topic Attached the defautl in Network Security

I can ping sites but not browse the Internet

servicioit — Tue, 12 Mar 2019 09:19:19 GMT

Hi,

I have an ASA 5505 and I can ping to 8.8.8.8 and ping to any sites like www.google.es, but I cannot browse the internet

In the log I can see:

Deny TCP (no connection) from 192.168.1.199/49364 to 62.128.100.161/443 flags RST on interface outside

Thanks in advance.

This is my configuration:

names
!
interface Ethernet0/0
switchport access vlan 100
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.20.100.200 255.255.0.0
!
interface Vlan100
nameif outside
security-level 0
ip address 192.168.1.200 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object udp
service-object tcp
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object udp
service-object tcp
service-object tcp destination eq www
service-object tcp destination eq https
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (outside,inside) dynamic interface
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.20.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 172.20.100.204-172.20.101.75 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:965268bd0f8d4c4741847c9ad301c635
: end

I am by no means an ASA Guru

Ricky Sandhu — Thu, 04 May 2017 16:10:42 GMT

I am by no means an ASA Guru but shouldn't you be inspecting HTTP traffic? Or does it automatically get matched as part of the class-map inspection_default?

Attached the defautl

servicioit — Thu, 04 May 2017 16:31:54 GMT

Attached the defautl inspections

Your NAT interfaces are

Collin Clark — Thu, 04 May 2017 17:28:10 GMT

Your NAT interfaces are backwards. Should be

object network obj_any
nat (inside,outside) dynamic interface

You can and should remove the ACL applied ot the outside interface. The ASA is stateful and will create pinholes back in to allow traffic.

You can see where it is failing with the following command-

packet-tracer input inside tcp 172.20.100.5 3943 8.8.8.8 80 detail

I need the ACL from outside

servicioit — Thu, 04 May 2017 19:04:46 GMT

I need the ACL from outside to inside because I need to reach a captive portal on 172.20.100.2 from 192.168.1.99 (computer)

So I reach this captive portal but I cannot surf internet after I authenticate succesfully in the captive portal although I can ping www.google.es after authenticate

do you have any ideas?

Thanks

If i understand the topology

Akhil.Balachandran — Thu, 04 May 2017 19:33:32 GMT

If i understand the topology correct, you have a user (192.168.1.199) on the outside, who is being authenticated VIA captive portal using an internal machine(172.20.100.2) for internet access. Please correct me if i am wrong.

Do you see the initial authentication connection from the .119 machine to .2 on the ASA ? Run the command " show conn | in 172.20.100.2 ".

Do the internal subnet 172.20.0.0/16 have issue accessing the internet ?

Run the below capture command on the outside interface:

capture out interface outside match icmp any host 8.8.8.8

initiate ping to 8.8.8.8 after the user is authenticated and take the output of

show capture out

Also, please paste the logs prior to the Deny (No TCP connection)

Regards

Akhil

Hi Akhil.

servicioit — Fri, 05 May 2017 10:23:52 GMT

Hi Akhil.

Thanks for your help.

You are right. My user is on 192.168.1.199 Gw 192.168.1.200 and my captive portal is on 172.20.100.2 and my asa interface inside is on 172.20.100.200/16 and my interface outside is on 192.168.1.200/24

Do you see the initial authentication connection from the .119 machine to .2 on the ASA ? Run the command " show conn | in 172.20.100.2 ".

If I run sh con

UDP outside 8.8.8.8:53 outside 192.168.1.199:58282, idle 0:00:27, bytes 30, flags -
UDP outside 8.8.8.8:53 outside 192.168.1.199:60564, idle 0:00:27, bytes 30, flags -
UDP outside 8.8.8.8:53 outside 192.168.1.199:55531, idle 0:00:27, bytes 30, flags -
UDP outside 8.8.8.8:53 outside 192.168.1.199:58089, idle 0:00:27, bytes 30, flags -
UDP outside 8.8.8.8:53 outside 192.168.1.199:51813, idle 0:00:27, bytes 30, flags -
UDP outside 8.8.8.8:53 outside 192.168.1.199:64212, idle 0:00:28, bytes 41, flags -
UDP outside 8.8.8.8:53 outside 192.168.1.199:57634, idle 0:00:31, bytes 29, flags -
UDP outside 8.8.8.8:53 outside 192.168.1.199:64760, idle 0:00:31, bytes 32, flags -
TCP outside 172.20.100.200(192.168.1.199):65069 inside 172.20.100.2:8880, idle 0:00:18, bytes 3007, flags UfrxIOB
TCP outside 172.20.100.200(192.168.1.199):65040 inside 172.20.0.122:13000, idle 0:03:38, bytes 423463, flags UxIOB

