topic Is http://www.adhocdata.nl in Network Security

ASA5510 is blocking one specific website

Daniel Leonard — Tue, 12 Mar 2019 04:17:50 GMT

Hello everybody,

At the customer site, we have a ASA5510 (ASA version 9.1.2 - ASDM 7.2.1).

The problem is that there is only one particular website blocked, without any logic reason. According to the configuration we close no specific traffic. In fact; all traffic from that interface (higher security level) can go to the (WAN) interface with a lower security level.

ASA interface settings:

inside: 192.168.1.254/24 (local lan)
ts-data: 172.19.4.240/24 (another local LAN interface, used for traffic acrossing private WAN)
ts-inet: 83.167.X.X (this is the public internet connection

example:
From host 192.168.1.51(inside), the website http://www.adhocdata.nl could not be reached and is blocked by the ASA. The strange thing is, it seems to be blocked by the wrong interface/access-list (ts-data). This interface has nothing to do with it...because the traffic is initiated from the inside interface to the TS-inet (WAN)interface. So why is the wrong access list blocking only this specific website. All the other web traffic runs smoothly.

See attachment for log information.

Hopefully someone can help me.

Thanks in advance.

Is http://www.adhocdata.nl

Marius Gunnerud — Thu, 05 Jun 2014 10:43:12 GMT

Is http://www.adhocdata.nl your company website? if so is this server located behind your ASA in a DMZ?

Please rememebr to select a correct answer and rate helpful posts

No, that's a website that our

Daniel Leonard — Thu, 05 Jun 2014 11:03:59 GMT

No, that's a website that our customer wants to visit.

So your customer located off

Marius Gunnerud — Thu, 05 Jun 2014 11:07:57 GMT

So your customer located off TS-inet interface and the webserver is located off TS-data..correct?

Would you be able to post a full running config (sanitised)?

Please rememebr to select a correct answer and rate helpful posts

The customer host 192.168.1

Daniel Leonard — Thu, 05 Jun 2014 11:24:32 GMT

No not at all.

The customer host 192.168.1.51 (the host that wants to visit the website) is located behind the "inside" interface. Traffic to the web server goes through the interface "ts-inet" (the ts-inet interface is used as outside interface).

In short; the customer wants to visit that website. It's just an external website.

I'll see if I can post a config.

Here, the (stripped)

Daniel Leonard — Thu, 05 Jun 2014 12:21:19 GMT

Here, the (stripped) configuration.

at first glance there is

Marius Gunnerud — Thu, 05 Jun 2014 13:17:19 GMT

at first glance there is nothing wrong with the configuration.

If you do an nslookup adhocdata.nl from a local PC does it resolve to the correct IP (I got 217.119.236.139)

if you do a packet tracer on the ASA is the packet allowed through the ASA?

packet-tracer input inside tcp 192.168.1.2 12345 217.119.236.139 80 det

Please post the output here.

Please rememebr to select a correct answer and rate helpful posts

Thanks.. Here's the output

Daniel Leonard — Thu, 05 Jun 2014 13:23:03 GMT

Thanks.. Here's the output:

Result of the command: "packet-tracer input inside tcp 192.168.1.2 12345 217.119.236.139 80 det"

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xace9dd78, priority=1, domain=permit, deny=false

hits=397248107, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=inside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 ts-inet

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj_any-01

nat (inside,ts-inet) dynamic interface

Additional Information:

Dynamic translate 192.168.1.2/12345 to 123.45.67.89/12345

Forward Flow based lookup yields rule:

in id=0xacbfcf90, priority=6, domain=nat, deny=false

hits=436869, user_data=0xacbfb9c0, cs_id=0x0, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=inside, output_ifc=ts-inet

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xade28538, priority=1, domain=nat-per-session, deny=true

hits=4006169, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xacec54f0, priority=0, domain=inspect-ip-options, deny=true

hits=5013604, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=inside, output_ifc=any

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xade28538, priority=1, domain=nat-per-session, deny=true

hits=4006171, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xacdf8498, priority=0, domain=inspect-ip-options, deny=true

hits=2507875, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=ts-inet, output_ifc=any

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 7467808, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: ts-inet

output-status: up

output-line-status: up

Action: allow

As per the packet tracer

Marius Gunnerud — Thu, 05 Jun 2014 13:25:31 GMT

As per the packet tracer traffic should be allowed through the ASA to that IP...This could be DNS resolution issue. Have you confirmed that the URL resolves to the correct IP?

