New Member

Facing an Issue with one website

Hello Experts,

I'm facing a weird problem and I am tired, as I have tried my best to solve the issue.

I'm facing a problem accessing one medical website. It works for 5 minutes and then stops working.

If I connect a laptop directly to my router and assign a public IP, it works and downloads from the website with no issue. But if I connect this laptop to my internal network behind the ASA, I face issues. I can browse other websites without problems. For more info, I have an inbuilt IPS with the ASA.

I'm sure something internally is having a problem.

Please help me


Facing an Issue with one website

Hello Samir,

So even if you do not use the IPS module on the ASA you still have the issue.

Hmm, do you have any logs from when the connection gets closed? The next thing will be to do a capture.

Also, when you connect the PC directly, what IP address does the PC use? Is it the same as the one it uses when it goes to the outside through the ASA, or is it a different one?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Facing an Issue with one website

Hi Julio,

Thanks for your fast response.

I haven't tried without IPS.

How can I do capturing?

I use a different IP on the PC than the one used by the ASA.

Thanks.

Facing an Issue with one website

Hello,

Ok, let's do something first.

As a test using the ASA, please make a static translation on the ASA from that PC to the other IP that it is using when the ASA is not there:

static (inside,outside) public_ip private_ip

And give it a shot

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Facing an Issue with one website

Hi Julio,

I tried the other public IP as NAT, but it is still the same. I can browse other websites successfully.

Samir

New Member

Facing an Issue with one website

Just to confirm, I did the lookup by visiting the website whatismyip.com.

Samir

New Member

Re: Facing an Issue with one website

One more thing I've noted: once I start downloading the medical files from the site, the website and the download stop working.

The download reaches 2-5% and gets interrupted.

Samir

New Member

Re: Facing an Issue with one website

Please advise me how I can bypass the IPS.

Thanks

Re: Facing an Issue with one website

Hello Samir,

You send all the traffic to the IPS by using MPF, so can I see the show run policy-map and show run class-map?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Facing an Issue with one website

Hi,

ASA-5520# sh running-config class-map
!
class-map ips_class
 match access-list CSM_TF_ACL_IPS__1
class-map inspection_default
 match default-inspection-traffic

ASA-5520# sh running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class ips_class
  ips inline fail-open

Samir

Re: Facing an Issue with one website

Hello,

Add the following:

access-list  CSM_TF_ACL_IPS__1 line 1 deny tcp host x.x.x.x ( private ip address test PC) any eq 80

access-list  CSM_TF_ACL_IPS__1 line 2 deny tcp host x.x.x.x ( private ip address test PC) any eq 443

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Facing an Issue with one website

Hello Samir,

Ok, can you take out that NAT statement that you just added and use the old one, but this time let's bypass the IPS and give it a try.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Facing an Issue with one website

Hi,

Please can you tell me what this command will do?

Thanks

Re: Facing an Issue with one website

Hello,

Sure! The connections being initiated from that host going to port 80 or 443 will not be inspected by the IPS!

That is all

Rate posts that help!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Facing an Issue with one website

Until now the download has reached 30%; there seems to be progress. So what could be the issue? Is there any alternative solution instead of bypassing the IPS?

Thanks.

Samir

New Member

Re: Facing an Issue with one website

This website will be used by many users in my organization, and I cannot let HTTP and HTTPS bypass the IPS. Your further help will be highly appreciated.

Thank you very much.

New Member

Re: Facing an Issue with one website

Hi,

The download was successfully completed. Please help me further to solve this problem permanently on the IPS.

I really appreciate your help.

Samir.

New Member

Re: Facing an Issue with one website

Any suggestions?

Samir

Re: Facing an Issue with one website

Hello Samir,

There has got to be something with that particular website that is making a signature on the IPS reset or drop the connection; in this case we will need to make captures and troubleshoot the IPS module to see what is going on.

The workaround for this would be, instead of this:

access-list  CSM_TF_ACL_IPS__1 line 1 deny tcp host x.x.x.x ( private ip address test PC) any eq 80

access-list  CSM_TF_ACL_IPS__1 line 2 deny tcp host x.x.x.x ( private ip address test PC) any eq 443

Use this:

access-list  CSM_TF_ACL_IPS__1 line 1 deny tcp any  host website_ip eq 80

access-list  CSM_TF_ACL_IPS__1 line 2 deny tcp any host website_ip  eq 443

With this, the only TCP port 80 and 443 traffic that will be bypassed will be the traffic going to that particular website.

You can do an nslookup to get the IP address of the remote site.

Hope I helped you on this.

Julio

Rate posts that help you.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
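To make the accepted answer's point concrete, here is an added example (not from the thread or from Cisco) that models the ASA first-match ACL classification behind "match access-list": a permit ACE classifies a flow into ips_class, a deny ACE exempts it, and it shows why the destination-based deny lines narrow the bypass to the one site. The test PC address 10.1.1.50, the website address 203.0.113.10 and the trailing "permit ip any any" line are assumptions, since the thread does not show the rest of CSM_TF_ACL_IPS__1.

```python
import ipaddress

# Constructed sample ACLs mirroring the thread's before/after deny lines. The
# addresses and the closing "permit ip any any" are assumed (not shown in the thread).
TEST_PC = "10.1.1.50"
WEBSITE = "203.0.113.10"
BYPASS_BY_SOURCE = [
    f"access-list CSM_TF_ACL_IPS__1 line 1 deny tcp host {TEST_PC} any eq 80",
    f"access-list CSM_TF_ACL_IPS__1 line 2 deny tcp host {TEST_PC} any eq 443",
    "access-list CSM_TF_ACL_IPS__1 line 3 permit ip any any",
]
BYPASS_BY_DESTINATION = [
    f"access-list CSM_TF_ACL_IPS__1 line 1 deny tcp any host {WEBSITE} eq 80",
    f"access-list CSM_TF_ACL_IPS__1 line 2 deny tcp any host {WEBSITE} eq 443",
    "access-list CSM_TF_ACL_IPS__1 line 3 permit ip any any",
]

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse: access-list NAME [line N] {permit|deny} PROTO SRC DST [eq PORT]."""
    t = line.split()[2:]            # drop "access-list" and the ACL name
    if t[0] == "line":
        t = t[2:]
    action, proto = t[0], t[1]
    src, t = _addr(t[2:])
    dst, t = _addr(t)
    dport = int(t[1]) if len(t) >= 2 and t[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def sent_to_ips(acl_lines, src, dst, proto, dport):
    """First-match evaluation: a permit ACE classifies the flow into ips_class (sent
    to the IPS), a deny ACE exempts it, and no match is the implicit deny (exempt)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False
```

The destination-based exemption is only as good as the resolved address: if the site is served from several addresses, each one needs its own deny ACE, and the exemption should be re-checked if the site's DNS answer changes.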
New Member

Re: Facing an Issue with one website

Hi Julio,

Firstly, thank you very much for your help; I really appreciate it.

access-list  CSM_TF_ACL_IPS__1 line 1 deny tcp any  host website_ip eq 80

access-list  CSM_TF_ACL_IPS__1 line 2 deny tcp any host website_ip  eq 443

Thanks once again. Have a nice time.

Re: Facing an Issue with one website

Hello Samir,

Thank you for your kind words.

Have a great day,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC