Cant Access epson.com via ASA

dale.summers — Tue, 12 Mar 2019 04:34:54 GMT

This is an odd one and i'm really confused. I'm hoping someone in the community can assist. I installed an ASA 5510 on our network to replace an old AdTran. The ASA has been up for a few months now with no issues. All of the sudden we can no longer access epson.com. I have no issues with nsloopup, tracert, icmp, back to epson.com

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside-fios

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.254.0 255.255.255.0
match ip inside 192.168.254.0 255.255.255.0 outside-fios any
dynamic translation to pool 1 (72.75.xxx.xxx [Interface PAT])
translate_hits = 55089, untranslate_hits = 6539
Additional Information:
Dynamic translate 192.168.254.145/80 to 72.75.xxx.xxx/416 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.254.0 255.255.255.0
match ip inside 192.168.254.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 6

Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 128290, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside-fios
output-status: up
output-line-status: up
Action: allow

ASA5510(config)#

Hi, So are you saying that

Jouni Forss — Tue, 05 Aug 2014 20:31:17 GMT

Hi,

So are you saying that the connectivity to the mentioned site worked just fine with the ASA and then suddenly stopped working? It would seem strange that the ASA would have anything to do with this.

I guess I would personally first use the "nslookup" to determine the IP address to which the host is connecting and monitor that IP address through the ASDM of the ASA. I guess it might be required also that you simply monitor connections formed from your test host through the ASDM. You could them monitor the TCP connection "Teardown" messages and see what the reason for the "Teardown" is. If its TCP FINs then it refers to normal connection close sequence. If its SYN Timeout then it means that the TCP connection opening sequence didnt go through and the most usual reason is that the remote host does not reply or some other device in between blocks this. The result might also be TCP Reset-O or TCP Reset-I which are resets either from the less secure or more secure interface (inside/outside determine by the "security-level" value) Though the resets might be a bit harder to troubleshoot as you see them normally in browser based traffic.

I guess this point I would perhaps try using different computers and browsers to test and also see that no software on the actual host could affect this. I doubt that there is any web filtering in use that you would not know about that could cause this?

But as I said the ASDM real time logs should give us some idea on what the problem is.

You can also take a traffic capture on the ASA on its internal interface and perhaps on the external interface too to confirm if there is any return traffic from the remote host (server) coming to your ASA.

If you want to configure traffic capture on the ASA you can use the following configurations

access-list EPSON-EXT-CAP permit ip host <your external pat ip> host <epson.com ip>
access-list EPSON-EXT-CAP permit ip host <epson.com ip> host <your external pat ip>

access-list EPSON-INT-CAP permit ip host <your internal host ip> host <epson.com ip>
access-list EPSON-INT-CAP permit ip host <epson.com ip> host <your internal host ip>

capture EPSON-EXT-CAP type raw-data packet-length 1522 access-list EPSON-EXT-CAP interface outside-fios buffer 33500000 circular-buffer

capture EPSON-INT-CAP type raw-data packet-length 1522 access-list EPSON-INT-CAP interface inside buffer 33500000 circular-buffer

With regards to the above "access-list" and "capture" configurations I would like to stress the following points

The ACL tells what traffic to capture. So if there are multiple destination IP addresses or subnets then you can add ACL line for them too in the same ACL. You can also narrow down the "permit ip" to "permit tcp" etc.
The configuration using the EXT ACL will catch any users traffic in this case as you we are capturing traffic from a Dynamic PAT IP address which all uses shar. That makes it more viable to use the capture in the internal IP address if there is a lot of users trying to access that destination IP address. But it might be good to take the EXT capture anyway.
In the capture configuraitons I have configured almost the maximum buffer memory for the capture. You can use a lower value if needed/required.

To view if any traffic has been capture you can use the command

show capture

To view the capture on the CLI you can use the command

show capture <capture name>

To copy the capture to your computer with TFTP you can use the command

copy /pcap capture:<capture name> tftp://<host ip>/filename.pcap

You can then open the capture file on your computer with Wireshark for easier troubleshooting.

You can remove the captures (and their data) with the command

no capture <capture name>

You will have to remove the created ACLs separately.

Hope this helps 🙂

- Jouni

topic Hi, So are you saying that in Network Security

Cant Access epson.com via ASA

Hi, So are you saying that