08-05-2014 08:31 AM - edited 03-11-2019 09:34 PM
This is an odd one and I'm really confused. I'm hoping someone in the community can assist. I installed an ASA 5510 on our network to replace an old AdTran. The ASA has been up for a few months now with no issues. All of a sudden we can no longer access epson.com. I have no issues with nslookup, tracert, or ICMP back to epson.com.
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside-fios
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.254.0 255.255.255.0
match ip inside 192.168.254.0 255.255.255.0 outside-fios any
dynamic translation to pool 1 (72.75.xxx.xxx [Interface PAT])
translate_hits = 55089, untranslate_hits = 6539
Additional Information:
Dynamic translate 192.168.254.145/80 to 72.75.xxx.xxx/416 using netmask 255.255.255.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.254.0 255.255.255.0
match ip inside 192.168.254.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 128290, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside-fios
output-status: up
output-line-status: up
Action: allow
ASA5510(config)#
08-05-2014 01:31 PM
Hi,
So are you saying that the connectivity to the mentioned site worked just fine with the ASA and then suddenly stopped working? It would seem strange that the ASA would have anything to do with this.
I guess I would personally first use "nslookup" to determine the IP address to which the host is connecting and monitor that IP address through the ASDM of the ASA. I guess it might be required also that you simply monitor connections formed from your test host through the ASDM. You could then monitor the TCP connection "Teardown" messages and see what the reason for the "Teardown" is. If it's TCP FINs then it refers to the normal connection close sequence. If it's SYN Timeout then it means that the TCP connection opening sequence didn't go through, and the most usual reason is that the remote host does not reply or some other device in between blocks this. The result might also be TCP Reset-O or TCP Reset-I, which are resets either from the less secure or more secure interface (inside/outside determined by the "security-level" value). Though the resets might be a bit harder to troubleshoot, as you see them normally in browser-based traffic.
I guess at this point I would perhaps try using different computers and browsers to test and also see that no software on the actual host could affect this. I doubt that there is any web filtering in use that you would not know about that could cause this?
But as I said the ASDM real time logs should give us some idea on what the problem is.
You can also take a traffic capture on the ASA on its internal interface and perhaps on the external interface too to confirm if there is any return traffic from the remote host (server) coming to your ASA.
If you want to configure traffic capture on the ASA you can use the following configurations:
access-list EPSON-EXT-CAP permit ip host <your external pat ip> host <epson.com ip>
access-list EPSON-EXT-CAP permit ip host <epson.com ip> host <your external pat ip>
access-list EPSON-INT-CAP permit ip host <your internal host ip> host <epson.com ip>
access-list EPSON-INT-CAP permit ip host <epson.com ip> host <your internal host ip>
capture EPSON-EXT-CAP type raw-data packet-length 1522 access-list EPSON-EXT-CAP interface outside-fios buffer 33500000 circular-buffer
capture EPSON-INT-CAP type raw-data packet-length 1522 access-list EPSON-INT-CAP interface inside buffer 33500000 circular-buffer
With regards to the above "access-list" and "capture" configurations I would like to stress the following points
To view if any traffic has been captured you can use the command
show capture
To view the capture on the CLI you can use the command
show capture <capture name>
To copy the capture to your computer with TFTP you can use the command
copy /pcap capture:<capture name> tftp://<host ip>/filename.pcap
You can then open the capture file on your computer with Wireshark for easier troubleshooting.
You can remove the captures (and their data) with the command
no capture <capture name>
You will have to remove the created ACLs separately.
Hope this helps :)
- Jouni
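An added example, not part of Jouni's reply or the original thread: a small Python script that parses the ASA "%ASA-6-302014" TCP teardown messages Jouni suggests watching (as exported from the ASDM real-time log or a syslog server) and counts the teardown reason per remote IP, so a site that only ever ends in "SYN Timeout" stands out from sites that close normally with "TCP FINs". The log lines are constructed sample data (the IPs are documentation addresses); the interface name outside-fios is taken from the packet-tracer output above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of ASA syslog teardown messages (not from the thread).
# Layout follows the documented %ASA-6-302014 message; IPs and ports are made up.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 128290 for outside-fios:203.0.113.10/80 to inside:192.168.254.145/51000 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 128291 for outside-fios:203.0.113.10/443 to inside:192.168.254.145/51001 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 128292 for outside-fios:198.51.100.7/80 to inside:192.168.254.145/51002 duration 0:00:02 bytes 5120 TCP FINs
%ASA-6-302014: Teardown TCP connection 128293 for outside-fios:203.0.113.10/80 to inside:192.168.254.20/40001 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 128294 for outside-fios:198.51.100.7/443 to inside:192.168.254.20/40002 duration 0:00:05 bytes 9000 TCP FINs
"""

TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) ?(?P<reason>.*)$"
)

# What each teardown reason named in the reply above means when you see it.
REASON_MEANING = {
    "TCP FINs": "normal close, both sides finished",
    "SYN Timeout": "handshake never completed: remote did not answer or a device in between dropped it",
    "TCP Reset-O": "reset came from the lower-security (outside) side",
    "TCP Reset-I": "reset came from the higher-security (inside) side",
}

def parse_teardowns(log_text):
    """Yield a dict per 302014 teardown line; lines that do not match are ignored."""
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            d["reason"] = d["reason"].strip()
            yield d

def reasons_by_remote(log_text, remote_iface="outside-fios"):
    """Count teardown reasons per remote IP so a host that never answers stands out."""
    counts = defaultdict(Counter)
    for t in parse_teardowns(log_text):
        # The remote host is whichever side of the connection sits on the outside interface.
        remote_ip = t["ip_a"] if t["if_a"] == remote_iface else t["ip_b"]
        counts[remote_ip][t["reason"]] += 1
    return counts

if __name__ == "__main__":
    for ip, c in reasons_by_remote(SAMPLE_LOG).items():
        for reason, n in c.most_common():
            print(f"{ip:15} {n:3}  {reason:12} -> {REASON_MEANING.get(reason, 'unknown reason')}")
```

Feed it the real log export instead of SAMPLE_LOG and a destination that shows only SYN Timeout with 0 bytes is the one to chase with the captures described above.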