01-14-2012 10:09 AM - edited 03-11-2019 03:14 PM
Hello Experts,
I'm facing a weird problem and I am tired, as I have tried my best to solve the issue.
I'm facing a problem accessing one medical website. It works for 5 minutes and then stops working.
If I connect a laptop directly to my router and assign a public IP, it works and downloads from the website with no issue. But if I connect this laptop to my internal network behind the ASA, I face issues. I can browse other websites without problems. For more info, I have an inbuilt IPS with the ASA.
I'm sure something internal is having a problem.
Please help me.
01-14-2012 01:34 PM
Hello Samir,
There has got to be something about that particular website that is making a signature on the IPS reset or drop the connection; in this case we will need to make captures and troubleshoot the IPS module to see what is going on.
The workaround for this would be, instead of this:
access-list CSM_TF_ACL_IPS__1 line 1 deny tcp host x.x.x.x ( private ip address test PC) any eq 80
access-list CSM_TF_ACL_IPS__1 line 2 deny tcp host x.x.x.x ( private ip address test PC) any eq 443
Use this:
access-list CSM_TF_ACL_IPS__1 line 1 deny tcp any host website_ip eq 80
access-list CSM_TF_ACL_IPS__1 line 2 deny tcp any host website_ip eq 443
With this, the only TCP port 80 and 443 traffic that will be bypassed will be the traffic going to that particular website.
You can do an nslookup to get the IP address of the remote site.
Hope I helped you on this.
Julio
Rate posts that help you
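Added example (not from this thread or from Cisco): a small Python model of how the ASA MPF class-map ips_class classifies flows through its access-list, so the two bypass variants above (deny by source host versus deny by destination host) can be compared side by side. It assumes the untouched CSM_TF_ACL_IPS__1 ends in a "permit ip any any" entry, which the thread never shows, and uses constructed addresses for the test PC and the website.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Flow:
    src: str    # client address
    dst: str    # server address
    dport: int  # TCP destination port

def parse_ace(line: str):
    """'access-list NAME [line N] action proto src dst [eq PORT]' -> tuple."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    if tok[0] == "line":
        tok = tok[2:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    def take():  # 'host A' -> 'A', 'any' -> 'any'
        kw = rest.pop(0)
        return rest.pop(0) if kw == "host" else "any"
    src, dst = take(), take()
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def _host_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(spec) == ip_address(addr)

def sent_to_ips(acl, flow: Flow) -> bool:
    """MPF semantics: the first matching ACE decides. permit -> flow enters
    ips_class and goes to the IPS; deny -> exempt; no match -> not classified."""
    for line in acl:
        action, proto, src, dst, port = parse_ace(line)
        if proto not in ("ip", "tcp"):  # all example flows are TCP
            continue
        if not (_host_ok(src, flow.src) and _host_ok(dst, flow.dst)):
            continue
        if port is not None and port != flow.dport:
            continue
        return action == "permit"
    return False

ACL = "access-list CSM_TF_ACL_IPS__1"
TEST_PC = "192.0.2.10"     # constructed: private address of the test PC
WEBSITE = "198.51.100.20"  # constructed: address of the medical site
BASE = [f"{ACL} permit ip any any"]  # assumed: the existing catch-all ACE
ACL_BY_SOURCE = [f"{ACL} line 1 deny tcp host {TEST_PC} any eq 80",
                 f"{ACL} line 2 deny tcp host {TEST_PC} any eq 443"] + BASE
ACL_BY_DEST = [f"{ACL} line 1 deny tcp any host {WEBSITE} eq 80",
               f"{ACL} line 2 deny tcp any host {WEBSITE} eq 443"] + BASE

def inspected(flow: Flow):
    """(by_source, by_dest): whether the IPS sees the flow under each ACL."""
    return sent_to_ips(ACL_BY_SOURCE, flow), sent_to_ips(ACL_BY_DEST, flow)
```

The by-source variant removes every HTTP/HTTPS flow from the test PC from inspection, while the by-destination variant keeps the IPS on everything except traffic to the one site; non-web traffic to the site still reaches the IPS under both.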
01-14-2012 10:55 AM
Hello Samir,
So even if you do not use the IPS module on the ASA, you still have the issue.
Hmm, do you have any logs from when the connection gets closed? The next thing will be to do a capture.
Also, when the PC is directly connected, what IP address does the PC use? Is it the same as the one that it uses when it goes to the outside using the ASA, or is it a different one?
Regards,
Julio
01-14-2012 11:05 AM
Hi Julio,
Thanks for your fast response.
I haven't tried without IPS.
How can I do capturing?
I use a different IP on the PC than the one used by the ASA.
Thanks.
01-14-2012 11:09 AM
Hello,
OK, let's do something first.
As a test using the ASA, please make a static translation on the ASA from that PC to the other IP that it is using when the ASA is not there:
static (inside,outside) public_ip private_ip
And give it a shot.
Julio
01-14-2012 11:18 AM
Hi Julio,
I tried another public IP for NAT but still the same. I can browse other websites successfully.
Samir
01-14-2012 11:29 AM
Just to confirm, I did the lookup by visiting the website whatismyip.com.
Samir
01-14-2012 11:31 AM
One more thing I've noted: once I start downloading the medical files from the site, the website and the download stop working.
The download reaches 2-5% and gets interrupted.
Samir
01-14-2012 11:39 AM
Please advise me how I can bypass the IPS.
Thanks
01-14-2012 11:42 AM
Hello Samir,
You send all the traffic to the IPS by using MPF, so can I see the output of show run policy-map and show run class-map?
Regards,
01-14-2012 11:48 AM
Hi,
ASA-5520# sh running-config class-map
!
class-map ips_class
 match access-list CSM_TF_ACL_IPS__1
class-map inspection_default
 match default-inspection-traffic
ASA-5520# sh running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class ips_class
  ips inline fail-open
Samir
01-14-2012 11:50 AM
Hello,
Add the following:
access-list CSM_TF_ACL_IPS__1 line 1 deny tcp host x.x.x.x ( private ip address test PC) any eq 80
access-list CSM_TF_ACL_IPS__1 line 2 deny tcp host x.x.x.x ( private ip address test PC) any eq 443
Regards,
Julio
01-14-2012 11:38 AM
Hello Samir,
OK, can you take out that NAT statement that you just added and use the old one, but this time let's bypass the IPS and give it a try?
01-14-2012 11:51 AM
Hi,
Please can you tell me what this command will do?
Thanks
01-14-2012 11:56 AM
Hello,
Sure! The connections being initiated from that host going to port 80 or 443 will not be inspected by the IPS!
That is all.
Rate posts that help!
01-14-2012 12:07 PM
Until now the download has reached 30%; there seems to be progress. So what could be the issue? Is there any alternative solution instead of bypassing the IPS?
Thanks.
Samir