Do the internal subnet 172.20.0.0/16 have issue accessing the internet

Yes, this is my problem. The internal subnet (172.20.0.0/16) cannot acces to the internet

initiate ping to 8.8.8.8 after the user is authenticated and take the output of

show capture out

ciscoasa# show capture out

12 packets captured

   1: 00:00:36.174475       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   2: 00:00:36.174673       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   3: 00:00:37.174032       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   4: 00:00:37.174063       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   5: 00:00:38.172308       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   6: 00:00:38.172339       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   7: 00:00:39.170080       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   8: 00:00:39.170111       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   9: 00:00:50.669505       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
10: 00:00:50.669719       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
11: 00:00:51.663112       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
12: 00:00:51.663143       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
12 packets shown

please paste the logs prior to the Deny (No TCP connection)

4|May 05 2017|00:04:41|733100|||||[ Scanning] drop rate-2 exceeded. Current burst rate is 3 per second, max configured rate is 8; Current average rate is 50 per second, max configured rate is 4; Cumulative total count is 180400
4|May 05 2017|00:04:41|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 23 per second, max configured rate is 10; Current average rate is 50 per second, max configured rate is 5; Cumulative total count is 30222
6|May 05 2017|00:04:27|302014|192.168.1.199|65160|193.110.128.109|80|Teardown TCP connection 34951 for outside:192.168.1.199/65160 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:27|302013|192.168.1.199|65160|193.110.128.109|80|Built inbound TCP connection 34951 for outside:192.168.1.199/65160 (192.168.1.199/65160) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:04:25|106015|192.168.1.199|65160|193.110.128.109|80|Deny TCP (no connection) from 192.168.1.199/65160 to 193.110.128.109/80 flags RST on interface outside
6|May 05 2017|00:04:21|106015|192.168.1.199|65160|193.110.128.109|80|Deny TCP (no connection) from 192.168.1.199/65160 to 193.110.128.109/80 flags RST on interface outside
4|May 05 2017|00:04:21|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 22 per second, max configured rate is 10; Current average rate is 50 per second, max configured rate is 5; Cumulative total count is 30237
6|May 05 2017|00:04:21|302014|192.168.1.199|65160|193.110.128.109|80|Teardown TCP connection 34950 for outside:192.168.1.199/65160 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:21|302013|192.168.1.199|65160|193.110.128.109|80|Built inbound TCP connection 34950 for outside:192.168.1.199/65160 (192.168.1.199/65160) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:04:20|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST on interface outside
6|May 05 2017|00:04:19|106015|192.168.1.199|65160|193.110.128.109|80|Deny TCP (no connection) from 192.168.1.199/65160 to 193.110.128.109/80 flags RST on interface outside
6|May 05 2017|00:04:18|302014|192.168.1.199|65160|193.110.128.109|80|Teardown TCP connection 34949 for outside:192.168.1.199/65160 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:18|302013|192.168.1.199|65160|193.110.128.109|80|Built inbound TCP connection 34949 for outside:192.168.1.199/65160 (192.168.1.199/65160) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:04:17|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST on interface outside
6|May 05 2017|00:04:15|106015|192.168.1.199|65157|195.122.177.147|443|Deny TCP (no connection) from 192.168.1.199/65157 to 195.122.177.147/443 flags RST on interface outside
6|May 05 2017|00:04:14|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST on interface outside
6|May 05 2017|00:04:12|106015|192.168.1.199|65157|195.122.177.147|443|Deny TCP (no connection) from 192.168.1.199/65157 to 195.122.177.147/443 flags RST on interface outside
6|May 05 2017|00:04:11|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST on interface outside
