Cisco ASA5505 blocking website

I am an IT consultant and recently one of my clients using a Cisco ASA5505 firewall stopped being able to use the rental car search through Alaska Airlines website. Checking the logs, I see deny entries for IPs that resolve to AWS. I am guessing that they are doing some sort of hand-off to a cloud server for the search and the firewall blocks it. I verified that this occurs for all my clients using an ASA5505 that try to search for rental cars through that site (hotel searches work), but is not an issue on 5506/5508 so I am guessing it is part of the default config. The default DNS limit is in place: policy-map type inspect dns preset_dns_map > parameters > message-length maximum 512, but the same issue occurred when I removed this limit. Is there an easy way to resolve this without sacrificing security?
fisher_king Asked:
Pete Long (Technical Consultant) Commented:
>>I am guessing that they are doing some sort of hand-off to a cloud server for the search and the firewall blocks it

I doubt it unless you have WCCP or Websense? or something plugged in the slot on the back of the firewall (AIP-SSC inspection module)

>>I see deny entries for IPs that resolve to AWS

What's the URL? And what IP are you trying to get to?
0
fisher_king (Author) Commented:
Thanks for the reply. The URL is based on the search for the rental car. Here's a sample that failed: https://alaskatrips.poweredbygps.com/carsearch?dagv=1&subm=1&fdrp=&styp=4&locn=Anchorage%2C%20AK%20(ANC-Ted%20Stevens%20Anchorage%20Intl.)&rfrr=page.partner.carrental.Wizard&date1=05/05/2018&date2=05/06/2018&vend=&kind=1&time1=1030AM&time2=1030AM&ttyp=2&acop=2&rdus=10&rdct=1

It's long, but according to MS Word it's 275 characters. For this test, there were no deny entries in the ASA log so that's not the issue. I would upload the log, but need to scrub the public IP first.

I will be out of the office the rest of the week, but will try to respond before next week if possible. Thanks again.
0
Pete Long (Technical Consultant) Commented:
TBH - this sounds more like a browser/certificate problem?

the cert on the site is fine.....

Common name: poweredbygps.com
SANs: poweredbygps.com, chains.poweredbygps.com, demo.poweredbygps.com, hawaiian.poweredbygps.co.kr, riuvacations.poweredbygps.com, admin.poweredbygps.com, hawaiian.poweredbygps.co.nz, hawaiian.poweredbygps.co.jp, d-travel.poweredbygps.co.jp, hawaiian.poweredbygps.com, barcelo.poweredbygps.com, poweredbygps.co.uk, alaskatrips.poweredbygps.com, vacationsbymarriott.poweredbygps.com, hawaiian.poweredbygps.com.au, barcelo.poweredbygps.co.uk, chains.poweredbygps.co.uk
Organization: Expedia, Inc.
Location: Bellevue, Washington, US
Valid from February 21, 2018 to September 9, 2018
Serial Number: 0fd2df6f7fb75171c0d48fc4c43597f3
Signature Algorithm: ecdsa-with-SHA256
Issuer: DigiCert ECC Secure Server CA
Common name: DigiCert ECC Secure Server CA
Organization: DigiCert Inc
Location: US
Valid from March 8, 2013 to March 8, 2023
Serial Number: 0acb28ba465ee53908767470f3cdc612
Signature Algorithm: sha384WithRSAEncryption
Issuer: DigiCert Global Root CA

Can you replicate this problem across multiple browsers, on multiple client machines?
Do you have a Proxy Server?
0
fisher_king (Author) Commented:
Thanks for the reply.

There is no proxy server (at any of my client locations). I was able to run a successful search using IE and Firefox from my computer and server, which are behind an ASA5506. I was unable to run a search from 3 client servers using IE or Firefox, all of which are behind an ASA5505. I am almost certain it is the ASA causing it, but I can't see it in the event log. I will remove all the default inspection code and test. If that solves it, I'll add items back individually to isolate the cause. I'll send an update when I get a chance to test it further.
0
fisher_king (Author) Commented:
I tried removing all of the following, but the problem remained:

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map
0
Pete Long (Technical Consultant) Commented:
This is all I have set on mine

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect ipsec-pass-thru
  inspect pptp

To be sure it's the ASA:

show run access-group

One will be applied to your inside interface in the 'in' direction, i.e.

access-group inside_access_out in interface inside

Remove that by going to configure terminal mode and issuing the same command with a no in front of it (obviously use your ACL name and interface name if different), i.e.

no access-group inside_access_out in interface inside

then try again. If it works now IT'S THE ASA; if it's still broken it's not the ASA.

Don't forget to turn the ACL back on again by re-running the above command (without the no prefix).

Pete
0
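The thread's isolation step hinges on whether the ASA log actually records denies for the traffic in question, and whether those denies are attributable to the inside access-group. The following Python script is an added example (not code from the thread, from Experts Exchange, or from Cisco) that parses ASA syslog lines in the %ASA-4-106023 "Deny ... by access-group" format, groups the denies by destination, port and ACL name, and flags destinations that fall inside a watch list of prefixes. The log lines and the prefix 52.94.0.0/16 are constructed sample data; in practice the watch list would be fed from the provider's published address ranges (for AWS, the ip-ranges.json file), and the ACL name inside_access_out is taken from the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample ASA syslog lines (not taken from the thread). Only the
# 106023 "Deny ... by access-group" messages are denies; 106100 is a permit.
SAMPLE_LOG = """\
Apr 30 2018 10:31:02 asa5505 %ASA-4-106023: Deny tcp src inside:192.168.1.25/52110 dst outside:52.94.10.20/443 by access-group "inside_access_out" [0x0, 0x0]
Apr 30 2018 10:31:02 asa5505 %ASA-4-106023: Deny tcp src inside:192.168.1.25/52111 dst outside:52.94.10.20/443 by access-group "inside_access_out" [0x0, 0x0]
Apr 30 2018 10:31:05 asa5505 %ASA-6-106100: access-list inside_access_out permitted tcp inside/192.168.1.25(52112) -> outside/104.16.20.5(443) hit-cnt 1 first hit [0x1, 0x0]
Apr 30 2018 10:31:07 asa5505 %ASA-4-106023: Deny udp src inside:192.168.1.40/61000 dst outside:8.8.8.8/53 by access-group "inside_access_out" [0x0, 0x0]
"""

# Pattern for the 106023 message: protocol, source interface/IP/port,
# destination interface/IP/port and the access-group that produced the deny.
DENY_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per 106023 deny line; every other message is skipped."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_106023.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        denies.append(d)
    return denies


def summarize(denies, watch_prefixes):
    """Group denies by (dst, dport, acl) and flag destinations in the watch list.

    watch_prefixes is a list of CIDR strings; here it stands in for a
    provider's published address ranges (assumption: you load them yourself).
    """
    nets = [ip_network(p) for p in watch_prefixes]
    summary = {}
    for d in denies:
        key = (d["dst"], d["dport"], d["acl"])
        entry = summary.setdefault(key, {
            "count": 0,
            "sources": set(),
            "in_watchlist": any(ip_address(d["dst"]) in n for n in nets),
        })
        entry["count"] += 1
        entry["sources"].add(d["src"])
    return summary


if __name__ == "__main__":
    # 52.94.0.0/16 is a constructed sample prefix, not an asserted provider range.
    result = summarize(parse_denies(SAMPLE_LOG), ["52.94.0.0/16"])
    for (dst, dport, acl), info in sorted(result.items()):
        flag = "WATCHLIST" if info["in_watchlist"] else "-"
        print(f"{dst}:{dport} acl={acl} denies={info['count']} "
              f"sources={sorted(info['sources'])} {flag}")
```

If the summary is empty for the destinations the failing search reaches, the ASA is not logging a deny for that traffic, which lines up with the thread's conclusion that the access-group is not the cause; if it does show denies against inside_access_out, the ACL (not the inspection policy) is the place to look.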

fisher_king (Author) Commented:
It still didn't work with the change. I also found that it's not working behind an ASA5508, so I am now in agreement with you that it's not the ASA. I tried changing the DNS forwarder (from Google to the local ISP), but that didn't solve it either. I will try to contact the website to get their assistance now that I'm certain it's not the ASA. Thanks for your help isolating it.
0
fisher_king (Author) Commented:
See my last comment
1