06-05-2014 03:37 AM - edited 03-11-2019 09:17 PM
Hello everybody,
At the customer site, we have an ASA5510 (ASA version 9.1.2 - ASDM 7.2.1).
The problem is that there is only one particular website blocked, without any logical reason. According to the configuration we do not block any specific traffic. In fact, all traffic from that interface (higher security level) can go to the (WAN) interface with a lower security level.
ASA interface settings:
example:
From host 192.168.1.51 (inside), the website http://www.adhocdata.nl could not be reached and is blocked by the ASA. The strange thing is, it seems to be blocked by the wrong interface/access-list (ts-data). This interface has nothing to do with it... because the traffic is initiated from the inside interface to the TS-inet (WAN) interface. So why is the wrong access list blocking only this specific website? All the other web traffic runs smoothly.
See attachment for log information.
Hopefully someone can help me.
Thanks in advance.
06-05-2014 08:17 AM
Hi Marvin!
This is the result:
RSB-W-ASA# sh cap capin
12 packets captured
1: 16:19:53.285660 802.1Q vlan#99 P0 192.168.1.63.62575 > 217.119.236.139.80: S 2890204037:2890204037(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2: 16:19:53.289429 802.1Q vlan#99 P0 192.168.1.63.62576 > 217.119.236.139.80: S 3819549090:3819549090(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
3: 16:19:53.301253 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62575: R 59869520:59869520(0) ack 2890204038 win 8192
4: 16:19:53.304809 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62576: R 1539803214:1539803214(0) ack 3819549091 win 8192
5: 16:19:53.796620 802.1Q vlan#99 P0 192.168.1.63.62575 > 217.119.236.139.80: S 2890204037:2890204037(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
6: 16:19:53.796925 802.1Q vlan#99 P0 192.168.1.63.62576 > 217.119.236.139.80: S 3819549090:3819549090(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
7: 16:19:53.804813 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62576: R 1133326952:1133326952(0) ack 3819549091 win 8192
8: 16:19:53.804890 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62575: R 555211610:555211610(0) ack 2890204038 win 8192
9: 16:19:54.296768 802.1Q vlan#99 P0 192.168.1.63.62575 > 217.119.236.139.80: S 2890204037:2890204037(0) win 8192 <mss 1460,nop,nop,sackOK>
10: 16:19:54.297195 802.1Q vlan#99 P0 192.168.1.63.62576 > 217.119.236.139.80: S 3819549090:3819549090(0) win 8192 <mss 1460,nop,nop,sackOK>
11: 16:19:54.334775 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62575: R 786977574:786977574(0) ack 2890204038 win 8192
12: 16:19:54.334867 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62576: R 1027018004:1027018004(0) ack 3819549091 win 8192
12 packets shown
RSB-W-ASA#
RSB-W-ASA# sh cap capout
0 packet captured
0 packet shown
RSB-W-ASA#
--
I've used these captures:
RSB-W-ASA# show capture
capture capin type raw-data access-list asdm_cap_selector_inside interface inside [Capturing - 952 bytes]
capture capout type raw-data access-list asdm_cap_selector_outside interface ts-inet [Capturing - 0 bytes]
RSB-W-ASA#
06-05-2014 08:41 AM
Hmm, I'm not sure what's going on with capout, but capin shows the return traffic from the web site headed back to the client PC.
06-06-2014 12:10 AM
If you do the same capture but instead put the capout on the ts-data interface....
--
Please remember to select a correct answer and rate helpful posts
06-06-2014 06:02 AM
Hi,
Here's the output. It looks like the ASA doesn't route the traffic through the ts-inet... but why?
RSB-W-ASA# sh capture
capture capin type raw-data access-list asdm_cap_selector_inside interface inside [Capturing - 0 bytes]
capture capout type raw-data access-list asdm_cap_selector_outside interface ts-inet [Capturing - 0 bytes]
capture captsdata type raw-data access-list asdm_cap_selector_tsdata interface ts-data [Capturing - 0 bytes]
RSB-W-ASA#
RSB-W-ASA# sh capture
capture capin type raw-data access-list asdm_cap_selector_inside interface inside [Capturing - 952 bytes]
capture capout type raw-data access-list asdm_cap_selector_outside interface ts-inet [Capturing - 0 bytes]
capture captsdata type raw-data access-list asdm_cap_selector_tsdata interface ts-data [Capturing - 0 bytes]
RSB-W-ASA#
RSB-W-ASA# sh cap capin
12 packets captured
1: 14:06:57.274216 802.1Q vlan#99 P0 192.168.1.62.62520 > 217.119.236.139.80: S 2656530156:2656530156(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2: 14:06:57.274567 802.1Q vlan#99 P0 192.168.1.62.62521 > 217.119.236.139.80: S 3302571231:3302571231(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
3: 14:06:57.280792 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62520: R 907382114:907382114(0) ack 2656530157 win 8192
4: 14:06:57.281143 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62521: R 902039472:902039472(0) ack 3302571232 win 8192
5: 14:06:57.779714 802.1Q vlan#99 P0 192.168.1.62.62521 > 217.119.236.139.80: S 3302571231:3302571231(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
6: 14:06:57.780004 802.1Q vlan#99 P0 192.168.1.62.62520 > 217.119.236.139.80: S 2656530156:2656530156(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
7: 14:06:57.786244 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62521: R 188947886:188947886(0) ack 3302571232 win 8192
8: 14:06:57.786488 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62520: R 1985605340:1985605340(0) ack 2656530157 win 8192
9: 14:06:58.273942 802.1Q vlan#99 P0 192.168.1.62.62521 > 217.119.236.139.80: S 3302571231:3302571231(0) win 8192 <mss 1460,nop,nop,sackOK>
10: 14:06:58.274262 802.1Q vlan#99 P0 192.168.1.62.62520 > 217.119.236.139.80: S 2656530156:2656530156(0) win 8192 <mss 1460,nop,nop,sackOK>
11: 14:06:58.280609 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62521: R 1470588602:1470588602(0) ack 3302571232 win 8192
12: 14:06:58.280792 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62520: R 1896160456:1896160456(0) ack 2656530157 win 8192
12 packets shown
RSB-W-ASA#
RSB-W-ASA# sh cap capout
0 packet captured
0 packet shown
RSB-W-ASA# sh cap captsdata
0 packet captured
0 packet shown
RSB-W-ASA#
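An added example (not from the thread or from Cisco): a small Python parser for the ASA "show capture" lines above that groups packets per TCP connection and counts SYN, SYN-ACK and RST segments, so the pattern in the captures (every client SYN answered by a RST that acks exactly SYN+1, no SYN-ACK, nothing on ts-inet or ts-data) can be checked mechanically rather than by eye. The embedded sample is the first four packets of the capin capture quoted earlier in the thread; the field names and the "S." spelling of SYN-ACK are assumptions about the ASA output format.

```python
import re

# Matches one TCP line of ASA "show capture <name>" output (the 802.1Q prefix is optional).
PKT_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SRPFU.]+)\s+(?P<seq>\d+):\d+\(\d+\)(?:\s+ack\s+(?P<ack>\d+))?\s+win\s+\d+"
)

# Sample input: the first four packets of the "sh cap capin" output quoted in the thread.
SAMPLE = """1: 16:19:53.285660 802.1Q vlan#99 P0 192.168.1.63.62575 > 217.119.236.139.80: S 2890204037:2890204037(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2: 16:19:53.289429 802.1Q vlan#99 P0 192.168.1.63.62576 > 217.119.236.139.80: S 3819549090:3819549090(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
3: 16:19:53.301253 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62575: R 59869520:59869520(0) ack 2890204038 win 8192
4: 16:19:53.304809 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62576: R 1539803214:1539803214(0) ack 3819549091 win 8192"""

def parse_capture(text):
    """Parse the TCP lines of 'show capture' output into dicts; other lines are skipped."""
    pkts = []
    for m in filter(None, map(PKT_RE.match, text.splitlines())):
        d = m.groupdict()
        d.update(sport=int(d["sport"]), dport=int(d["dport"]), seq=int(d["seq"]),
                 ack=int(d["ack"]) if d["ack"] else None)
        pkts.append(d)
    return pkts

def summarize_flows(pkts):
    """Group by connection (client = sender of the first SYN) and count SYN/SYN-ACK/RST;
    rst_answers_syn stays True only while every server RST acks exactly syn_seq+1."""
    flows = {}
    for p in pkts:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        key = fwd if fwd in flows else rev if rev in flows else None
        if key is None:
            if p["flags"] != "S" or p["ack"] is not None:
                continue  # packet of a connection whose SYN we never saw
            key = fwd
            flows[key] = {"syn": 0, "synack": 0, "rst": 0, "rst_answers_syn": True, "syn_seq": None}
        f, from_client = flows[key], key == fwd
        if from_client and p["flags"] == "S":
            f["syn"] += 1
            f["syn_seq"] = p["seq"]
        elif not from_client and p["flags"] == "S.":
            f["synack"] += 1
        elif not from_client and "R" in p["flags"]:
            f["rst"] += 1
            if p["ack"] != f["syn_seq"] + 1:
                f["rst_answers_syn"] = False
    return flows
```

Run it over the full capin output and over captures taken on each other interface: a flow whose RSTs are all SYN+1 replies seen only on the inside capture, with zero packets on the egress interfaces, points at the reset being generated before the packet ever leaves the firewall, which is the fact worth handing to TAC.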
06-06-2014 06:38 AM
It seems that all public IP addresses that start with 217.119.x.x give problems. IP addresses starting with 217.118.x.x or 217.120 give no problems.
06-06-2014 06:50 AM
When I ping directly from the ASA interface "ts-inet" (WAN) to 8.8.8.8, everything works well. When I ping to 217.119.236.139 from the same interface it doesn't work and all of the captures stay clean.
06-06-2014 10:39 AM
I can not find any reason why the ASA would only drop traffic to 217.119.236.139. I am assuming this is a public website and that the remote side doesn't have any local rules blocking your http requests?
By the look of your packet tracer the packet is allowed through the ASA and exits the correct interface as well.
To suggest an extreme, have you tried restarting your ASA?
If that doesn't work, or you don't want to do it... and of course depending on how important it is for your users to access this website, I again suggest opening a TAC case to get this resolved.
--
Please remember to select a correct answer and rate helpful posts