6|May 05 2017|00:04:11|302014|192.168.1.199|65158|195.122.177.165|443|Teardown TCP connection 34948 for outside:192.168.1.199/65158 to outside:195.122.177.165/443 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:11|302013|192.168.1.199|65158|195.122.177.165|443|Built inbound TCP connection 34948 for outside:192.168.1.199/65158 (192.168.1.199/65158) to outside:195.122.177.165/443 (195.122.177.165/443)
6|May 05 2017|00:04:09|106015|192.168.1.199|65157|195.122.177.147|443|Deny TCP (no connection) from 192.168.1.199/65157 to 195.122.177.147/443 flags RST on interface outside
6|May 05 2017|00:04:08|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST on interface outside
6|May 05 2017|00:04:06|302014|192.168.1.199|65157|195.122.177.147|443|Teardown TCP connection 34943 for outside:192.168.1.199/65157 to outside:195.122.177.147/443 duration 0:00:09 bytes 0 TCP Reset-O
6|May 05 2017|00:04:06|302014|192.168.1.199|65156|193.110.128.109|80|Teardown TCP connection 34947 for outside:192.168.1.199/65156 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:06|302013|192.168.1.199|65156|193.110.128.109|80|Built inbound TCP connection 34947 for outside:192.168.1.199/65156 (192.168.1.199/65156) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:04:05|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST on interface outside
6|May 05 2017|00:04:05|302014|192.168.1.199|65158|195.122.177.165|443|Teardown TCP connection 34946 for outside:192.168.1.199/65158 to outside:195.122.177.165/443 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:05|302013|192.168.1.199|65158|195.122.177.165|443|Built inbound TCP connection 34946 for outside:192.168.1.199/65158 (192.168.1.199/65158) to outside:195.122.177.165/443 (195.122.177.165/443)
6|May 05 2017|00:04:02|302014|192.168.1.199|65158|195.122.177.165|443|Teardown TCP connection 34945 for outside:192.168.1.199/65158 to outside:195.122.177.165/443 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:02|302013|192.168.1.199|65158|195.122.177.165|443|Built inbound TCP connection 34945 for outside:192.168.1.199/65158 (192.168.1.199/65158) to outside:195.122.177.165/443 (195.122.177.165/443)
4|May 05 2017|00:04:01|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 10; Current average rate is 50 per second, max configured rate is 5; Cumulative total count is 30172
6|May 05 2017|00:04:00|106015|192.168.1.199|65156|193.110.128.109|80|Deny TCP (no connection) from 192.168.1.199/65156 to 193.110.128.109/80 flags RST on interface outside
6|May 05 2017|00:04:00|302014|192.168.1.199|65156|193.110.128.109|80|Teardown TCP connection 34944 for outside:192.168.1.199/65156 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:00|302013|192.168.1.199|65156|193.110.128.109|80|Built inbound TCP connection 34944 for outside:192.168.1.199/65156 (192.168.1.199/65156) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:03:58|106015|192.168.1.199|65156|193.110.128.109|80|Deny TCP (no connection) from 192.168.1.199/65156 to 193.110.128.109/80 flags RST on interface outside
6|May 05 2017|00:03:57|302014|192.168.1.199|65156|193.110.128.109|80|Teardown TCP connection 34942 for outside:192.168.1.199/65156 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:03:57|302013|192.168.1.199|65157|195.122.177.147|443|Built inbound TCP connection 34943 for outside:192.168.1.199/65157 (192.168.1.199/65157) to outside:195.122.177.147/443 (195.122.177.147/443)
6|May 05 2017|00:03:57|302013|192.168.1.199|65156|193.110.128.109|80|Built inbound TCP connection 34942 for outside:192.168.1.199/65156 (192.168.1.199/65156) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:03:56|305012|192.168.1.199|65147|172.20.100.200|65147|Teardown dynamic TCP translation from outside:192.168.1.199/65147 to inside:172.20.100.200/65147 duration 0:00:06
6|May 05 2017|00:03:56|302014|192.168.1.199|65147|172.20.100.2|8880|Teardown TCP connection 34940 for outside:192.168.1.199/65147 to inside:172.20.100.2/8880 duration 0:00:06 bytes 2194 TCP FINs
6|May 05 2017|00:03:56|302013|192.168.1.199|65150|172.20.100.2|8880|Built inbound TCP connection 34941 for outside:192.168.1.199/65150 (172.20.100.200/65150) to inside:172.20.100.2/8880 (172.20.100.2/8880)
6|May 05 2017|00:03:56|305011|192.168.1.199|65150|172.20.100.200|65150|Built dynamic TCP translation from outside:192.168.1.199/65150 to inside:172.20.100.200/65150
6|May 05 2017|00:03:50|302013|192.168.1.199|65147|172.20.100.2|8880|Built inbound TCP connection 34940 for outside:192.168.1.199/65147 (172.20.100.200/65147) to inside:172.20.100.2/8880 (172.20.100.2/8880)
