ASDM access issue on outside interface

pmahesh01 — Fri, 21 Feb 2020 13:07:59 GMT

Hello,

I have just migrated from a PIX 6.3 to ASA 9.1(1), everything seems to work fine except for the ASDM access from the outside interface. I am able to get ASDM access from the inside interface.

Strangely I am see accepted packets in the logging, but when I telnet on the outside interface on port 443 I am unable to telnet( I am telneting for a public IP).

Has anyone faced similar issues.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address XX.XX.XX.145 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.105.1 255.255.255.0
!

access-list outside_access_in extended permit tcp any object 192.168.105.210 eq 3389
access-list outside_access_in extended permit tcp any object 192.168.105.220 eq 3389
access-list outside_access_in extended permit tcp any object 192.168.30.31 eq 502
access-list outside_access_in extended permit tcp any object 192.168.105.109 eq www
access-list outside_access_in extended permit tcp any object 192.168.105.109 eq https
access-list outside_access_in extended permit tcp any object 172.16.105.10 eq smtp
access-list outside_access_in extended permit tcp any object 172.16.105.10 eq 8000
access-list outside_access_in extended permit tcp any object XX.XX.XX.145(outside iInt IP) eq https
access-list DMZ_access_in extended permit tcp object SMTPGW-DMZ any eq domain
access-list DMZ_access_in extended permit tcp object SMTPGW-DMZ any eq www
access-list DMZ_access_in extended permit object HTTPS object SMTPGW-DMZ any
access-list DMZ_access_in extended permit tcp object SMTPGW-DMZ any eq smtp
access-list DMZ_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any inactive
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list spiclient_splitTunnelAcl standard permit 192.168.105.0 255.255.255.0
access-list spiclient_splitTunnelAcl standard permit 192.168.30.0 255.255.255.0
access-list ININSIDE extended permit ip 192.168.105.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list ININSIDE extended permit ip 192.168.105.0 255.255.255.0 192.168.106.0 255.255.255.0
access-list ININSIDE extended permit ip 192.168.105.0 255.255.255.0 192.168.107.0 255.255.255.0
access-list ININSIDE extended permit ip 192.168.105.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list ININSIDE extended permit udp any any eq domain
access-list ININSIDE extended permit tcp any any eq www
access-list ININSIDE extended permit tcp any any eq 8080
access-list ININSIDE extended permit tcp any any eq https
access-list ININSIDE extended permit tcp any any eq ftp-data
access-list ININSIDE extended permit tcp any any eq ftp
access-list ININSIDE extended permit tcp any any eq telnet

access-list ININSIDE extended permit tcp any any eq 1863
access-list ININSIDE extended permit tcp any any eq 5050
access-list ININSIDE extended permit tcp any any eq 3389
access-list ININSIDE extended permit tcp any any eq 995
access-list ININSIDE extended permit tcp any any eq 1227
access-list ININSIDE extended permit udp any any eq 1227
access-list ININSIDE extended permit ip host 192.168.105.73 any
access-list ININSIDE extended permit ip host 192.168.105.71 any
access-list ININSIDE extended permit udp any any eq isakmp
access-list ININSIDE extended permit udp any eq isakmp any
access-list ININSIDE extended permit esp any any
access-list ININSIDE extended permit udp any any eq 4500
access-list ININSIDE extended permit udp any eq 4500 any
access-list ININSIDE extended permit udp any any eq ntp
access-list ININSIDE extended permit tcp any any eq 123
access-list ININSIDE extended permit tcp any eq 123 any
access-list ININSIDE extended permit udp any eq ntp any
access-list ININSIDE extended permit tcp any any eq pop3
access-list ININSIDE extended permit ip host 192.168.105.254 any
access-list ININSIDE extended permit tcp any any eq smtp
access-list ININSIDE extended permit tcp any any eq 6901
access-list ININSIDE extended permit udp any any eq 6901
access-list ININSIDE extended permit udp any any eq 6801
access-list ININSIDE extended permit udp any any range 2001 2120

access-list ININSIDE extended permit tcp any any range 6891 6900
access-list ININSIDE extended permit tcp any any eq 7001
access-list ININSIDE extended permit udp any any eq 7001
access-list ININSIDE extended permit udp any any eq discard
access-list ININSIDE extended permit tcp any any range 5000 65535
access-list ININSIDE extended permit udp any any range 5000 65535
access-list ININSIDE extended permit tcp any any eq 5061
access-list ININSIDE extended permit tcp any any eq 502
access-list ININSIDE extended permit icmp any any
access-list ININSIDE extended permit tcp any any eq domain
access-list ININSIDE extended permit ip 192.168.105.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list ININSIDE extended permit tcp any any eq imap4
access-list ININSIDE extended permit tcp any any eq 843

