01-18-2010 07:16 PM - edited 03-11-2019 09:58 AM
Hi All,
I have two ASA 55210 where one ASA is working fine, while the second ASA has a similar configuration to ASA 1, but we have a problem with reverse traffic.
My TCP connection is established from the inside interface to the outside interface. The traffic goes out of the outside interface and reaches the destination servers and application services; the return traffic comes back to the ASA firewall on the outside interface and gets executed in IOS, but it is not completing a full TCP connection. My inside interface is not getting any reverse traffic to the source IP which initiated the session, so no application is working from this firewall.
For example: the AT&T MTS application, which initiates traffic from the inside interface, reaches the destination server and the corresponding application services, while the return traffic comes back to my firewall's outside interface and is allowed inside IOS, but we can't see any TCP session get completed from the source which initiated the traffic.
Troubleshooting done: 1) Permitted IP ANY ANY on both the inside and outside interfaces, but same response.
2) The IOS running on ASA 1 and ASA 2 is the same IOS; the IOS was also copied from ASA 1 to ASA 2, but no change.
Help me on this.
My inside interface of my firewall is not receiving any return traffic for whichever session was initiated from that same interface.
01-18-2010 08:11 PM
Hello,
By default, traffic from a higher security-level interface is allowed to go to a lower security-level interface, and taking into account the firewall's stateful nature, the ASA remembers the connection (initiated from a higher security-level interface) and allows return traffic automatically. So, if in your case it is not happening, then we may need to look at the config and the logs occurring at the time of the issue.
I have two ASA 55210 where one ASA is working fine, while the second ASA has a similar configuration to ASA 1, but we have a problem with reverse traffic.
As far as your setup is concerned, it seems like you have two firewalls set up in an HA pair. Can you please let us know if the firewall is in active/active or active/standby mode? If the ASAs are in A/S mode then ONLY one ASA is active at a time and return traffic will be allowed only via the active ASA unit.
So, you will not be able to see the return traffic on the standby ASA.
Now, if your TWO ASAs in question are just configured alike and not in an HA pair, then please paste the running-config (mark the ifc where traffic generates) and show version of each box, along with logs from the problem ASA.
Also, is the topology behind each box the same as well?
Thanks
Vijaya
01-18-2010 08:35 PM
Hi Vijaya ,
Thanks for your reply. There is no Active and Standby design in my network; my two firewalls are working in active mode alone. I have tested my firewall by connecting a laptop directly to the inside interface of the ASA. I have tried executing an application, for example AT&T MTS, and it doesn't work. I have done the capture command also; it shows clearly traffic on the inside interface and return traffic for the TCP connection on the outside interface.
Ping from the IOS of the firewall to the destination server is successful.
Similarly, the outside interface is receiving both inbound and outbound traffic. My inside interface is not receiving any return traffic for sessions initiated from the inside segment.
Kindly looking for your comments. Thank you.
01-18-2010 09:25 PM
Hello,
Can you please point out what kind of application on the OUTSIDE SERVER you are trying to access from users behind the ASA? What ports does it use?
Because, let's say, if the application running on the outside server needs to open secondary channels to work properly, then we may need to turn ON inspects for the inbound connection to be allowed. For example, let's say the outside box is an FTP server and a client on your internal LAN wants to upload a file. After the initial control channel communication is established, the FTP server will open a data channel on port 20 (active FTP), and to make the ASA remember that the connection TO THE server was initiated from an inside HOST, we will need INSPECT FTP turned "ON" on the ASA.
Also, could you please attach the binary captures for analysis?
HTH
Vijaya
01-19-2010 06:57 AM
Hi Vijaya,
I am trying to connect to the MTS application by connecting the inside interface of the firewall directly to a laptop, for service port 443. Kindly find the error log:
Jan 17 2010 17:30:09: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1142 dst outside:125.18.17.x443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:30:10: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1142 dst outside:125.18.17.x/443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:30:10: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1142 dst outside:125.18.17.x/443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:31:15: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1152 dst outside:122.248.161.x/443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:31:15: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1152 dst outside:122.248.161.x/443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:31:15: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1152 dst outside:122.248.161.x/443 by access-group "outbound" [0x0, 0x0]
Similarly, you can also find the IP inspect command in my configuration. Do you also mean the IP inspect command needs to be turned on for all services which are initiated from the firewall? Kindly help me on this.
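The denies quoted above can be checked mechanically. As an added example that is not part of this thread, the following Python parses %ASA-4-106023 lines, sets aside any that do not fit the documented format (the first quoted line is missing the "/" before the port), tallies the denied flows, and renders the narrowest permit ACE for each; the sample log is constructed in the shape of the lines above and the ACE output is a template to review, not the author's configuration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the %ASA-4-106023 lines posted above; the first line
# deliberately lacks the "/" before the destination port, as one of the posted lines does.
SAMPLE_LOG = """\
Jan 17 2010 17:30:09: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1142 dst outside:125.18.17.x443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:30:10: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1142 dst outside:125.18.17.x/443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:31:15: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1152 dst outside:122.248.161.x/443 by access-group "outbound" [0x0, 0x0]
Jan 17 2010 17:31:15: %ASA-4-106023: Deny tcp src inside:10.77.148.66/1152 dst outside:122.248.161.x/443 by access-group "outbound" [0x0, 0x0]
"""

# 106023 is logged when an ACL bound with access-group denies a packet. Here the ACL is the one
# applied "in" on the inside interface, so the initial SYN from the inside host is dropped;
# no connection state is created, and the "missing return traffic" follows from that.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_ifc>[\w-]+):(?P<src>[^\s/]+)/(?P<sport>\d+) '
    r'dst (?P<dst_ifc>[\w-]+):(?P<dst>[^\s/]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(text):
    """Return (parsed 106023 records, lines that mention 106023 but do not match the format)."""
    records, malformed = [], []
    for line in text.splitlines():
        if "106023" not in line:
            continue
        m = DENY_RE.search(line)
        if m:
            records.append(m.groupdict())
        else:
            malformed.append(line)
    return records, malformed


def summarize(records):
    """Count denied flows by ACL, interfaces, protocol and destination, ignoring the ephemeral source port."""
    return Counter((r["acl"], r["src_ifc"], r["dst_ifc"], r["proto"], r["dst"], r["dport"]) for r in records)


def suggested_ace(r):
    """Narrowest ACE that would permit one denied flow: a starting point for the interface ACL
    once "permit ip any any" is removed. Review each line against policy before applying."""
    return f'access-list {r["acl"]} extended permit {r["proto"]} host {r["src"]} host {r["dst"]} eq {r["dport"]}'
```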
01-20-2010 05:27 AM
Hi Viji,
I have given same-security-traffic permit intra-interface, whereby I have got some good results. Along with this command I have given an explicit permit ip any any on the interface, and only then does it work.
If I remove the permit ip any any command, allowing only some limited access to services, then I am not getting connected to the services. Kindly find the binaries:
packet-tracer input inside rawip 10.77.148.66 80 10.7$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.77.148.64 255.255.255.248 inside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound in interface inside
access-list outbound extended permit ip any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 247, packet dispatched to next module
Phase: 7
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.77.148.41 using egress ifc outside
adjacency Active
next-hop mac address 0026.ca1b.65c2 hits 25
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
If I remove permit ip any any, I have an access list for limited resources...
packet-tracer input inside rawip 10.77.148.66 80 10.7$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.77.148.64 255.255.255.248 inside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outbound in interface inside
access-list outbound extended deny ip any any log
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Here is my ACL:
access-list outbound extended permit tcp host 10.77.148.66 host 10.77.148.41 eq
access-list outbound extended permit tcp object-group QUADRA object-group CA_Cert eq 709
access-list outbound extended permit tcp object-group QUADRA object-group Focus eq www
access-list outbound extended permit tcp object-group QUADRA object-group RIG_Boxes eq www
access-list outbound extended permit tcp object-group QUADRA object-group RIG_Boxes eq 5080
access-list outbound extended permit udp object-group QUADRA object-group RIG_Boxes eq 5081
access-list outbound extended permit tcp object-group QUADRA object-group SIG_Boxes eq https
access-list outbound extended permit tcp object-group QUADRA object-group SIG_Boxes eq www
access-list outbound extended permit udp object-group QUADRA object-group SIG_Boxes eq isakmp
access-list outbound extended permit udp object-group QUADRA object-group SIG_Boxes eq 50
access-list outbound extended permit udp object-group QUADRA object-group SIG_Boxes eq 51
access-list outbound extended permit udp object-group QUADRA object-group SIG_Boxes eq 4500
Help on this is highly appreciated.
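To compare the two packet-tracer runs posted above, here is an added Python parser (not from this thread) that splits the output into phases and reports the first phase that did not return ALLOW, together with its Config lines and the final Drop-reason; the sample is a constructed abridgement of the second trace, and the command echo on its first line is constructed as well.

```python
# Constructed abridgement of the second packet-tracer run above (phases 2 and 3 omitted).
SAMPLE_TRACE = """\
packet-tracer input inside tcp 10.77.148.66 1142 125.18.17.x 443
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outbound in interface inside
access-list outbound extended deny ip any any log
Additional Information:
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final summary block."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        key, _, val = line.partition(":")
        val = val.strip()
        if not line:
            continue
        if key == "Phase":
            cur = {"phase": int(val), "type": "", "subtype": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":          # a bare "Result:" opens the final summary block
            cur, section = None, "final"
        elif section == "final":
            final[key] = val             # e.g. "Action" -> "drop", "Drop-reason" -> "(acl-drop) ..."
        elif cur is None:
            continue                     # command echo or other text before the first phase
        elif key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val
            section = None
        elif key in ("Config", "Additional Information"):
            section = "config" if key == "Config" else "info"
        elif section:
            cur[section].append(line)    # free-form lines under Config: / Additional Information:
    return phases, final


def first_drop(phases, final):
    """(phase number, type, config lines, drop reason) for the first non-ALLOW phase, or None."""
    for p in phases:
        if p["result"] != "ALLOW":
            return p["phase"], p["type"], p["config"], final.get("Drop-reason", "")
    return None
```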