6|May 05 2017|00:03:50|305011|192.168.1.199|65147|172.20.100.200|65147|Built dynamic TCP translation from outside:192.168.1.199/65147 to inside:172.20.100.200/65147
6|May 05 2017|00:03:49|302015|192.168.1.199|55720|8.8.8.8|53|Built inbound UDP connection 34939 for outside:192.168.1.199/55720 (192.168.1.199/55720) to outside:8.8.8.8/53 (8.8.8.8/53)
6|May 05 2017|00:03:49|302015|192.168.1.199|59800|8.8.8.8|53|Built inbound UDP connection 34938 for outside:192.168.1.199/59800 (192.168.1.199/59800) to outside:8.8.8.8/53 (8.8.8.8/53)
6|May 05 2017|00:03:49|302015|192.168.1.199|53363|8.8.8.8|53|Built inbound UDP connection 34937 for outside:192.168.1.199/53363 (192.168.1.199/53363) to outside:8.8.8.8/53 (8.8.8.8/53)
6|May 05 2017|00:03:49|302015|192.168.1.199|54153|8.8.8.8|53|Built inbound UDP connection 34936 for outside:192.168.1.199/54153 (192.168.1.199/54153) to outside:8.8.8.8/53 (8.8.8.8/53)
6|May 05 2017|00:03:42|302014|192.168.1.199|65124|13.107.5.80|80|Teardown TCP connection 34921 for outside:192.168.1.199/65124 to outside:13.107.5.80/80 duration 0:00:30 bytes 0 SYN Timeout
4|May 05 2017|00:03:41|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 25 per second, max configured rate is 10; Current average rate is 50 per second, max configured rate is 5; Cumulative total count is 30193
6|May 05 2017|00:03:41|302014|172.20.100.2|59304|172.20.100.200|443|Teardown TCP connection 34928 for inside:172.20.100.2/59304 to identity:172.20.100.200/443 duration 0:00:26 bytes 595 TCP FINs
6|May 05 2017|00:03:41|302014|172.20.100.2|59308|172.20.100.200|443|Teardown TCP connection 34930 for inside:172.20.100.2/59308 to identity:172.20.100.200/443 duration 0:00:26 bytes 441 TCP FINs
6|May 05 2017|00:03:41|302014|172.20.100.2|59310|172.20.100.200|443|Teardown TCP connection 34931 for inside:172.20.100.2/59310 to identity:172.20.100.200/443 duration 0:00:26 bytes 579 TCP FINs
4|May 05 2017|00:03:21|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 10; Current average rate is 50 per second, max configured rate is 5; Cumulative total count is 30167
6|May 05 2017|00:03:18|305012|192.168.1.199|65132|172.20.100.200|65132|Teardown dynamic TCP translation from outside:192.168.1.199/65132 to inside:172.20.100.200/65132 duration 0:00:00
6|May 05 2017|00:03:18|302014|192.168.1.199|65132|172.20.0.122|13000|Teardown TCP connection 34935 for outside:192.168.1.199/65132 to inside:172.20.0.122/13000 duration 0:00:00 bytes 17680 TCP FINs
6|May 05 2017|00:03:18|302013|192.168.1.199|65132|172.20.0.122|13000|Built inbound TCP connection 34935 for outside:192.168.1.199/65132 (172.20.100.200/65132) to inside:172.20.0.122/13000 (172.20.0.122/13000)
6|May 05 2017|00:03:18|305011|192.168.1.199|65132|172.20.100.200|65132|Built dynamic TCP translation from outside:192.168.1.199/65132 to inside:172.20.100.200/65132
6|May 05 2017|00:03:16|305012|192.168.1.199|65131|172.20.100.200|65131|Teardown dynamic TCP translation from outside:192.168.1.199/65131 to inside:172.20.100.200/65131 duration 0:00:00
6|May 05 2017|00:03:16|302014|192.168.1.199|65131|172.20.0.122|13000|Teardown TCP connection 34934 for outside:192.168.1.199/65131 to inside:172.20.0.122/13000 duration 0:00:00 bytes 0 TCP FINs
6|May 05 2017|00:03:16|302013|192.168.1.199|65131|172.20.0.122|13000|Built inbound TCP connection 34934 for outside:192.168.1.199/65131 (172.20.100.200/65131) to inside:172.20.0.122/13000 (172.20.0.122/13000)
6|May 05 2017|00:03:16|305011|192.168.1.199|65131|172.20.100.200|65131|Built dynamic TCP translation from outside:192.168.1.199/65131 to inside:172.20.100.200/65131
6|May 05 2017|00:03:14|302015|192.168.1.199|64843|8.8.8.8|53|Built inbound UDP connection 34933 for outside:192.168.1.199/64843 (192.168.1.199/64843) to outside:8.8.8.8/53 (8.8.8.8/53)
6|May 05 2017|00:03:14|106015|172.20.100.2|59314|172.20.100.200|443|Deny TCP (no connection) from 172.20.100.2/59314 to 172.20.100.200/443 flags FIN ACK on interface inside
6|May 05 2017|00:03:14|302014|172.20.100.2|59314|172.20.100.200|443|Teardown TCP connection 34932 for inside:172.20.100.2/59314 to identity:172.20.100.200/443 duration 0:00:00 bytes 1465 TCP Reset-O
6|May 05 2017|00:03:14|725007|172.20.100.2|59314|||SSL session with client inside:172.20.100.2/59314 terminated.
6|May 05 2017|00:03:14|605005|172.20.100.2|59314|172.20.100.200|https|Login permitted from 172.20.100.2/59314 to inside:172.20.100.200/https for user "enable_15"
6|May 05 2017|00:03:14|725002|172.20.100.2|59314|||Device completed SSL handshake with client inside:172.20.100.2/59314
