Problem with one website through ASA

Answered Question
Apr 10th, 2010
User Badges:
  • Green, 3000 points or more

Hi All!


I posted this thread before, but here it goes again because the problem is different now.

I just can't figure it out.


We have a new ISP.

They provided us with a new public IP range.


If I connect a computer directly to the router and give my computer the IP 201.193.188.114, I can open www.me.com

If I connect the same machine behind the ASA 5550 running 8.2(2), and assign my machine the same IP 201.193.188.114, the page cannot be displayed. (NATed through the ASA)

This happens always, all the times.

If I try different IPs bypassing the ASA it works, trying the same IPs behind the ASA it does not work.


There's no HTTP inspection enabled.

There's no ACL blocking the traffic.


I did a capture and it shows traffic going out, but never coming back to the ASA?!

How could this be?

If in the same minute, I disconnect the ASA and plug my computer it works!


The Packet Tracer shows the flow of the connection should be permitted by every process.

The sh asp drops are just too excessive to see exactly which one increments each time I attempt to access the page.


Definitely, the ASA is causing the problem here (I have a lot of experience with the ASA and I'm lost, please help me out!)


Thank you!


Federico.

Correct Answer
Jennifer Halim Sat, 04/10/2010 - 04:44
User Badges:
  • Cisco Employee,

Yes, clear the arp on the router/reload the router after you NAT it on the ASA. It will work just fine after.

Kureli Sankar Sat, 04/10/2010 - 16:31
User Badges:
  • Cisco Employee,

When you say you are natting the computer through the ASA to the same IP address are you using nat/global or static 1-1? Not that it matters.


sh xlate debug | i x.x.x.x

shows that it is getting translated to the correct IP that you expect?


Once you configure the translation the firewall will proxy arp for that IP address, so the router upstream should update the MAC address even if it had the PC's MAC from when it was outside.


On the outside router, issue a "sh arp | i x.x.x.x" and see what mac address it shows, whether the ASA's outside MAC or the PC's MAC from when it was outside. If you see the PC's MAC then issue clear arp like halijenn said.


Refer to this document that I put together based on your previous thread regarding being unable to load certain websites.

https://supportforums.cisco.com/docs/DOC-8982


-KS

Federico Coto F... Sun, 04/11/2010 - 16:03
User Badges:
  • Green, 3000 points or more

Thanks, but I did the clear arp and rebooting, and the problem persists.

I don't see how this would be an arp problem since I can get to any web page, but the one I'm having problems with.


The sh xlate shows the translation taking place correctly. (either using dynamic or static nat).

I went to whatismyip.com and I get translated to the same address (when going through the ASA or when bypassing the ASA).


The only thing I can think of is the TCP MSS, which I decreased, but same results.


I don't understand why the captures through the ASA never show return traffic.

The moment I clear the arp, reload the router, and try with the laptop using the same IP, everything works without a problem.


There are so many increments in the asp drop table that I can't really tell which entry increments when the problem happens.


I have followed the document, and everything that you mentioned there is already checked.


Not sure where to go from here....


Federico.

silverfoxx Mon, 04/12/2010 - 01:38
User Badges:

Hi Federico,


Could you please explain, so I can understand it clearly.


1. You said when you connect your computer directly to the router with IP 201.193.188.114 you can open the website, but if you connect the same computer behind the ASA 5520 using the same IP the page cannot be displayed.


Should I consider that you had put one router connected to the ISP doing NAT for inside traffic using a public IP range supplied by your ISP, and you have one ASA connected to the same ISP doing NAT for inside traffic using the same public IP range, and you are shifting your computer from router to ASA using the same IP, or what?


2. Or do you have a router which is internet facing and the ASA behind this router, which is then connected to your inside LAN and doing NAT for traffic going outside? Then how are the IPs configured between router and firewall, and where is NAT configured?



3. You can try Packet-Tracer on the ASA to check what happens to the packet once it reaches inside using ASDM or CLI


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml


http://www.cisco-secure.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1913020

Kureli Sankar Mon, 04/12/2010 - 13:15
User Badges:
  • Cisco Employee,

When you apply captures you see the SYN leave the outside interface destined to me.com, but the SYN ACK never arrives when the client is behind the ASA. Is this correct?


Honestly I don't think it is the ASA.


When you issue "sh cap cap_name detail", which mac address is the ASA sending the SYN to? And who owns this MAC? The router on the outside?


If this checks out then, is the router receiving the SYN ACK from me.com? If so what is it doing with the SYN ACK and not sending it to the firewall?


-KS

Federico Coto F... Tue, 04/13/2010 - 12:34
User Badges:
  • Green, 3000 points or more

Yes,


I can connect to the webpage if I give my computer the public IP directly (just directly connected to the ISP router).
If I connect the ASA and configure a dynamic/static NAT for that same IP to my computer, I can no longer connect.
Note that I only cannot connect to that page (everything else works, as far as we have tested).


The packet-tracer shows the connection should be fine.


When I do the captures on the ASA (both on the inside and outside interfaces), I see the SYN getting out but never a reply back.

The ASA is sending the SYN to the outside router.


Here is the weird thing... I don't see the SYN ACK getting back to the router either.


Federico.

silverfoxx Tue, 04/13/2010 - 13:07
User Badges:

Hi Federico,


So you have an internet-facing router in front of your ASA and you have configured the ASA with dynamic NAT on it.


In this scenario you will have the following on the ASA


ACL on Inside Interface allowing your computer IP (172.16.0.10) to any destination on port 80

global (outside) which IP you want your computer to become - e.g. a public IP provided by your ISP

nat (inside) the network the traffic is coming from, e.g. 172.16.0.0/16


That is it.


Now do you have any NAT / PAT configured on the router also (which is not likely from your statements) but even if you have, can you paste your configs, if you can that is.


Also while doing the NAT on your ASA try NATting your IP to some different IP (if your ISP has provided you a set of IPs, only then you would be able to do this). What I mean to say is that you don't NAT it to the same IP which you configured on your laptop while connected directly to your router and performing the test.


Which router is this?

Federico Coto F... Tue, 04/13/2010 - 13:12
User Badges:
  • Green, 3000 points or more

I've tried it with a 2811 and a 1841.


There's no NAT on this router.

The ISP gave us a WAN and a LAN range of public IPs, and I'm using the LAN range for NAT.


I've tried it with several different IPs from the LAN range with the same behavior.

I've tried several different NAT configurations on the ASA (dynamic NAT/static)


I don't see any changes in doing all of the above.


Federico.

Jennifer Halim Tue, 04/13/2010 - 16:26
User Badges:
  • Cisco Employee,

Please share the router and ASA config when it's not working. Especially the interface, routing, and translation configuration.

Correct Answer
silverfoxx Tue, 04/13/2010 - 22:08
User Badges:

Hi Federico,


So your router is simply forwarding all traffic to your FW outside interface connected to it and nothing else?


Why don't you remove the router and put your firewall directly on the internet and try it out by doing same NAT, I believe the problem is between router and firewall comms.


As said, please post your configs.

Correct Answer
Kureli Sankar Wed, 04/14/2010 - 12:24
User Badges:
  • Cisco Employee,

Federico,


Is it possible to stick a hub on the outside and run the ASA and the router into it?

Then use a laptop on the hub and gather wireshark captures, so we can see if me.com even sends a syn ack back to the syn sent from behind the firewall and, if so, what mac address the syn ack is being sent to?


Should be simple to do right?


-KS
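The hub-and-laptop capture suggested above answers two questions per connection: did a SYN ACK come back at all, and if it did, which MAC it was addressed to (the ASA's outside MAC, or a stale entry such as the PC's MAC from when it sat outside). The script below is an added example, not code from the thread or from Cisco: it parses constructed lines in the shape of `tcpdump -e -n` output, pairs each outbound SYN with its SYN ACK by address/port 4-tuple, and reports flows with no reply and flows whose reply went to a MAC other than the firewall's. The ASA MAC, the sample MACs and the 203.0.113.0/24 destinations are made up for the example; it generalizes the single me.com flow in the thread to any number of flows in one capture.

```python
import re
from collections import OrderedDict

# Hypothetical outside MAC of the ASA (assumed value for this example).
ASA_OUTSIDE_MAC = "00:1a:2b:3c:4d:5e"

# Constructed sample in the shape of `tcpdump -e -n` lines; not a real capture.
# Flow 1: SYN ACK returns but is addressed to a MAC that is not the ASA's
#         (the stale-ARP symptom discussed in the thread).
# Flow 2: SYN leaves, no SYN ACK ever comes back.
# Flow 3: healthy handshake, SYN ACK addressed to the ASA.
SAMPLE_CAPTURE = """\
00:00:01.000000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 201.193.188.114.50000 > 203.0.113.1.80: Flags [S], seq 1, win 8192
00:00:01.050000 00:0c:29:dd:ee:ff > 00:aa:aa:aa:aa:aa, ethertype IPv4 (0x0800), length 74: 203.0.113.1.80 > 201.193.188.114.50000: Flags [S.], seq 2, ack 2, win 5840
00:00:02.000000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 201.193.188.114.50001 > 203.0.113.2.80: Flags [S], seq 3, win 8192
00:00:03.000000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 201.193.188.114.50002 > 203.0.113.3.443: Flags [S], seq 4, win 8192
00:00:03.030000 00:0c:29:dd:ee:ff > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 74: 203.0.113.3.443 > 201.193.188.114.50002: Flags [S.], seq 5, ack 5, win 5840
"""

# Timestamp, source MAC, destination MAC, then the IPv4/TCP endpoints and flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?: "
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict of the fields of one capture line, or None if it is not a TCP line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def analyze(capture_text, asa_mac):
    """Pair outbound SYNs with SYN ACKs and classify each flow.

    Returns {"unanswered": [flow, ...], "misdirected": [(flow, dmac), ...]} where
    flow = (client_ip, client_port, server_ip, server_port). A flow is misdirected
    when its SYN ACK came back but was addressed to a MAC other than the ASA's.
    """
    syns = OrderedDict()  # flow -> destination MAC of its SYN ACK, or None
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":
            syns.setdefault((pkt["sip"], pkt["sport"], pkt["dip"], pkt["dport"]), None)
        elif pkt["flags"] == "S.":
            # The reply is keyed by the reversed 4-tuple of the SYN it answers.
            flow = (pkt["dip"], pkt["dport"], pkt["sip"], pkt["sport"])
            if flow in syns:
                syns[flow] = pkt["dmac"]
    unanswered = [f for f, mac in syns.items() if mac is None]
    misdirected = [(f, mac) for f, mac in syns.items()
                   if mac is not None and mac.lower() != asa_mac.lower()]
    return {"unanswered": unanswered, "misdirected": misdirected}


if __name__ == "__main__":
    result = analyze(SAMPLE_CAPTURE, ASA_OUTSIDE_MAC)
    for flow in result["unanswered"]:
        print("no SYN ACK for %s:%d -> %s:%d" % flow)
    for flow, mac in result["misdirected"]:
        print("SYN ACK for %s:%d -> %s:%d went to %s, not the ASA" % (flow + (mac,)))
```

Run it against a capture file with `tcpdump -e -n -r capture.pcap 'tcp[tcpflags] & (tcp-syn) != 0'` piped into `analyze()`; an empty "unanswered" list with "misdirected" entries points at a stale ARP entry on the upstream router, while unanswered flows (as in this thread) mean the reply never reached the hub segment at all and the problem sits further upstream.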

Federico Coto F... Wed, 04/14/2010 - 12:26
User Badges:
  • Green, 3000 points or more

Correct.

I'll try it and let you guys know.


Thank you.


Federico.

Federico Coto F... Sat, 04/17/2010 - 15:47
User Badges:
  • Green, 3000 points or more

Turns out to be an ISP issue.

When I tried to access the web page going through the ASA, I was getting out using the same public IP, but using the internal DNS.


When I connected my computer directly to the ISP, I was manually setting a public DNS (4.2.2.2).


Previously, the ISP was not helpful, but finally they told us that there was a problem with their routing.

Not sure what exactly they did and now it is working.


I noticed that using our internal DNS or using a public DNS was resolving a different IP for the web page, and the ISP routing was affecting it.


Thank you everybody for trying to help! This forum is great!


Federico.
