Help on accessing Device from remotely

Hello All,

I need help with the following:

I have an HP printer (HP Color LaserJet CM2320nf MFP) behind a Cisco ASA5505 firewall.

I had been accessing it until last week; now I cannot any more. Also, I cannot send scanned documents through it.

Here is the topology:

                                                     /---->>>> VMware server
                                                     |---->>>> IP Phone & PC
===<<Internet>>===> ASA5505 ====> Cisco Switch 2960 -|---->>>> IP Phone & PC
                                                     |---->>>> PC
                                                     \---->>>> HP Color LaserJet CM2320nf MFP

* I can access the ASA5505 with HTTPS and the Cisco switch with HTTPS remotely

* I can ping all devices behind the firewall & switch remotely

* Two people in my office with the same subnet 10.10.44.0/24 can ping & HTTPS/HTTP to the ASA, switch & HP printer

* I have a VPN tunnel up & connected to the remote site

Check Attachment for Configurations

Thanks

DaK

6 REPLIES

Help on accessing Device from remotely

Hello Davy,

In this case the most recommended troubleshooting step would be to do some captures to see what's going on.

I do not know the source and destination (printer) IP addresses, so I will give you a document so you can perform the captures and let us know the results.

https://supportforums.cisco.com/docs/DOC-1222

Please rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Help on accessing Device from remotely

Dec 5, 2011 7:09 AM (in response to jcarvaja)

Hello Jcarvaja,

Thanks for your response. I tried what is in the document link you sent, but I could not get any information.

My source IP address is from the remote site, with a VPN connection to the destination, the printer's site.

Source subnet = 10.10.44.0/24; my PC is 10.10.44.23

Destination = 10.10.1.0/24 (LAN subnet of the printer site) and the printer IP address is 10.10.1.198

My Cisco ASA is a 5505, version 8.4, and these are my commands:

Capture PRINTER-CAPTURE_1 interface inside match tcp host 10.10.44.50 host 10.10.1.198 eq 80

Capture PRINTER-CAPTURE_1 interface inside buffer 1000000 packet 1522  trace trace-count 1000

Capture PRINTER-CAPTURE_1 interface outside buffer 1000000 packet 1522  trace trace-count 1000

and the show capture output:

ASA5505# sh capture PRINTER-CAPTURE_1

62: 14:19:05.576355 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: P 2745432908:2745433195(287) ack 45352991 win 16560

  63: 14:19:05.576630 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: . ack 2745433195 win 7993

  64: 14:19:05.576859 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: P 45352991:45353080(89) ack 2745433195 win 7993

  65: 14:19:05.576920 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: FP 45353080:45353080(0) ack 2745433195 win 7993

  66: 14:19:05.581680 802.1Q vlan#1 P0 10.10.44.50.59428 > 10.10.1.198.80: . ack 45490856 win 16560

  67: 14:19:05.588699 802.1Q vlan#1 P0 10.10.44.50.59428 > 10.10.1.198.80: P 3148480111:3148480396(285) ack 45490856 win 16560

  68: 14:19:05.588958 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . ack 3148480396 win 7995

  69: 14:19:05.589523 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: P 45490856:45491368(512) ack 3148480396 win 7995

  70: 14:19:05.590270 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . 45491368:45492748(1380) ack 3148480396 win 7995

  71: 14:19:05.590850 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . 45492748:45494128(1380) ack 3148480396 win 7995

  72: 14:19:05.632535 802.1Q vlan#1 P0 10.10.44.50.59421 > 10.10.1.198.80: F 3008331229:3008331229(0) ack 38850175 win 16432

  73: 14:19:05.633145 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59421: . 38851555:38852935(1380) ack 3008331230 win 8003

  74: 14:19:05.655941 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: . ack 45353081 win 16537

  75: 14:19:05.656231 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: F 2745433195:2745433195(0) ack 45353081 win 16537

  76: 14:19:05.656414 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: . ack 2745433196 win 7992

  77: 14:19:05.665996 802.1Q vlan#1 P0 10.10.44.50.59422 > 10.10.1.198.80: F 1200183666:1200183666(0) ack 39038817 win 16432

Could anyone explain this, please?

====================================

Regards,

DaK

Help on accessing Device from remotely

Hello Davy,

So the communication is with a remote PC on another site (site-to-site VPN). In this case you will need to create the captures on the inside interfaces of both endpoints, where the traffic is not encrypted.

Also can you create the following capture:

capture asp type asp-drop all

And then provide us the following:

Show capture asp  | include printer_ip_add

This will show us if there are packets being dropped by the ASA algorithm.

Please rate helpful posts.

Julio!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Help on accessing Device from remotely

Hello,

I applied all the commands you requested, but at my ASA (REMOTE-ASAFW-C5505#) there is no packet drop.

At the printer's ASA (Printer-ASAFW-C5505#), it shows only 7 packets captured.

REMOTE-ASAFW-C5505# sh capture PRINTER-CAPTURE_REMOTE-PC                                                               

0 packet captured

0 packet shown

============

Printer-ASAFW-C5505# sh capture PRINTER-CAPTURE_LAN_INSIDE

7 packets captured

   1: 15:25:20.633786 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995

   2: 15:26:08.259996 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004

   3: 15:26:10.588073 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995

   4: 15:27:00.532336 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995

   5: 15:27:07.817737 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004

   6: 15:27:50.476110 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: R 3670904924:3670904924(0) win 0

   7: 15:28:07.365505 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004

Printer-ASAFW-C5505# capture ASP type asp-drop all

Printer-ASAFW-C5505# capture ASP type asp-drop all

< EMPTY / NO OUTPUT>

Printer-ASAFW-C5505# Show capture ASP  | include 10.10.1.198 

< EMPTY / NO OUTPUT>

**NB: Could you explain to me what R, P, FP, S & . mean in the output result, please?

Thanks

DaK

Re: Help on accessing Device from remotely

Hello Davy,

We can see that there are no drops by the ASA (capture ASP is empty). Now, on the Printer_Capture we can see there are some regular ack packets, but we can also see a reset (R):

P0 10.10.1.198.80 > 10.10.44.50.55161: R 3670904924:3670904924(0) win 0

So the communication is being ended by that particular reset packet. You will need to do a capture on the PC with Wireshark to check whether the computer is the one sending the reset or if it's the printer.

I think that will lead us to the bottom of this issue.

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC