This is an odd one and I'm really confused. I'm hoping someone in the community can assist. I installed an ASA 5510 on our network to replace an old AdTran. The ASA has been up for a few months now with no issues. All of a sudden we can no longer access epson.com. I have no issues with nslookup, tracert, icmp, back to epson.com.
So are you saying that the connectivity to the mentioned site worked just fine with the ASA and then suddenly stopped working? It would seem strange that the ASA would have anything to do with this.
I guess I would personally first use "nslookup" to determine the IP address to which the host is connecting and monitor that IP address through the ASDM of the ASA. I guess it might also be required that you simply monitor connections formed from your test host through the ASDM. You could then monitor the TCP connection "Teardown" messages and see what the reason for the "Teardown" is. If it's TCP FINs then it refers to the normal connection close sequence. If it's SYN Timeout then it means that the TCP connection opening sequence didn't go through, and the most usual reason is that the remote host does not reply or some other device in between blocks this. The result might also be TCP Reset-O or TCP Reset-I, which are resets either from the less secure or more secure interface (inside/outside determined by the "security-level" value). Though the resets might be a bit harder to troubleshoot as you see them normally in browser based traffic.
I guess at this point I would perhaps try using different computers and browsers to test and also see that no software on the actual host could affect this. I doubt that there is any web filtering in use that you would not know about that could cause this?
But as I said the ASDM real time logs should give us some idea on what the problem is.
You can also take a traffic capture on the ASA on its internal interface and perhaps on the external interface too to confirm if there is any return traffic from the remote host (server) coming to your ASA.
If you want to configure traffic capture on the ASA you can use the following configurations
access-list EPSON-EXT-CAP permit ip host <your external pat ip> host <epson.com ip>
access-list EPSON-EXT-CAP permit ip host <epson.com ip> host <your external pat ip>
With regards to the above "access-list" and "capture" configurations I would like to stress the following points
The ACL tells what traffic to capture. So if there are multiple destination IP addresses or subnets then you can add an ACL line for them too in the same ACL. You can also narrow down the "permit ip" to "permit tcp" etc.
The configuration using the EXT ACL will catch any user's traffic in this case as we are capturing traffic from a Dynamic PAT IP address which all users share. That makes it more viable to use the capture in the internal IP address if there are a lot of users trying to access that destination IP address. But it might be good to take the EXT capture anyway.
In the capture configurations I have configured almost the maximum buffer memory for the capture. You can use a lower value if needed/required.
To view if any traffic has been captured you can use the command
To view the capture on the CLI you can use the command
show capture <capture name>
To copy the capture to your computer with TFTP you can use the command
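An added example, not part of the reply above and not Cisco tooling: a short Python script that applies the teardown-reason reading described in the reply to exported log lines. The sample lines are constructed in the layout of the ASA 302014 TCP teardown syslog message, 203.0.113.80 is a placeholder for the address nslookup returns for the site, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the ASA 302014 (TCP teardown) syslog layout;
# 203.0.113.80 is a placeholder for the server address from nslookup.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 4101 for outside:203.0.113.80/80 to inside:192.168.1.25/51012 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 4102 for outside:203.0.113.80/443 to inside:192.168.1.25/51013 duration 0:00:02 bytes 5120 TCP FINs
%ASA-6-302014: Teardown TCP connection 4103 for outside:203.0.113.80/80 to inside:192.168.1.25/51014 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 4104 for outside:198.51.100.7/80 to inside:192.168.1.30/51100 duration 0:00:01 bytes 900 TCP Reset-I
%ASA-6-302013: Built outbound TCP connection 4105 for outside:203.0.113.80/80 (203.0.113.80/80) to inside:192.168.1.25/51015 (192.0.2.1/40001)
"""

TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<if1>[^:\s]+):(?P<ip1>[\d.]+)/(?P<port1>\d+) (?:\(\S+\) )?"
    r"to (?P<if2>[^:\s]+):(?P<ip2>[\d.]+)/(?P<port2>\d+) (?:\(\S+\) )?"
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$"
)

# Interpretation of each reason, following the reply above.
MEANING = {
    "TCP FINs": "normal connection close",
    "SYN Timeout": "handshake never completed: remote host silent or a device in the path blocks it",
    "TCP Reset-O": "reset received from the outside (less secure) interface",
    "TCP Reset-I": "reset received from the inside (more secure) interface",
}

def teardowns_for(log_text, server_ip):
    """Return parsed teardown records in which either endpoint is server_ip."""
    records = []
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if not m or server_ip not in (m["ip1"], m["ip2"]):
            continue
        raw = m["reason"].strip()
        # Trailing fields (initiator, user) may follow the reason; match on prefix.
        reason = next((r for r in MEANING if raw.startswith(r)), raw or "unknown")
        records.append({"conn": int(m["conn"]), "bytes": int(m["bytes"]),
                        "duration": m["duration"], "reason": reason,
                        "meaning": MEANING.get(reason, "see ASA syslog reference")})
    return records

def summarize(records):
    """Count teardown reasons so a dominant failure mode stands out."""
    return Counter(r["reason"] for r in records)

if __name__ == "__main__":
    for rec in teardowns_for(SAMPLE_LOG, "203.0.113.80"):
        print(rec["conn"], rec["reason"], "->", rec["meaning"])
```

A run of SYN Timeout entries with 0 bytes for the server address is the case where the inside and outside captures are worth comparing to see whether any return traffic reaches the ASA.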