Please rememebr to select a correct answer and rate helpful posts

The packet trace goes well ..

Daniel Leonard — Thu, 05 Jun 2014 13:26:58 GMT

The packet trace goes well ... it's strange that a different interface blocks the traffic to that website (see the previously posted picture).

yes, the right IP is the one

Daniel Leonard — Thu, 05 Jun 2014 13:39:52 GMT

yes, the right IP is the one you can see in the attached picture... Resolving looks good.

Are you sure there is no

Marius Gunnerud — Thu, 05 Jun 2014 13:43:43 GMT

Are you sure there is no backdoor into the ts-data network? Without knowing the in's and out's of your network, could there be a routing issue that is sending that traffic to the ts-data interface?

Please rememebr to select a correct answer and rate helpful posts

yes I'm sure of it...

Daniel Leonard — Thu, 05 Jun 2014 13:52:51 GMT

yes I'm sure of it...

I suggest opening a support

Marius Gunnerud — Thu, 05 Jun 2014 14:48:56 GMT

I suggest opening a support case with TAC.

Please rememebr to select a correct answer and rate helpful posts

I'd suggest trying a packet

Marvin Rhoads — Thu, 05 Jun 2014 14:55:22 GMT

I'd suggest trying a packet capture to show the outbound traffic going into and leaving the ASA and watching for any return traffic.

Please refer to this Step-By-Step Procedure to Configure Packet Capture in ASA/PIX using CLI and run the following while trying to access the website from 192.168.1.51:

access-list asdm_cap_selector_inside extended permit ip host 192.168.1.51 host 217.119.236.139 access-list asdm_cap_selector_inside extended permit ip host 217.119.236.139 host 192.168.1.51 access-list asdm_cap_selector_outside extended permit ip host 217.119.236.139 host 192.168.1.51 access-list asdm_cap_selector_outside extended permit ip host 192.168.1.51 host 217.119.236.139

capture capin interface inside access-list asdm_cap_selector_inside capture capout interface outside access-list asdm_cap_selector_outside

show capture capin show capture capout

That should definitively show whether the ASA is operating as intended.

Hi Marvin! This is the result

Daniel Leonard — Thu, 05 Jun 2014 15:17:13 GMT

Hi Marvin!

This is the result:

RSB-W-ASA# sh cap capin

12 packets captured

1: 16:19:53.285660 802.1Q vlan#99 P0 192.168.1.63.62575 > 217.119.236.139.80: S 2890204037:2890204037(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2: 16:19:53.289429 802.1Q vlan#99 P0 192.168.1.63.62576 > 217.119.236.139.80: S 3819549090:3819549090(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
3: 16:19:53.301253 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62575: R 59869520:59869520(0) ack 2890204038 win 8192
4: 16:19:53.304809 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62576: R 1539803214:1539803214(0) ack 3819549091 win 8192
5: 16:19:53.796620 802.1Q vlan#99 P0 192.168.1.63.62575 > 217.119.236.139.80: S 2890204037:2890204037(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
6: 16:19:53.796925 802.1Q vlan#99 P0 192.168.1.63.62576 > 217.119.236.139.80: S 3819549090:3819549090(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
7: 16:19:53.804813 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62576: R 1133326952:1133326952(0) ack 3819549091 win 8192
8: 16:19:53.804890 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62575: R 555211610:555211610(0) ack 2890204038 win 8192
9: 16:19:54.296768 802.1Q vlan#99 P0 192.168.1.63.62575 > 217.119.236.139.80: S 2890204037:2890204037(0) win 8192 <mss 1460,nop,nop,sackOK>
10: 16:19:54.297195 802.1Q vlan#99 P0 192.168.1.63.62576 > 217.119.236.139.80: S 3819549090:3819549090(0) win 8192 <mss 1460,nop,nop,sackOK>
11: 16:19:54.334775 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62575: R 786977574:786977574(0) ack 2890204038 win 8192
12: 16:19:54.334867 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62576: R 1027018004:1027018004(0) ack 3819549091 win 8192
12 packets shown
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA# sh cap capout

