ASA 55210 return traffic is not received on inside interface

Unanswered Question
Jan 18th, 2010

Hi All,

I have two ASA 55210 where one ASA is working fine, while the second ASA has a similar configuration to ASA 1 but we have a problem in reverse traffic.



My TCP connection is established from the inside interface to the outside interface; the traffic goes out of the outside interface and reaches the destination servers and application services. The return traffic is coming back to the ASA firewall on the outside interface and gets executed in IOS, but it's not completing a full TCP connection. My inside interface is not getting any reverse traffic to the source IP which initiated the session, so no application is working from this firewall.


For example: the AT&T MTS application, which initiates traffic from the inside interface, reaches the destination server and corresponding application services, while the return traffic comes back to my firewall's outside interface and is allowed inside IOS, but we can't see any TCP session get completed from the source which initiated the traffic.


Troubleshooting done:
1) Permitted IP ANY ANY on both inside and outside interfaces, but same response.
2) The IOS running on ASA 1 and ASA 2 is the same IOS; the IOS was also copied from ASA 1 to ASA 2, but no change.


Help me on this.

The inside interface of my firewall is not receiving any return traffic for whichever session was initiated from the same interface.

vilaxmi Mon, 01/18/2010 - 20:11

Hello,


By default, traffic from a higher security-level interface is allowed to go to a lower security-level interface, and taking into account the firewall's stateful nature, the ASA remembers the connection (initiated from the higher security-level interface) and allows the return traffic automatically. So, if in your case it is not happening, then we may need to look at the config and the logs occurring at the time of the issue.


"I have two ASA 55210 where one ASA is working fine, while the second ASA has a similar configuration to ASA 1 but we have a problem in reverse traffic."

As far as your setup is concerned, it seems like you have two firewalls set up in an HA pair. Can you please let us know if the firewall is in active/active or active/standby mode? If the ASAs are in A/S mode then ONLY one ASA is active at a time, and return traffic will be allowed only via the active ASA unit.

So, you will not be able to see the return traffic on standby ASA.


Now, if your TWO ASAs in question are just configured alike and not in an HA pair, then please paste the running-config (mark the interface where the traffic originates) and show version of each box, along with logs from the problem ASA.


Also, is the topology behind each box the same as well ?


Thanks


Vijaya
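The stateful behaviour described in the reply above, as an added illustrative model written for this page (Python, not Cisco ASA code): the first packet from the higher security-level interface creates a flow, the reply is matched to that flow in the reverse direction without any policy check, and an unsolicited packet arriving on the lower security-level interface matches no flow and is dropped. The two interface names with their default security levels, the absence of NAT, and the outside addresses (198.51.100.10 and 203.0.113.5 are constructed) are assumptions; 10.77.148.66 is the inside host from the later log lines.

```python
# Added illustrative model of ASA stateful connection handling; not Cisco code.
# Assumptions: two interfaces with default security levels, TCP/UDP only, no NAT.
from dataclasses import dataclass

SECURITY_LEVEL = {"inside": 100, "outside": 0}   # ASA defaults for these names


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(pkt):
    """Direction-independent 5-tuple so the reply maps to the initiating flow."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


class StatefulFirewall:
    def __init__(self):
        self.flows = {}   # flow_key -> interface that initiated the flow

    def process(self, pkt):
        """Mimics packet-tracer's FLOW-LOOKUP step: existing flows bypass policy."""
        key = flow_key(pkt)
        if key in self.flows:
            return "allow (existing flow)"
        # New flow: the default (no ACL) policy permits only higher -> lower level.
        egress = "outside" if pkt.ingress == "inside" else "inside"
        if SECURITY_LEVEL[pkt.ingress] > SECURITY_LEVEL[egress]:
            self.flows[key] = pkt.ingress
            return "allow (new flow)"
        return "drop (no flow, lower -> higher denied by default)"


def demo():
    """Three constructed packets: SYN from inside, its SYN/ACK, an unsolicited outside SYN."""
    fw = StatefulFirewall()
    server = "198.51.100.10"     # constructed stand-in for the outside server
    client = "10.77.148.66"      # the inside host seen in the thread's logs
    syn = Packet("inside", "tcp", client, 1142, server, 443)
    synack = Packet("outside", "tcp", server, 443, client, 1142)
    unsolicited = Packet("outside", "tcp", "203.0.113.5", 40000, client, 443)
    return [fw.process(p) for p in (syn, synack, unsolicited)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the model is the order of operations: the flow table is consulted before any access-list, which is why a connection initiated from inside never needs an inbound ACL entry on the outside interface for its replies, and why a missing reply on the inside interface points at the outbound ACL, routing or NAT rather than at return-path filtering.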

SANTHOSHKUMAR S... Mon, 01/18/2010 - 20:35

Hi Vijaya ,

Thanks for your reply. There is no active and standby design in my network; my two firewalls are working in active mode alone. I have tested my firewall by connecting a laptop directly to the inside interface of the ASA and tried executing the application (e.g. AT&T MTS); it doesn't work. I have run the capture command also, and it clearly shows traffic on the inside interface and return traffic for the TCP connection on the outside interface.


Ping from the IOS of the firewall to the destination server is successful.


Similarly, the outside interface is receiving both inbound and outbound traffic. My inside interface is not receiving any return traffic for sessions initiated from the inside segment.


Kindly looking for your comments. Thank you.

vilaxmi Mon, 01/18/2010 - 21:25

Hello,


Can you please point out what kind of application on the OUTSIDE SERVER you are trying to access from the users behind the ASA? What ports does it use?


Because, let's say, if the application running on the outside server needs to open secondary channels to work properly, then we may need to turn ON inspects for the inbound connection to be allowed. For example, let's say the outside box is an FTP server and a client on your internal LAN wants to upload a file. After the initial control channel is established, the FTP server will open a data channel from port 20 (active FTP), and to make the ASA remember that the connection TO THE server was initiated from an inside HOST, we will need INSPECT FTP turned "ON" on the ASA.


Also, could you please attach the binary captures for analysis?


HTH


Vijaya

SANTHOSHKUMAR S... Tue, 01/19/2010 - 06:57

Hi Vijaya,

I am trying to connect to the MTS application by connecting the inside interface of the firewall directly to a laptop, for service port 443. Kindly find the error log:



Jan 17 2010 17:30:09: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1142 dst outside:125.18.17.x/443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:30:10: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1142 dst outside:125.18.17.x/443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:30:10: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1142 dst outside:125.18.17.x/443 by access-group "outbound" [0x0, 0x0]

Jan 17 2010 17:31:15: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1152 dst outside:122.248.161.x/443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:31:15: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1152 dst outside:122.248.161.x/443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:31:15: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1152 dst outside:122.248.161.x/443 by access-group "outbound" [0x0, 0x0]


Similarly, you can also find the IP inspect command in my configuration. Do you also mean the IP inspect command has to be turned on for all services initiated from the firewall? Kindly help me on this.

SANTHOSHKUMAR S... Wed, 01/20/2010 - 05:27

Hi Viji,

I have given same-security-traffic permit intra-interface, whereby I have got some good results. Along with this command I have given an explicit permit ip any any on the interface; only then does it work.


If I remove the permit ip any any command, allowing only limited access to services, I am not getting connected to the services. Kindly find the binaries:


packet-tracer input inside rawip 10.77.148.66 80 10.7$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.77.148.64    255.255.255.248 inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound in interface inside
access-list outbound extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 247, packet dispatched to next module

Phase: 7
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.77.148.41 using egress ifc outside
adjacency Active
next-hop mac address 0026.ca1b.65c2 hits 25

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow




If I remove permit ip any any and keep only the access list for the limited resources:



packet-tracer input inside rawip 10.77.148.66 80 10.7$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.77.148.64    255.255.255.248 inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outbound in interface inside
access-list outbound extended deny ip any any log
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


where my ACL is:


access-list outbound extended permit tcp host 10.77.148.66 host 10.77.148.41 eq
access-list outbound extended permit tcp object-group QUADRA object-group CA_Cert eq 709
access-list outbound extended permit tcp object-group QUADRA object-group Focus eq www
access-list outbound extended permit tcp object-group QUADRA object-group RIG_Boxes eq www
access-list outbound extended permit tcp object-group QUADRA object-group RIG_Boxes eq 5080
access-list outbound extended permit udp object-group QUADRA object-group RIG_Boxes eq 5081
access-list outbound extended permit tcp object-group QUADRA object-group SIG_Boxes eq https
access-list outbound extended permit tcp object-group QUADRA object-group SIG_Boxes eq www
access-list outbound extended permit udp object-group QUADRA object-group SIG_Boxes eq isakmp
access-list outbound extended permit udp object-group QUADRA object-group SIG_Boxes eq 50
access-list outbound extended permit udp object-group QUADRA object-group SIG_Boxes eq 51
access-list outbound extended permit udp object-group QUADRA object-group SIG_Boxes eq 4500


Help on this is highly appreciated.
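Tying the %ASA-4-106023 deny logs posted earlier to the "outbound" access-list in this last post, an added example written for this page (Python; not Cisco code and not the poster's configuration): it parses the ACL lines as posted and runs the logged 5-tuples through them the way packet-tracer's ACCESS-LIST phase does, first match wins with an implicit deny at the end. The thread never shows the contents of the object groups, so the membership of QUADRA, RIG_Boxes and SIG_Boxes below is assumed, the truncated first ACE and the udp entries are left out, and the redacted "x" octets in the log lines are replaced with constructed values.

```python
# Added example: ASA-style ACL evaluation against the thread's 106023 deny logs.
# Not Cisco code and not the poster's configuration; object-group contents assumed.
import ipaddress
import re

PORT_NAMES = {"www": 80, "https": 443, "isakmp": 500}

# ASSUMED object-group membership (only the group names appear in the thread).
OBJECT_GROUPS = {
    "QUADRA": ["10.77.148.64/29"],      # contains the inside host 10.77.148.66
    "RIG_Boxes": ["192.0.2.0/24"],
    "SIG_Boxes": ["203.0.113.0/24"],
}

# ACEs copied from the thread (the truncated first line and the udp entries omitted).
ACL_TEXT = """
access-list outbound extended permit tcp object-group QUADRA object-group RIG_Boxes eq www
access-list outbound extended permit tcp object-group QUADRA object-group RIG_Boxes eq 5080
access-list outbound extended permit tcp object-group QUADRA object-group SIG_Boxes eq https
access-list outbound extended permit tcp object-group QUADRA object-group SIG_Boxes eq www
"""

# Constructed log lines modelled on the thread's; redacted 'x' octets replaced by assumed values.
LOG_TEXT = """
Jan 17 2010 17:30:09: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1142 dst outside:125.18.17.10/443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:31:15: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1152 dst outside:122.248.161.20/443 by access-group "outbound" [0x0, 0x0]
"""

LOG_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def _address_spec(tokens, groups):
    """Consume 'any', 'host A.B.C.D' or 'object-group NAME' and return its networks."""
    tok = next(tokens)
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if tok == "host":
        return [ipaddress.ip_network(next(tokens) + "/32")]
    if tok == "object-group":
        return [ipaddress.ip_network(n) for n in groups[next(tokens)]]
    raise ValueError(f"unsupported address spec: {tok}")


def parse_acl(text, groups=OBJECT_GROUPS):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = iter(line.split())
        next(tokens), next(tokens), next(tokens)     # access-list, NAME, extended
        action, proto = next(tokens), next(tokens)
        src, dst = _address_spec(tokens, groups), _address_spec(tokens, groups)
        rest = list(tokens)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append((line, action, proto, src, dst, port))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First matching ACE wins; no match is the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, action, aproto, srcs, dsts, port in aces:
        if aproto not in (proto, "ip"):
            continue
        if not any(s in n for n in srcs) or not any(d in n for n in dsts):
            continue
        if port is not None and port != dport:
            continue
        return action, line
    return "deny", "implicit deny at end of access-list"


def parse_logs(text):
    """Extract (proto, src, dst, dport) from each %ASA-4-106023 line."""
    flows = []
    for line in text.strip().splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows


def check_logged_flows(groups=OBJECT_GROUPS):
    """Re-run every logged deny through the ACL; returns (action, matched line) per flow."""
    aces = parse_acl(ACL_TEXT, groups)
    return [evaluate(aces, *flow) for flow in parse_logs(LOG_TEXT)]


def with_destination_added(dst_cidr, group="SIG_Boxes"):
    """Narrow fix: add the denied destination to the group the https ACE already references."""
    groups = {name: list(nets) for name, nets in OBJECT_GROUPS.items()}
    groups[group].append(dst_cidr)
    return check_logged_flows(groups)


if __name__ == "__main__":
    for action, why in check_logged_flows():
        print("as posted:", action, "<-", why)
    for action, why in with_destination_added("125.18.17.10/32"):
        print("after fix:", action, "<-", why)
```

With the ACL as posted, both logged flows fall through every ACE to the implicit deny, which is exactly what the 106023 messages report; adding the 443 destination to the object group referenced by the existing `eq https` entry turns that one flow into a permit while leaving the other denied, whereas `permit ip any any` removes the outbound policy altogether. On a real ASA, test a TCP flow with `packet-tracer input inside tcp 10.77.148.66 1142 <destination> 443`; the `rawip` form used in the post takes an IP protocol number, so `rawip ... 80 ...` traces protocol 80, not TCP port 80.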
