Facing an Issue with one website

samirshaikh52
Level 2

Hello Experts,

I'm facing a weird problem and I am tired, as I have tried my best to solve the issue.

I'm facing a problem accessing one medical website. It works for 5 minutes and then stops working.

If I connect a laptop directly to my router and assign a public IP, it works and downloads from the website with no issue. But if I connect this laptop to my internal network behind the ASA, I face issues. I can browse other websites without problems. For more info, I have the inbuilt IPS with the ASA.

I'm sure something internal is having a problem.

Please help me.

Accepted Solution

Hello Samir,

There's got to be something with that particular website that is making a signature on the IPS reset or drop the connection. In this case we will need to take captures and troubleshoot the IPS module to see what is going on.

The workaround for this would be, instead of this:

access-list CSM_TF_ACL_IPS__1 line 1 deny tcp host x.x.x.x (private IP address of the test PC) any eq 80
access-list CSM_TF_ACL_IPS__1 line 2 deny tcp host x.x.x.x (private IP address of the test PC) any eq 443

use this:

access-list CSM_TF_ACL_IPS__1 line 1 deny tcp any host website_ip eq 80
access-list CSM_TF_ACL_IPS__1 line 2 deny tcp any host website_ip eq 443

With this, the only TCP port 80 and 443 traffic that will be bypassed will be the traffic going to that particular website.

You can do an nslookup to get the IP address of the remote site.

Hope I helped you with this.

Julio

Rate posts that help you

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
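To see why the accepted answer's ACL is the tighter exception, here is an added example (not from the thread or from Cisco) that evaluates ASA-style access-list lines the way the ips_class 'match access-list' does: a permit hit sends a TCP flow to the IPS, a deny hit excludes it, and a flow matching no line is not in the class. The PC and website addresses are constructed placeholders, and the trailing 'permit ip any any' is an assumed pre-existing catch-all; both ACL variants from the thread are compared against the same sample flows.

```python
import ipaddress

# Constructed placeholder addresses; the thread only shows x.x.x.x and website_ip.
TEST_PC = "10.1.1.50"
WEBSITE_IP = "203.0.113.10"

def parse_ace(line):
    """Parse 'access-list NAME line N <action> <proto> SRC DST [eq PORT]' (ASA syntax)."""
    toks = line.split()
    i = toks.index("line") + 2
    action, proto = toks[i], toks[i + 1]
    i += 2
    def addr(j):  # 'any', 'host A.B.C.D' or 'NETWORK MASK'
        if toks[j] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), j + 1
        if toks[j] == "host":
            return ipaddress.ip_network(toks[j + 1]), j + 2
        return ipaddress.ip_network(f"{toks[j]}/{toks[j + 1]}"), j + 2
    src, i = addr(i)
    dst, i = addr(i)
    port = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return action, proto, src, dst, port

def ips_inspects(acl, src_ip, dst_ip, dport):
    """First-match evaluation of the ACL behind 'match access-list' in ips_class
    for a TCP flow: a 'permit' hit sends it to the IPS, a 'deny' hit excludes it
    from the class (bypass), and a flow matching no line is not in the class."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, src, dst, port in map(parse_ace, acl):
        if proto not in ("ip", "tcp") or s not in src or d not in dst:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False

def bypass_acl(src, dst):
    """The two 'deny' lines from the thread plus an assumed pre-existing catch-all
    'permit ip any any' (line 3) that sends everything else to the IPS."""
    return [f"access-list CSM_TF_ACL_IPS__1 line {n} deny tcp {src} {dst} eq {p}"
            for n, p in ((1, 80), (2, 443))] + [
            "access-list CSM_TF_ACL_IPS__1 line 3 permit ip any any"]

ACL_PER_HOST = bypass_acl(f"host {TEST_PC}", "any")     # first suggestion in the thread
ACL_PER_SITE = bypass_acl("any", f"host {WEBSITE_IP}")  # accepted answer

def uninspected_flows(acl, flows):
    """Return the (src, dst, dport) flows that would skip the IPS under acl."""
    return [f for f in flows if not ips_inspects(acl, *f)]
```

Under ACL_PER_HOST every HTTP/HTTPS connection from the test PC escapes inspection, while under ACL_PER_SITE only connections to the one website do, and the PC's other web traffic is still inspected.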


20 Replies

Julio Carvajal
VIP Alumni

Hello Samir,

So even if you do not use the IPS module on the ASA, you still have the issue.

Hmm, do you have any logs from when the connection gets closed? The next thing will be to do a capture.

Also, when you connect the PC directly, what IP address does the PC use? Is it the same as the one it uses when it goes to the outside through the ASA, or is it a different one?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for your fast response.

I haven't tried without the IPS.

How can I do capturing?

I use a different IP on the PC than the one used by the ASA.

Thanks.

Hello,

OK, let's do something first.

As a test using the ASA, please make a static translation on the ASA from that PC to the other IP that it uses when the ASA is not there:

static (inside,outside) public_ip private_ip

And give it a shot.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I tried another public IP for NAT, but it's still the same. I can browse other websites successfully.

Samir

Just to confirm, I did the lookup by visiting the website whatismyip.com.

Samir

One more thing I've noted: once I start downloading the medical files from the site, the website and the download stop working.

The download reaches 2-5% and gets interrupted.

Samir

Please advise me how I can bypass the IPS.

Thanks

Hello Samir,

You send all the traffic to the IPS by using MPF, so can I see the output of show run policy-map and show run class-map?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

ASA-5520# sh running-config class-map
!
class-map ips_class
 match access-list CSM_TF_ACL_IPS__1
class-map inspection_default
 match default-inspection-traffic

ASA-5520# sh running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class ips_class
  ips inline fail-open

Samir

Hello,

Add the following:

access-list CSM_TF_ACL_IPS__1 line 1 deny tcp host x.x.x.x (private IP address of the test PC) any eq 80
access-list CSM_TF_ACL_IPS__1 line 2 deny tcp host x.x.x.x (private IP address of the test PC) any eq 443

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Samir,

OK, can you take out that NAT statement that you just added and use the old one, but this time let's bypass the IPS and give it a try.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Please, can you tell me what this command will do?

Thanks

Hello,

Sure! The connections being initiated from that host going to port 80 or 443 will not be inspected by the IPS!

That is all.

Rate posts that help!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Until now the download has reached 30%, so there seems to be progress. So what could be the issue? Is there any alternative solution instead of bypassing the IPS?

Thanks.

Samir
