ASA 5510 Internal Routing Problem

peterhammerl (Level 1)

I am having a problem where my (newly set up) ASA 5510 is closing TCP connections for data routed to another router on my internal network. Here is a diagram of how it's set up:

[Image: Layout.jpg]

Here is my running conf on the ASA (some bits censored):

Result of the command: "show run"

: Saved
:
ASA Version 8.4(3)
!
hostname HPAFW01
domain-name SNIP
enable password SNIP
passwd SNIP
names
name 192.168.7.26 Spam_Firewall
name 192.168.12.0 xxxSt_VideoSec description xxx St Video/Security
name 192.168.8.0 Phone_System-network description Phone System
name 192.168.6.0 Inside-network description Main Network
name 192.168.11.0 EnduraSM-network description Endura System Manager
name 192.168.15.0 Data-network1 description Data1
name 192.168.13.0 Video-network1 description Video/Security1
name 192.168.16.0 Data-network2 description Data2
name 192.168.14.0 Video-network2 description Video/Security2
name 192.168.7.11 FTP_Server description FTP Server
name 192.168.7.17 Mail_Server
name 192.168.6.1 yyy description yyy
name 192.168.6.2 zzz description zzz
name 192.168.7.12 HPA02
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.7.20 255.255.254.0
!
interface Ethernet0/2
 nameif Phone_System
 security-level 100
 ip address 192.168.8.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name abc.ca
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network MainNetwork
 subnet 192.168.6.0 255.255.254.0
object network HPA02
 host 192.168.7.12
object network Phone_System-network
 subnet 192.168.8.0 255.255.255.0
 description Created during name migration
object network HPA01
 host 192.168.7.11
 description FTP Server
object network xxx
 host 192.168.6.1
 description xxx
object network HPA07
 host 192.168.7.17
 description Mail Server
object network Pelco_Endura-Network
 subnet 192.168.11.0 255.255.255.0
 description Endura System Manager
object network Data-Network1
 subnet 192.168.15.0 255.255.255.0
 description Data Network 1
object network Security-Network1
 subnet 192.168.13.0 255.255.255.0
 description Sec Network 1
object network Data-Network2
 subnet 192.168.16.0 255.255.255.0
 description Data Network 2
object network Security-Network2
 subnet 192.168.14.0 255.255.255.0
 description Sec Network 2
object network Cisco-Management-Network
 subnet 192.168.1.0 255.255.255.0
object network xxx
 host 192.168.6.2
 description xxx
object network SpamFirewall
 host 192.168.7.26
 description Barracuda Spam Firewall
object network HTTP
 host 192.168.7.26
object network msrdp
 host 192.168.6.5
object network HPA03
 host 192.168.7.13
object network Ping
 subnet 192.168.6.0 255.255.254.0
object network HTTP-In-HPA10
 host 192.168.6.4
object network NAT-HPA01-FTP-In
 host 192.168.7.11
object network NAT-HPA01-FTPData-In
 host 192.168.7.11
object service FTPData50000-50010
 service tcp source range 50000 50010 destination range 50000 50010
object network NAT-HPA03-PPTP-In
 host 192.168.7.13
object network NAT-HPA07-HTTPS-In
 host 192.168.7.17
object network NAT-Barracuda-SMTP-In
 host 192.168.7.26
object network NAT-HPA07-DrOfficeSMTP-In
 host 192.168.7.17
object network NAT-HPA07-HTTPSSPOWA-In
 host 192.168.7.17
object network NAT-HPA07-HTTPSIntranet-In
 host 192.168.7.17
object network NAT-HPA07-HTTPS2-In
 host 192.168.7.17
object network DrOffice
 host a.a.a.a
object network DrOffice2
 host b.b.b.b
object network HPA07-IP2
 host 192.168.7.37
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
object-group network DM_INLINE_NETWORK_1
 network-object object HPA_MainNetwork
 network-object object Pelco_Endura-Network
 network-object object Data-Network1
 network-object object Security-Network1
 network-object object Data-Network2
 network-object object Security-Network2
object-group network DM_INLINE_NETWORK_2
 network-object object xxx
 network-object object yyy
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 port-object eq 2252
 port-object eq 5685
object-group service DM_INLINE_TCP_2 tcp
 port-object range 50000 50010
 port-object eq 990
object-group network DM_INLINE_NETWORK_12
 network-object object DrOwsianik
 network-object object DrPray
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 8000
 port-object eq 8008
 port-object eq 8332
 port-object eq 8333
 port-object eq 8480
object-group network DM_INLINE_NETWORK_14
 network-object object HPA07
 network-object object HPA07-IP2
access-list Inside_access_in remark Allow DNS Out
access-list Inside_access_in extended permit object-group TCPUDP any any eq domain log disable
access-list Inside_access_in remark Allow HTTP Out
access-list Inside_access_in extended permit tcp any any eq www log disable
access-list Inside_access_in remark Allow HTTPS Out
access-list Inside_access_in extended permit tcp any any eq https log disable
access-list Inside_access_in remark Allow FTP Out
access-list Inside_access_in extended permit tcp any any eq ftp log disable
access-list Inside_access_in remark Allow SSH Out
access-list Inside_access_in extended permit tcp any any eq ssh log disable
access-list Inside_access_in remark Allow SMTP Out
access-list Inside_access_in extended permit tcp any any eq smtp log disable
access-list Inside_access_in remark Allow Whois Out
access-list Inside_access_in extended permit tcp any any eq whois log disable
access-list Inside_access_in remark Allow Port 81 Out
access-list Inside_access_in extended permit tcp any any eq 81 log disable
access-list Inside_access_in remark Allow POP3 out for xxx
access-list Inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq pop3 log disable
access-list Inside_access_in remark Allow Blackberry BES Out
access-list Inside_access_in extended permit tcp any any eq 3101 log disable
access-list Inside_access_in remark Allow MSRDP Out
access-list Inside_access_in extended permit tcp any any eq 3389 log disable
access-list Inside_access_in remark Allow Port 8000 Out
access-list Inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_3 log disable
access-list Inside_access_in remark Allow Interac Machines Out
access-list Inside_access_in extended permit tcp any any eq 8013 log disable
access-list Inside_access_in remark Allow Network Time Out
access-list Inside_access_in extended permit udp any any eq ntp log disable
access-list Inside_access_in remark Allow AIS Out
access-list Inside_access_in extended permit object-group TCPUDP any any object-group DM_INLINE_TCPUDP_1 log disable
access-list Inside_access_in remark Allow SFTP Out
access-list Inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_2 log disable
access-list Inside_access_in remark Allow Traceroute Out
access-list Inside_access_in extended permit icmp any any traceroute log disable
access-list Inside_access_in extended permit icmp any any echo log disable
access-list Inside_access_in extended permit udp any any eq time log disable
access-list Inside_access_in remark Allow Access to Phone System
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any log disable
:SNIPPED OUT FOR SECURITY
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Phone_System 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (any,Outside) source static NAT-HPA01-FTPData-In interface service FTPData50000-50010 FTPData50000-50010
!
object network HPA_MainNetwork
 nat (Inside,Outside) dynamic interface
object network NAT-HPA01-FTP-In
 nat (any,Outside) static interface service tcp ftp ftp
object network NAT-HPA03-PPTP-In
 nat (any,Outside) static interface service tcp pptp pptp
object network NAT-HPA07-HTTPS-In
 nat (any,Outside) static interface service tcp https https
object network NAT-Barracuda-SMTP-In
 nat (any,Outside) static interface service tcp smtp smtp
object network NAT-HPA07-DrOSMTP-In
 nat (any,any) static y.y.y.y service tcp smtp smtp
object network NAT-HPA07-HTTPSSPOWA-In
 nat (any,any) static y.y.y.y service tcp 444 444
object network NAT-HPA07-HTTPSIntranet-In
 nat (any,any) static y.y.y.y service tcp https https
object network NAT-HPA07-HTTPS2-In
 nat (any,any) static y.y.y.y service tcp www www
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group Phone_System_access_in in interface Phone_System
route Outside 0.0.0.0 0.0.0.0 z.z.z.z 10 :Routes to external Gateway
route Inside 192.168.9.0 255.255.255.0 192.168.7.29 1
route Inside EnduraSM-network 255.255.255.0 192.168.7.29 1
route Inside MainOffice_VideoSec 255.255.255.0 192.168.7.29 1
route Inside Video-network1 255.255.255.0 192.168.7.29 1
route Inside Video-network2 255.255.255.0 192.168.7.29 1
route Inside Data-network1 255.255.255.0 192.168.7.29 1
route Inside Data-network2 255.255.255.0 192.168.7.29 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http Inside-network 255.255.254.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
telnet Inside-network 255.255.254.0 Inside
telnet timeout 5
ssh Inside-network 255.255.254.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 132.246.11.227 source Outside prefer
webvpn
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class global-class
  csc fail-open
!
service-policy global_policy global
prompt hostname context
: end

The router/switch at 192.168.7.29 (it's an HP) has its default route set to the ASA and knows about all the networks connected to it.

The problem I am having is this: let's say I am sitting on my 192.168.6.0/23 network and want to send some data to (or receive it from) the 192.168.12.0/24 network. Packets not requiring the 3-step handshake work perfectly (e.g., I can ping the 12.0/24 network and get a reply, no problem). Any HTTP or other TCP connection gets immediately built and dropped by the ASA. Here is an excerpt of the log (from last night):

6|Jan 23 2012|18:20:09|302015|HPA02|53|192.168.12.10|64374|Built inbound UDP connection 27987 for Inside:HPA02/53 (HPA02/53) to Inside:192.168.12.10/64374 (192.168.12.10/64374)
6|Jan 23 2012|18:20:09|302015|FTP_Server|53|192.168.12.10|64374|Built inbound UDP connection 27986 for Inside:FTP_Server/53 (FTP_Server/53) to Inside:192.168.12.10/64374 (192.168.12.10/64374)
6|Jan 23 2012|18:20:09|302016|HPA02|53|192.168.12.10|62344|Teardown UDP connection 27984 for Inside:HPA02/53 to Inside:192.168.12.10/62344 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:09|302016|FTP_Server|53|192.168.12.10|62344|Teardown UDP connection 27983 for Inside:FTP_Server/53 to Inside:192.168.12.10/62344 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:09|302016|HPA02|53|192.168.13.178|55282|Teardown UDP connection 27980 for Inside:HPA02/53 to Inside:192.168.13.178/55282 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:09|302016|FTP_Server|53|192.168.13.178|55282|Teardown UDP connection 27979 for Inside:FTP_Server/53 to Inside:192.168.13.178/55282 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:09|302016|HPA02|53|192.168.13.10|57948|Teardown UDP connection 27978 for Inside:HPA02/53 to Inside:192.168.13.10/57948 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:09|302016|FTP_Server|53|192.168.13.10|57948|Teardown UDP connection 27977 for Inside:FTP_Server/53 to Inside:192.168.13.10/57948 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:08|106015|192.168.13.104|1720|192.168.8.1|61444|Deny TCP (no connection) from 192.168.13.104/1720 to 192.168.8.1/61444 flags ACK  on interface Inside
6|Jan 23 2012|18:20:08|302015|HPA02|53|192.168.12.10|62344|Built inbound UDP connection 27984 for Inside:HPA02/53 (HPA02/53) to Inside:192.168.12.10/62344 (192.168.12.10/62344)
6|Jan 23 2012|18:20:08|302015|FTP_Server|53|192.168.12.10|62344|Built inbound UDP connection 27983 for Inside:FTP_Server/53 (FTP_Server/53) to Inside:192.168.12.10/62344 (192.168.12.10/62344)
6|Jan 23 2012|18:20:08|302014|192.168.7.16|56861|192.168.14.203|3001|Teardown TCP connection 27773 for Inside:192.168.7.16/56861 to Inside:192.168.14.203/3001 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 23 2012|18:20:08|302013|192.168.7.16|57187|192.168.14.203|3001|Built inbound TCP connection 27982 for Inside:192.168.7.16/57187 (192.168.7.16/57187) to Inside:192.168.14.203/3001 (192.168.14.203/3001)
6|Jan 23 2012|18:20:08|106015|192.168.13.104|1720|192.168.8.1|61440|Deny TCP (no connection) from 192.168.13.104/1720 to 192.168.8.1/61440 flags ACK  on interface Inside
6|Jan 23 2012|18:20:08|302015|HPA02|53|192.168.13.178|55282|Built inbound UDP connection 27980 for Inside:HPA02/53 (HPA02/53) to Inside:192.168.13.178/55282 (192.168.13.178/55282)
6|Jan 23 2012|18:20:08|302015|FTP_Server|53|192.168.13.178|55282|Built inbound UDP connection 27979 for Inside:FTP_Server/53 (FTP_Server/53) to Inside:192.168.13.178/55282 (192.168.13.178/55282)
6|Jan 23 2012|18:20:08|302015|HPA02|53|192.168.13.10|57948|Built inbound UDP connection 27978 for Inside:HPA02/53 (HPA02/53) to Inside:192.168.13.10/57948 (192.168.13.10/57948)
6|Jan 23 2012|18:20:08|302015|FTP_Server|53|192.168.13.10|57948|Built inbound UDP connection 27977 for Inside:FTP_Server/53 (FTP_Server/53) to Inside:192.168.13.10/57948 (192.168.13.10/57948)
6|Jan 23 2012|18:20:08|302014|192.168.7.16|56860|192.168.13.207|3001|Teardown TCP connection 27765 for Inside:192.168.7.16/56860 to Inside:192.168.13.207/3001 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 23 2012|18:20:08|302013|192.168.7.16|57186|192.168.13.207|3001|Built inbound TCP connection 27976 for Inside:192.168.7.16/57186 (192.168.7.16/57186) to Inside:192.168.13.207/3001 (192.168.13.207/3001)
6|Jan 23 2012|18:20:08|302016|HPA02|53|192.168.12.10|64374|Teardown UDP connection 27972 for Inside:HPA02/53 to Inside:192.168.12.10/64374 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:07|302014|192.168.7.16|56859|192.168.13.206|3001|Teardown TCP connection 27761 for Inside:192.168.7.16/56859 to Inside:192.168.13.206/3001 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 23 2012|18:20:07|302013|192.168.7.16|57179|192.168.13.206|3001|Built inbound TCP connection 27975 for Inside:192.168.7.16/57179 (192.168.7.16/57179) to Inside:192.168.13.206/3001 (192.168.13.206/3001)
6|Jan 23 2012|18:20:07|302013|192.168.7.16|57178|192.168.13.208|3001|Built inbound TCP connection 27974 for Inside:192.168.7.16/57178 (192.168.7.16/57178) to Inside:192.168.13.208/3001 (192.168.13.208/3001)
6|Jan 23 2012|18:20:07|302014|192.168.7.16|56858|192.168.14.204|3001|Teardown TCP connection 27758 for Inside:192.168.7.16/56858 to Inside:192.168.14.204/3001 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 23 2012|18:20:07|302013|192.168.7.16|57177|192.168.14.204|3001|Built inbound TCP connection 27973 for Inside:192.168.7.16/57177 (192.168.7.16/57177) to Inside:192.168.14.204/3001 (192.168.14.204/3001)
6|Jan 23 2012|18:20:07|302015|HPA02|53|192.168.12.10|64374|Built inbound UDP connection 27972 for Inside:HPA02/53 (HPA02/53) to Inside:192.168.12.10/64374 (192.168.12.10/64374)
6|Jan 23 2012|18:20:07|302016|HPA02|53|192.168.12.10|62344|Teardown UDP connection 27971 for Inside:HPA02/53 to Inside:192.168.12.10/62344 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:07|302016|HPA02|53|192.168.13.178|55185|Teardown UDP connection 27970 for Inside:HPA02/53 to Inside:192.168.13.178/55185 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:07|302016|FTP_Server|53|192.168.13.178|55185|Teardown UDP connection 27969 for Inside:FTP_Server/53 to Inside:192.168.13.178/55185 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:07|302016|FTP_Server|53|192.168.12.10|64374|Teardown UDP connection 27968 for Inside:FTP_Server/53 to Inside:192.168.12.10/64374 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:06|302015|HPA02|53|192.168.12.10|62344|Built inbound UDP connection 27971 for Inside:HPA02/53 (HPA02/53) to Inside:192.168.12.10/62344 (192.168.12.10/62344)
6|Jan 23 2012|18:20:06|302015|HPA02|53|192.168.13.178|55185|Built inbound UDP connection 27970 for Inside:HPA02/53 (HPA02/53) to Inside:192.168.13.178/55185 (192.168.13.178/55185)
6|Jan 23 2012|18:20:06|302015|FTP_Server|53|192.168.13.178|55185|Built inbound UDP connection 27969 for Inside:FTP_Server/53 (FTP_Server/53) to Inside:192.168.13.178/55185 (192.168.13.178/55185)
6|Jan 23 2012|18:20:06|302015|FTP_Server|53|192.168.12.10|64374|Built inbound UDP connection 27968 for Inside:FTP_Server/53 (FTP_Server/53) to Inside:192.168.12.10/64374 (192.168.12.10/64374)
6|Jan 23 2012|18:20:06|302016|FTP_Server|53|192.168.12.10|62344|Teardown UDP connection 27965 for Inside:FTP_Server/53 to Inside:192.168.12.10/62344 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:06|106015|192.168.13.105|1720|192.168.8.1|61442|Deny TCP (no connection) from 192.168.13.105/1720 to 192.168.8.1/61442 flags ACK  on interface Inside
6|Jan 23 2012|18:20:06|106015|192.168.13.105|1720|192.168.8.1|61443|Deny TCP (no connection) from 192.168.13.105/1720 to 192.168.8.1/61443 flags ACK  on interface Inside
6|Jan 23 2012|18:20:06|302016|HPA02|53|192.168.12.10|64374|Teardown UDP connection 27964 for Inside:HPA02/53 to Inside:192.168.12.10/64374 duration 0:00:00 bytes 0
6|Jan 23 2012|18:20:05|302015|FTP_Server|53|192.168.12.10|62344|Built inbound UDP connection 27965 for Inside:FTP_Server/53 (FTP_Server/53) to Inside:192.168.12.10/62344 (192.168.12.10/62344)
6|Jan 23 2012|18:20:05|302016|HPA02|53|192.168.13.178|61975|Teardown UDP connection 27963 for Inside:HPA02/53 to Inside:192.168.13.178/61975 duration 0:00:00 bytes 0

This setup used to work perfectly on my old firewall (a Watchguard), but I can't seem to figure out what is happening here (I am migrating away from the Watchguard to the Cisco).

The routing between my 6.0/23 and the 8.0/24 works perfectly, as does the internet in and out.

Any help is appreciated.

Thanks!

24 Replies

The show asp drop frame command can identify the number of DNS packets that the DNS guard function (with the counter name inspect-dns-id-not-matched) has dropped because the transaction ID in the DNS response message does not match any transaction IDs for DNS queries that have passed across the firewall earlier on the same connection. As shown in the following example, the counter inspect-dns-id-not-matched is represented in the command output as DNS Inspect id not matched.

So in this case I think we are having the same problem; the thing is that TCP state bypass, as its name says, is only for TCP, so the only thing I can see here is to disable inspection for DNS.

Please give this a try and let me know:

policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map

Regards,

Do rate all the helpful posts!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I will give it a try tomorrow night and let you (and the community) know.

Sure!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I tried to turn off DNS inspection but the command didn't work:

HPAFW01(config)# class inspection_default
HPAFW01(config-cmap)# no inspect dns preset_dns_map
                         ^
ERROR: % Invalid input detected at '^' marker.

It didn't like "inspect".

Last night, before I switched back to the Firebox, I tried turning off the DNS guard and it didn't help either.

Hello Peter,

Do it like this:

policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That worked.

When I hit Tab to complete the command "class inspection_default", it reset me back into conf t:

HPAFW01# conf t
HPAFW01(config)# polic <-- TAB
HPAFW01(config)# policy-map glob  <-- TAB
HPAFW01(config)# policy-map global_policy
HPAFW01(config-pmap)# class ins  <-- TAB
HPAFW01(config)# class ins  <-- Exited me out of the policy map. I didn't notice the first time.
HPAFW01(config)#

Bug maybe? I would think the autocomplete wouldn't kick you out of the sub-configuration (I realize there wasn't anything to autocomplete, but still...).

Another thing learned!

Thanks for being so patient!

Hello Peter,

That is expected behavior: while you are under a policy-map, you will need to type the complete name of the class-map without using Tab.

Glad I could help!

Please mark the question as answered so future users can learn from here.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I am going to mark the question answered.

My DNS issue disappeared and my TCP issue was solved.

The ASA is still filtering on something that I can't figure out and is throwing no errors in the console (that I can see). Everything but my phone system works on the other networks.

I wish it would just blindly route my data without inspecting it (at least on the internal interface).

I think its time to call an expert in to help me solve this thing fully.

Thanks for the help.

Hello Peter,

OK, so now that is working. Regarding the phone system issue, what is happening?

If it's related to the ASA config, you are in the right place.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It's an Avaya IP PBX with 9650 phones.

The phone pulls a DHCP lease successfully, starts to pull its configuration from my web server, then hangs with error code HTTP:1 -905, which basically means the phone is having a hard time communicating with the web server, or the data from the web server is formatted wrong.

Is there a way to turn off all filtering, modification and checking to all the interfaces except traffic going to the Outside interface?

I need the ASA to be a dumb router and only filter things going to and from 0/0
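Editor's note, with an added example that is not part of the thread and not from any of the participants. The log excerpt in the original post has the classic signature of asymmetric routing through a hairpinned interface: the SYN from a 192.168.6.0/23 host reaches the ASA (its default gateway), the ASA forwards it back out Inside to 192.168.7.29 under same-security-traffic permit intra-interface, but the HP router returns the SYN-ACK directly to the client on the shared 192.168.6.0/23 segment, so the ASA never sees it, logs 302014 "SYN Timeout" after 30 seconds and drops the client's later segments with 106015 "Deny TCP (no connection)". ICMP works because it is not tracked that way. The UDP entries are the same asymmetry seen by DNS inspection: the reply from HPA02/53 or FTP_Server/53 is the first packet the ASA sees, so DNS guard drops it as a response whose query never crossed the box, which is why the inspect-dns-id-not-matched counter Julio mentions is the one to watch. The configuration below shows the two fixes discussed in the thread, TCP state bypass and removal of DNS inspection, scoped so that only the hairpinned internal flows lose stateful protection while Internet traffic keeps it; this also answers the last post's request to inspect only traffic to and from the Outside interface. The names HP_Routed_Networks, hairpin_bypass, hairpin_bypass_class, Inside_policy and inspect_external are my own; the subnets are the ones routed to 192.168.7.29 in the posted config; the commands are ASA 8.4 syntax and have not been run on the poster's device.

```cisco
! Added example, not from the thread. Object, ACL, class-map and policy-map
! names are assumptions; subnets are the ones routed to 192.168.7.29 above.
!
! 1. The flows the ASA hairpins on Inside toward the HP router. Their return
!    path never crosses the ASA, so it cannot track their TCP state.
object-group network HP_Routed_Networks
 network-object 192.168.9.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.12.0 255.255.255.0
 network-object 192.168.13.0 255.255.255.0
 network-object 192.168.14.0 255.255.255.0
 network-object 192.168.15.0 255.255.255.0
 network-object 192.168.16.0 255.255.255.0
access-list hairpin_bypass extended permit tcp 192.168.6.0 255.255.254.0 object-group HP_Routed_Networks
access-list hairpin_bypass extended permit tcp object-group HP_Routed_Networks 192.168.6.0 255.255.254.0
!
! 2. TCP state bypass for exactly those flows, as an Inside interface policy
!    rather than a change to global_policy. Caveat: bypassed flows get no TCP
!    normalizer, no SYN/embryonic-connection protection and no application
!    inspection; the interface ACL (Inside_access_in) and NAT still apply.
class-map hairpin_bypass_class
 match access-list hairpin_bypass
policy-map Inside_policy
 class hairpin_bypass_class
  set connection advanced-options tcp-state-bypass
service-policy Inside_policy interface Inside
!
! 3. Instead of "no inspect dns" for every interface, narrow the global
!    inspection class so DNS guard and the other engines still protect flows
!    that cross Outside. A Layer 3/4 class-map may combine
!    match default-inspection-traffic with one match access-list; the ports in
!    the ACL are ignored, only the addresses narrow the match.
access-list inspect_external extended deny ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inspect_external extended permit ip any any
class-map inspection_default
 match default-inspection-traffic
 match access-list inspect_external
!
! 4. Verification from enable mode. packet-tracer should report the
!    tcp-state-bypass action for a hairpinned flow, the DNS drop counter
!    should stop increasing, and the bypassed connections show up in show conn.
! packet-tracer input Inside tcp 192.168.7.16 40000 192.168.13.207 3001
! show service-policy interface Inside
! show asp drop frame
! show conn address 192.168.13.207
```

The inspect_external ACL deliberately also removes inspection from Inside to Phone_System flows (including the skinny, sip and h323 engines listed in global_policy), which is what the last post asks for; if any internal protocol does need an inspection engine, replace the single RFC 1918 deny with narrower entries. TCP state bypass is a workaround, not a fix: the ASA still cannot see half of each hairpinned conversation. The design alternative the posted hardware already allows is to move the HP router's uplink onto the unused Ethernet0/3 as its own interface, so both directions of every inter-subnet flow cross the ASA and full stateful inspection can stay on.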
