ASA 5540 protocol-80 blocked packets when return

Hello, 

I have some traffic that uses protocol 80. I have set up a new service with protocol 80, other than TCP/UDP. The session is established from inside to outside.

When packets arrive at the "inside" interface, they cross the firewall and are sent out the "outside" interface. When the return packets arrive at the "outside" interface, they die there and do not cross the ASA again to the "inside" interface.

I verified that no packets hit the rules. It seems the packets are not matched by any rule in the ASA, but are sent out; when the packets arrive I don't understand what is happening and why they are blocked at the outside interface.

 

Please, could you help me ?

Thanks

Andre

 

6 Replies

hubertzw
Level 1

Hi,

Probably the ASA doesn't inspect this traffic; enable MPF for this traffic or add an ACL.

regards

Hubert

Thanks Hubert for your answer!

You are talking about the IP-protocol 80 and not about TCP or UDP? Then you have to allow it explicitly as this will never be handled statefully by the firewall:

access-list OUTSIDE-IN permit 80 host OUTSIDE-IP host INSIDE-IP

 

Thanks for your answers! I will try as soon as possible.

Yes, proto 80 is not TCP/UDP. Non-stateful is the key.

 

Hello, 

Sadly, none of the options work!

I have explicitly enabled return traffic on the inside and outside interfaces, in the incoming and outgoing directions, but nothing... no hits appear in the rules.

access-list OUTSIDE-IN permit 80 host OUTSIDE-IP host INSIDE-IP

 

I have made a class-map in order to inspect the traffic on the outside interface, but this also seems not to work.

This kind of traffic is non-IP traffic and my ASA 5540 is in routed mode.

Please, could you give me some idea to work around this?

Thanks in advance!

Andres

It works now!

The outside host had an old session established with the inside host.

The inside host had changed address and the NAT table still remained. I cleared the old session and everything works fine. ("clear conn address outside_address")
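Putting the accepted answer and the final fix together, here is an added ASA configuration example; it is not from the original thread or from Cisco. It keeps the ACL name OUTSIDE-IN from the thread and assumes interface names `inside` and `outside`, plus constructed placeholder addresses 203.0.113.10 for the outside host and 192.0.2.20 for the inside host.

```cisco
! Constructed example: object names and addresses are placeholders, not from the thread.
! IP protocol 80 is neither TCP nor UDP, so the ASA does not build a stateful
! return path for it; the inbound leg has to be permitted explicitly.

object network INSIDE-HOST
 host 192.0.2.20
object network OUTSIDE-HOST
 host 203.0.113.10

! Inbound on "outside": permit only the return leg of the protocol-80 session.
! Keep the rule narrow: one protocol, two hosts, no "any".
access-list OUTSIDE-IN extended permit 80 object OUTSIDE-HOST object INSIDE-HOST
access-group OUTSIDE-IN in interface outside

! Verification: the hit count on this line should increase when return packets arrive.
! If it stays at zero while packets are visible on the wire, something earlier in
! the path (for example an existing connection entry) is consuming them.
show access-list OUTSIDE-IN

! Stale state: when the inside host changes address, an old connection entry for
! the outside host can still capture the traffic. Inspect it, then clear it by
! the outside host's address, as the thread's fix did.
show conn address 203.0.113.10
clear conn address 203.0.113.10
```

After clearing, check `show conn address 203.0.113.10` again to confirm that a fresh entry with the new inside address appears, and that the OUTSIDE-IN hit counter moves; a permit line with a zero hit count is the quickest sign that the rule is not the thing deciding the packet's fate.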