0 packet captured

0 packet shown
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA#

I've used this captures:

RSB-W-ASA# show capture
capture capin type raw-data access-list asdm_cap_selector_inside interface inside [Capturing - 952 bytes]
capture capout type raw-data access-list asdm_cap_selector_outside interface ts-inet [Capturing - 0 bytes]
RSB-W-ASA#

hmm, I'm not sure what's

Marvin Rhoads — Thu, 05 Jun 2014 15:41:05 GMT

hmm, I'm not sure what's going on with capout but capin shows the return traffic from the web site headed back to the client PC

If you do the same capture

Marius Gunnerud — Fri, 06 Jun 2014 07:10:16 GMT

If you do the same capture but instead put the capout on the ts-data interface....

Please rememebr to select a correct answer and rate helpful posts

Hi,Here's the output. Is

Daniel Leonard — Fri, 06 Jun 2014 13:02:25 GMT

Hi,

Here's the output. Is looks like the ASA doesn't route the traffic through the ts-inet.. but why..

RSB-W-ASA# sh capture
capture capin type raw-data access-list asdm_cap_selector_inside interface inside [Capturing - 0 bytes]
capture capout type raw-data access-list asdm_cap_selector_outside interface ts-inet [Capturing - 0 bytes]
capture captsdata type raw-data access-list asdm_cap_selector_tsdata interface ts-data [Capturing - 0 bytes]
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA# sh capture
capture capin type raw-data access-list asdm_cap_selector_inside interface inside [Capturing - 952 bytes]
capture capout type raw-data access-list asdm_cap_selector_outside interface ts-inet [Capturing - 0 bytes]
capture captsdata type raw-data access-list asdm_cap_selector_tsdata interface ts-data [Capturing - 0 bytes]
RSB-W-ASA#
RSB-W-ASA#
RSB-W-ASA# sh cap capin

12 packets captured

1: 14:06:57.274216 802.1Q vlan#99 P0 192.168.1.62.62520 > 217.119.236.139.80: S 2656530156:2656530156(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2: 14:06:57.274567 802.1Q vlan#99 P0 192.168.1.62.62521 > 217.119.236.139.80: S 3302571231:3302571231(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
3: 14:06:57.280792 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62520: R 907382114:907382114(0) ack 2656530157 win 8192
4: 14:06:57.281143 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62521: R 902039472:902039472(0) ack 3302571232 win 8192
5: 14:06:57.779714 802.1Q vlan#99 P0 192.168.1.62.62521 > 217.119.236.139.80: S 3302571231:3302571231(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
6: 14:06:57.780004 802.1Q vlan#99 P0 192.168.1.62.62520 > 217.119.236.139.80: S 2656530156:2656530156(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
7: 14:06:57.786244 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62521: R 188947886:188947886(0) ack 3302571232 win 8192
8: 14:06:57.786488 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62520: R 1985605340:1985605340(0) ack 2656530157 win 8192
9: 14:06:58.273942 802.1Q vlan#99 P0 192.168.1.62.62521 > 217.119.236.139.80: S 3302571231:3302571231(0) win 8192 <mss 1460,nop,nop,sackOK>
10: 14:06:58.274262 802.1Q vlan#99 P0 192.168.1.62.62520 > 217.119.236.139.80: S 2656530156:2656530156(0) win 8192 <mss 1460,nop,nop,sackOK>
11: 14:06:58.280609 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62521: R 1470588602:1470588602(0) ack 3302571232 win 8192
12: 14:06:58.280792 802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62520: R 1896160456:1896160456(0) ack 2656530157 win 8192
12 packets shown
RSB-W-ASA#
RSB-W-ASA# sh cap capout

0 packet captured

0 packet shown

RSB-W-ASA# sh cap captsdata

0 packet captured

0 packet shown
RSB-W-ASA#

It seems that all public IP

Daniel Leonard — Fri, 06 Jun 2014 13:38:56 GMT

It seems that all public IP addresses that start with 217.119.x.x give problems. IP addresses starting with 217.118.x.x or 217.120 give no problems..