topic The best way to find out if in Network Security

ASA packet capture

jack samuel — Tue, 12 Mar 2019 08:17:07 GMT

Dears ,

Topology.

DMZ -Zone->>>ASA firewall>>>>>Internet router>>>>> ISP

Please find the attached files and please explain me from where the packets are getting dropped

I am trying to connect from a PC which is connected on internet router gig0/1 which is trying to access the OWA server through https OWA link , OWA is on DMZ zone of the firewall, GIG0/0 of internet router is connected to Firewall Outside interface and the OWA is static natted on the firewall with public ip address.

Router ADSL interface Public IP Address: 82.82.82.189

Static Natted OWA server: 200.200.200.200.

elaborating the connection how it is happening

PC has private ip address and a public DNS 8.8.8.8
pc request to OWA link https://abc.com , PC has a dns of 8.8.8.8 request goes out to DNS and replies come of OWA public IP address
OWA public ip address , firewall outside interface and Internet router internal interface all in same public ip subnet.
The page does not open on user PC.

is it the DNS doctoring has to be done for the static nat of the OWA server.???????

Thanks

The best way to find out if

Hozaifa Samad — Sun, 18 Sep 2016 03:02:20 GMT

The best way to find out if it's ASA issue or not using capture, is to run 2 capture commands. One on the inbound interface and one on the outbound. If traffic is working fine, you should see incoming & outgoing packets on both captures. If you see packets leaving but nothing is coming back, then it's not an ASA issue.

capture cap1 interface x match ip host a host b

capture cap2 interface y match ip host a host b

show cap cap1

show cap cap2

Dear Hozaifa,

jack samuel — Mon, 19 Sep 2016 20:07:10 GMT

Dear Hozaifa,

I have one doubt, when the reply goes back the packets will travel the outside interface so why we need to capture on both the interfaces. ???

thanks

Hi Jack,

Hozaifa Samad — Mon, 19 Sep 2016 20:17:43 GMT

Hi Jack,

I'm not clear on your question, but having captures on both interfaces will tell you if it's ASA or not ASA issue. For example if you see packing coming on inbound but not leaving outbound, then it's ASA issue. If packet coming on inbound, leaving the outbound but no return, then it's not ASA issue. Also, you can get a return on the outbound, but ASA doesn't send it back to the source, then it's ASA. Using 2 captures just to tell you what exactly is going on.