

Sorry for wasting everyone's time yesterday, I do appreciate all efforts on this!