nat (inside,outside) source static 192.168.105.0_24 192.168.105.0_24 destination static 192.168.106.0_24 192.168.106.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.105.0_24 192.168.105.0_24 destination static 192.168.107.0_24 192.168.107.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.105.0_24 192.168.105.0_24 destination static 172.16.105.0_24 172.16.105.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.105.0_24 192.168.105.0_24 destination static 192.168.255.0_24 192.168.255.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.105.0_24 192.168.105.0_24 destination static 192.168.100.0_27 192.168.100.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.30.0_24 192.168.30.0_24 destination static 192.168.100.0_27 192.168.100.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.50.0_24 192.168.50.0_24 destination static 192.168.100.0_27 192.168.100.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.60.0_24 192.168.60.0_24 destination static 192.168.100.0_27 192.168.100.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.105.0_24 192.168.105.0_24 destination static 192.168.100.192_26 192.168.100.192_26 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static NETWORK_OBJ_192.168.255.0_24 NETWORK_OBJ_192.168.255.0_24 no-proxy-arp route-lookup
nat (DMZ,outside) source static 172.16.105.0_24 172.16.105.0_24 destination static 192.168.105.0_24 192.168.105.0_24 no-proxy-arp route-lookup
nat (DMZ,outside) source static 172.16.105.0_24 172.16.105.0_24 destination static 192.168.255.0_24 192.168.255.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.105.210 interface service TCP_3389 TCP_3389
nat (inside,outside) source static 192.168.105.220 interface service TCP_3389 TCP_6500
nat (inside,outside) source static 192.168.30.31 XX.XX.XX.149 service TCP_502 TCP_502
nat (inside,outside) source static 192.168.105.109 SMTP_PUBLIC service HTTP HTTP
nat (inside,outside) source static 192.168.105.109 SMTP_PUBLIC service HTTPS HTTPS
nat (inside,outside) source static 192.168.105.7 SMTP_PUBLIC service TCP_3389 TCP_6501
nat (DMZ,outside) source static 172.16.105.10 XX.XX.XX.150 service TCP_8000 TCP_8000

nat (DMZ,outside) source static 172.16.105.10 SMTP_PUBLIC service SMTP SMTP
nat (DMZ,outside) source dynamic SMTPGW-DMZ SMTP_PUBLIC
nat (inside,outside) source dynamic DIP_LAN interface
access-group outside_access_in in interface outside
access-group ININSIDE in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.148 1

http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 management

Mahesh,Telnet, even on port

Marvin Rhoads — Mon, 17 Mar 2014 18:13:16 GMT

Mahesh,

Telnet, even on port 443, is not a good test because the ASA does not allow telnet protocol into the lowest security level interface.

Please verify your have the 3DES-AES license active ("show ver | i AES") and that you have strong ciphers enabled ("show ssl"). For the latter we look for 3DES or AES ciphers to be among the enabled ones. If they are not, then enable them with "ssl encryption aes256-sha1 aes128-sha1 3des-sha1"

Hello Marvin, Thanks for the

pmahesh01 — Tue, 18 Mar 2014 05:20:37 GMT

Hello Marvin,

Thanks for the reply. I have verified the above and all required parametres areto be enabled.

SPI-FW# sho version | i AES
Encryption-3DES-AES : Enabled perpetual
SPI-FW# sh ssl
SPI-FW# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: 3des-sha1 aes128-sha1
Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled

Below are some captures logs i have collected.

1: 08:50:47.525683(My Public) XX.XX.48.154.64514 >(ASA outside int) AA.BB.CC.145.443: S 1504497065:1504497065(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK>
2: 08:50:47.525897 AA.BB.CC.145.443 > XX.XX.48.154.64514: S 3288262520:3288262520(0) ack 1504497066 win 32768 <mss 1452>
3: 08:50:47.531756 XX.XX.48.154.64514 > AA.BB.CC.145.443: R 1504497066:1504497066(0) win 0
4: 08:50:50.521350 XX.XX.48.154.64514 > AA.BB.CC.145.443: S 1504497065:1504497065(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK>
5: 08:50:50.521503 AA.BB.CC.145.443 > XX.XX.48.154.64514: S 4268904558:4268904558(0) ack 1504497066 win 32768 <mss 1452>
6: 08:50:50.527377 XX.XX.48.154.64514 > AA.BB.CC.145.443: R 1504497066:1504497066(0) win 0
7: 08:50:56.521671 XX.XX.48.154.64514 > AA.BB.CC.145.443: S 1504497065:1504497065(0) win 8192 <mss 1452,nop,nop,sackOK>
8: 08:50:56.521793 AA.BB.CC.145.443 > XX.XX.48.154.64514: S 4276582576:4276582576(0) ack 1504497066 win 32768 <mss 1452>
9: 08:50:56.527423 XX.XX.48.154.64514 > AA.BB.CC.145.443: R 1504497066:1504497066(0) win 0

I see RESET being send immediatly after a SYS ACK. Not sure why this is happening, could there be some issue with my NAT which is causing this behaviour.

Mahesh,What address is SMTP

Marvin Rhoads — Tue, 18 Mar 2014 14:47:09 GMT

Mahesh,

What address is SMTP_PUBLIC using? Hopefully not the outside interface.

Hi Marvin, Just figured out

pmahesh01 — Wed, 19 Mar 2014 05:17:10 GMT

Hi Marvin,

Just figured out the issue, there were no problems in the ASA configurations. There is an ISP router where PBR is configured where web traffic is redirected to the ADSL line. Just had to add an exception in the access list to get the ASDM working. Thank you for your inputs.

Thanks for letting us know

Marvin Rhoads — Wed, 19 Mar 2014 13:18:53 GMT

Thanks for letting us know the resolution.