6|May 05 2017|00:03:14|725003|172.20.100.2|59314|||SSL client inside:172.20.100.2/59314 request to resume previous session.
6|May 05 2017|00:03:14|725001|172.20.100.2|59314|||Starting SSL handshake with client inside:172.20.100.2/59314 for TLS session.
6|May 05 2017|00:03:14|302013|172.20.100.2|59314|172.20.100.200|443|Built inbound TCP connection 34932 for inside:172.20.100.2/59314 (172.20.100.2/59314) to identity:172.20.100.200/443 (172.20.100.200/443)
6|May 05 2017|00:03:14|725007|172.20.100.2|59310|||SSL session with client inside:172.20.100.2/59310 terminated.
6|May 05 2017|00:03:14|605005|172.20.100.2|59310|172.20.100.200|https|Login permitted from 172.20.100.2/59310 to inside:172.20.100.200/https for user "enable_15"
6|May 05 2017|00:03:14|725002|172.20.100.2|59310|||Device completed SSL handshake with client inside:172.20.100.2/59310
6|May 05 2017|00:03:14|725003|172.20.100.2|59310|||SSL client inside:172.20.100.2/59310 request to resume previous session.
6|May 05 2017|00:03:14|725001|172.20.100.2|59310|||Starting SSL handshake with client inside:172.20.100.2/59310 for TLS session.
6|May 05 2017|00:03:14|725007|172.20.100.2|59308|||SSL session with client inside:172.20.100.2/59308 terminated.
6|May 05 2017|00:03:14|302013|172.20.100.2|59310|172.20.100.200|443|Built inbound TCP connection 34931 for inside:172.20.100.2/59310 (172.20.100.2/59310) to identity:172.20.100.200/443 (172.20.100.200/443)
6|May 05 2017|00:03:14|605005|172.20.100.2|59308|172.20.100.200|https|Login permitted from 172.20.100.2/59308 to inside:172.20.100.200/https for user "enable_15"
6|May 05 2017|00:03:14|725002|172.20.100.2|59308|||Device completed SSL handshake with client inside:172.20.100.2/59308
6|May 05 2017|00:03:14|725003|172.20.100.2|59308|||SSL client inside:172.20.100.2/59308 request to resume previous session.
6|May 05 2017|00:03:14|725001|172.20.100.2|59308|||Starting SSL handshake with client inside:172.20.100.2/59308 for TLS session.
6|May 05 2017|00:03:14|725007|172.20.100.2|59306|||SSL session with client inside:172.20.100.2/59306 terminated.
6|May 05 2017|00:03:14|302013|172.20.100.2|59308|172.20.100.200|443|Built inbound TCP connection 34930 for inside:172.20.100.2/59308 (172.20.100.2/59308) to identity:172.20.100.200/443 (172.20.100.200/443)
6|May 05 2017|00:03:14|106015|172.20.100.2|59306|172.20.100.200|443|Deny TCP (no connection) from 172.20.100.2/59306 to 172.20.100.200/443 flags FIN ACK on interface inside
6|May 05 2017|00:03:14|302014|172.20.100.2|59306|172.20.100.200|443|Teardown TCP connection 34929 for inside:172.20.100.2/59306 to identity:172.20.100.200/443 duration 0:00:00 bytes 393 TCP Reset-O
5|May 05 2017|00:03:14|111010|||||User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'dir disk0:/dap.xml'
5|May 05 2017|00:03:14|111008|||||User 'enable_15' executed the 'dir disk0:/dap.xml' command.
6|May 05 2017|00:03:14|605005|172.20.100.2|59306|172.20.100.200|https|Login permitted from 172.20.100.2/59306 to inside:172.20.100.200/https for user "enable_15"
6|May 05 2017|00:03:14|725002|172.20.100.2|59306|||Device completed SSL handshake with client inside:172.20.100.2/59306
6|May 05 2017|00:03:14|725003|172.20.100.2|59306|||SSL client inside:172.20.100.2/59306 request to resume previous session.
6|May 05 2017|00:03:14|725001|172.20.100.2|59306|||Starting SSL handshake with client inside:172.20.100.2/59306 for TLS session.
6|May 05 2017|00:03:14|725007|172.20.100.2|59304|||SSL session with client inside:172.20.100.2/59304 terminated.
6|May 05 2017|00:03:14|302013|172.20.100.2|59306|172.20.100.200|443|Built inbound TCP connection 34929 for inside:172.20.100.2/59306 (172.20.100.2/59306) to identity:172.20.100.200/443 (172.20.100.200/443)
6|May 05 2017|00:03:14|605005|172.20.100.2|59304|172.20.100.200|https|Login permitted from 172.20.100.2/59304 to inside:172.20.100.200/https for user "enable_15"
6|May 05 2017|00:03:14|725002|172.20.100.2|59304|||Device completed SSL handshake with client inside:172.20.100.2/59304
6|May 05 2017|00:03:14|302014|172.20.100.2|59302|172.20.100.200|443|Teardown TCP connection 34927 for inside:172.20.100.2/59302 to identity:172.20.100.200/443 duration 0:00:00 bytes 10070 TCP Reset-O
6|May 05 2017|00:03:14|725003|172.20.100.2|59304|||SSL client inside:172.20.100.2/59304 request to resume previous session.
6|May 05 2017|00:03:14|725001|172.20.100.2|59304|||Starting SSL handshake with client inside:172.20.100.2/59304 for TLS session.
6|May 05 2017|00:03:14|725007|172.20.100.2|59302|||SSL session with client inside:172.20.100.2/59302 terminated.

