Cisco ASA5505 blocking website

I am an IT consultant and recently one of my clients using a Cisco ASA5505 firewall stopped being able to use the rental car search through Alaska Airlines website. Checking the logs, I see deny entries for IPs that resolve to AWS. I am guessing that they are doing some sort of hand-off to a cloud server for the search and the firewall blocks it. I verified that this occurs for all my clients using an ASA5505 that try to search for rental cars through that site (hotel searches work), but is not an issue on 5506/5508 so I am guessing it is part of the default config. The default DNS limit is in place: policy-map type inspect dns preset_dns_map > parameters > message-length maximum 512, but the same issue occurred when I removed this limit. Is there an easy way to resolve this without sacrificing security?
Asked by fisher_king

Pete Long (Technical Consultant) commented:
>>I am guessing that they are doing some sort of hand-off to a cloud server for the search and the firewall blocks it

I doubt it, unless you have WCCP or Websense, or something plugged into the slot on the back of the firewall (AIP-SSC inspection module)?

>>I see deny entries for IPs that resolve to AWS

What's the URL, and what IP are you trying to get to?

fisher_king (Author) commented:
Thanks for the reply. The URL is based on the search for the rental car. Here's a sample that failed: https://alaskatrips.poweredbygps.com/carsearch?dagv=1&subm=1&fdrp=&styp=4&locn=Anchorage%2C%20AK%20(ANC-Ted%20Stevens%20Anchorage%20Intl.)&rfrr=page.partner.carrental.Wizard&date1=05/05/2018&date2=05/06/2018&vend=&kind=1&time1=1030AM&time2=1030AM&ttyp=2&acop=2&rdus=10&rdct=1

It's long, but according to MS Word it's 275 characters. For this test, there were no deny entries in the ASA log so that's not the issue. I would upload the log, but need to scrub the public IP first.

I will be out of the office the rest of the week, but will try to respond before next week if possible. Thanks again.

Pete Long (Technical Consultant) commented:
TBH, this sounds more like a browser/certificate problem?

The cert on the site is fine:

Common name: poweredbygps.com
SANs: poweredbygps.com, chains.poweredbygps.com, demo.poweredbygps.com, hawaiian.poweredbygps.co.kr, riuvacations.poweredbygps.com, admin.poweredbygps.com, hawaiian.poweredbygps.co.nz, hawaiian.poweredbygps.co.jp, d-travel.poweredbygps.co.jp, hawaiian.poweredbygps.com, barcelo.poweredbygps.com, poweredbygps.co.uk, alaskatrips.poweredbygps.com, vacationsbymarriott.poweredbygps.com, hawaiian.poweredbygps.com.au, barcelo.poweredbygps.co.uk, chains.poweredbygps.co.uk
Organization: Expedia, Inc.
Location: Bellevue, Washington, US
Valid from February 21, 2018 to September 9, 2018
Serial Number: 0fd2df6f7fb75171c0d48fc4c43597f3
Signature Algorithm: ecdsa-with-SHA256
Issuer: DigiCert ECC Secure Server CA

Common name: DigiCert ECC Secure Server CA
Organization: DigiCert Inc
Location: US
Valid from March 8, 2013 to March 8, 2023
Serial Number: 0acb28ba465ee53908767470f3cdc612
Signature Algorithm: sha384WithRSAEncryption
Issuer: DigiCert Global Root CA
Can you replicate this problem across multiple browsers, on multiple client machines?
Do you have a Proxy Server?

fisher_king (Author) commented:
Thanks for the reply.

There is no proxy server (at any of my client locations). I was able to run a successful search using IE and Firefox from my computer and server, which are behind an ASA5506. I was unable to run a search from 3 client servers using IE or Firefox, all of which are behind an ASA5505. I am almost certain it is the ASA causing it, but I can't see it in the event log. I will remove all the default inspection code and test. If that solves it, I'll add items back individually to isolate the cause. I'll send an update when I get a chance to test it further.

fisher_king (Author) commented:
I tried removing all of the following, but the problem remained:

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map

Pete Long (Technical Consultant) commented:
This is all I have set on mine:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect ipsec-pass-thru
  inspect pptp

To be sure it's the ASA:

show run access-group

One will be applied to your inside interface in the 'in' direction, i.e.

access-group inside_access_out in interface inside

Remove that by going to configure terminal mode and issuing the same command with a "no" in front of it (obviously use your ACL name and interface name if different), i.e.

no access-group inside_access_out in interface inside

Then try again: if it works now, IT'S THE ASA; if it's still broken, it's not the ASA.

Don't forget to turn the ACL back on again, by re-running the above command again, (without the no prefix).

Pete

fisher_king (Author) commented:
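The isolation procedure in the reply above (list the access-group bindings, drop the one on the inside interface, test, then put it back) is easy to get wrong when you are doing it on several customer firewalls, and the question also turns on telling an ACL deny apart from an inspection-engine drop. The following is an added example, not code from the thread or from Cisco: it parses pasted "show run access-group" output to build the disable/restore command pair for one interface and direction, and it counts %ASA-4-106023 ACL denies in pasted syslog text by ACL, destination and port. The CLI and syslog sample text is constructed here in approximately the ASA format, and the ACL/interface names are the ones used in the reply; they are assumptions, not anything taken from the poster's firewalls.

```python
"""Offline helpers for the ASA isolation steps above (added example, not from
the thread). Parses pasted CLI output and syslog text; nothing talks to a box.

Assumptions (not from the original post): 'show run access-group' lines have
the form 'access-group <acl> <in|out> interface <ifc>', and ACL denies are
logged as %ASA-4-106023 in the documented shape. Sample text is constructed."""
import re
from collections import Counter

ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+(?P<dir>in|out)\s+interface\s+(?P<ifc>\S+)",
    re.MULTILINE,
)

# %ASA-4-106023: Deny tcp src inside:10.0.0.5/51234 dst outside:203.0.113.10/443
#                by access-group "inside_access_out" [0x0, 0x0]
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sifc>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+)'
    r' dst (?P<difc>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample output; interface and ACL names match the reply above.
SAMPLE_SHOW_RUN = """\
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
"""

# Constructed sample syslog: two ACL denies to one host, one unrelated
# connection-built message that must not be counted.
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny tcp src inside:192.168.1.20/52110 dst outside:203.0.113.10/443 by access-group "inside_access_out" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.20/52111 dst outside:203.0.113.10/443 by access-group "inside_access_out" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.11/443 (203.0.113.11/443) to inside:192.168.1.20/52112 (198.51.100.1/52112)
"""


def parse_access_groups(show_run: str):
    """Return (acl, direction, interface) for every access-group binding."""
    return [(m["acl"], m["dir"], m["ifc"]) for m in ACCESS_GROUP_RE.finditer(show_run)]


def toggle_commands(show_run: str, interface: str = "inside", direction: str = "in"):
    """Build (disable, restore) command pairs for the ACL bound to one
    interface/direction, so the restore step is generated up front and
    cannot be forgotten after the test."""
    pairs = []
    for acl, d, ifc in parse_access_groups(show_run):
        if ifc == interface and d == direction:
            binding = f"access-group {acl} {d} interface {ifc}"
            pairs.append((f"no {binding}", binding))
    return pairs


def summarize_denies(syslog: str):
    """Count %ASA-4-106023 ACL denies keyed by (acl, dst, dport).
    Drops by an inspection engine (e.g. the DNS length limit) are logged
    under other message IDs, so no 106023 hits while the site still fails
    is evidence against the ACL being the cause."""
    counts = Counter()
    for m in DENY_RE.finditer(syslog):
        counts[(m["acl"], m["dst"], int(m["dport"]))] += 1
    return counts


if __name__ == "__main__":
    for off, on in toggle_commands(SAMPLE_SHOW_RUN):
        print(f"conf t\n {off}\n! test the site now, then restore:\n {on}")
    for (acl, dst, dport), n in summarize_denies(SAMPLE_SYSLOG).most_common():
        print(f"{n:4d}  {acl:<20} {dst}:{dport}")
```

Paste the real "show run access-group" output and a scrubbed copy of the log into the two strings (or read them from files) before running it against a customer firewall; the public IPs in the sample are documentation ranges.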
It still didn't work with the change. I also found that it's not working behind an ASA5508, so I am now in agreement with you that it's not the ASA. I tried changing the DNS forwarder (from Google to the local ISP), but that didn't solve it either. I will try to contact the website to get their assistance now that I'm certain it's not the ASA. Thanks for your help isolating it.

fisher_king (Author) commented:
See my last comment.