Thanks for the output.

Akhil.Balachandran — Fri, 05 May 2017 12:24:22 GMT

Thanks for the output.

From the captures, i see that the echo request is going out, but there is no echo reply seen on the ASA. From the earlier post ,i believe the pings work.

This looks like an issue with asymmetric routing. Ideally, the ASA should have seen both the echo request and echo reply.But in this case, AsA is only seeing the echo request, but the pings still succeeds which proves that there might be some asymmetric routing, where in the upstream device is sending the traffic directly over to the host machine, instead of sending it VIA the ASA.

The reason, the pings works is because it is a stateless connection, ASA does not keep track of ICMP connection (this can be changed by enabling icmp inspection). However, TCP connection is stateful, ASA has to see the full flow (SYN,SYNACK, ACK) to built a connection successfully.

Logs TCP connections when the .199 machine tries to go out to the internet, but it times out, probably because there is no reply coming back to the ASA

0|Teardown TCP connection 34921 for outside:192.168.1.199/65124 to outside:13.107.5.80/80 duration 0:00:30 bytes 0 SYN Timeout

Try the below Nat statements and let me know if it works,

Object network obj_172.16
subnet 172.20.0.0 255.255.0.0
nat (inside,outside) dynamic interface

object network obj_192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (outside,outside) dynamic interface.

The 192.168.1.0 nat is to check if the reply traffic is sent back to the ASA instead of the machine 192.168.1.199

Regards

Akhil

Hi Akhil

servicioit — Fri, 05 May 2017 13:56:04 GMT

Hi Akhil

Thanks for your response.

I put your two rules and the portal captive is not reachable now.

So, I change the first nat rule from inside to inside and everything works OK.

Now, I deleted my old nat rule from inside to outside and everytihing is still working.

I don't understand why, but with these new rules I can reach captive portal and I can authenticate and I can surf to the Internet. Just what I needed......

object network obj_172.16
nat (inside,inside) dynamic interface
object network obj_192.168.1.0
nat (outside,outside) dynamic interface

Do you thing this configuration is correct?

Thanks a lot....

Hi

Akhil.Balachandran — Mon, 08 May 2017 12:54:48 GMT

That's strange. Can you remove the Nat (inside, inside) and let me know if everything still works.

I dont see a reason why you require the inside, inside nat. Is there any traffic hair pining or on the inside interface ?

Regards

Akhil