topic Unable to access website in Network Security

Unable to access website

mahesh18 — Tue, 12 Mar 2019 02:25:24 GMT

Hi Everyone,

I am trying to access url below here are fw logs from home ASA

Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1360 to outside:192.168.71.2/1360

Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17717 for outside:140.98.193.112/80 (140.98.193.112/80) to DMZ:192.168.70.3/1360 (192.168.71.2/1360)

Aug 13 2013 20:18:41: %ASA-5-304001: 192.168.70.3 Accessed URL 140.98.193.112:http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=01162058&url=http%3A%2F%2Fieeexplore.ieee.org%2Fstamp%2Fstamp.jsp%3Farnumber%3D01162058

Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1361 to outside:192.168.71.2/1361

Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17718 for outside:140.98.193.169/80 (140.98.193.169/80) to DMZ:192.168.70.3/1361 (192.168.71.2/1361)

Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1362 to outside:192.168.71.2/1362

Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17719 for outside:208.92.236.82/80 (208.92.236.82/80) to DMZ:192.168.70.3/1362 (192.168.71.2/1362)

Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1363 to outside:192.168.71.2/1363

Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17720 for outside:140.98.193.169/80 (140.98.193.169/80) to DMZ:192.168.70.3/1363 (192.168.71.2/1363)

Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1364 to outside:192.168.71.2/1364

Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17721 for outside:140.98.193.112/443 (140.98.193.112/443) to DMZ:192.168.70.3/1364 (192.168.71.2/1364)

Aug 13 2013 20:18:41: %ASA-6-302014: Teardown TCP connection 17719 for outside:208.92.236.82/80 to DMZ:192.168.70.3/1362 duration 0:00:00 bytes 1421 TCP FINs

Aug 13 2013 20:18:41: %ASA-6-305012: Teardown dynamic TCP translation from DMZ:192.168.70.3/1362 to outside:192.168.71.2/1362 duration 0:00:00

Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1365 to outside:192.168.71.2/1365

Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17722 for outside:140.98.193.112/443 (140.98.193.112/443) to DMZ:192.168.70.3/1365 (192.168.71.2/1365)

Aug 13 2013 20:18:47: %ASA-6-302014: Teardown TCP connection 17722 for outside:140.98.193.112/443 to DMZ:192.168.70.3/1365 duration 0:00:05 bytes 415 TCP FINs

Aug 13 2013 20:18:47: %ASA-6-305012: Teardown dynamic TCP translation from DMZ:192.168.70.3/1365 to outside:192.168.71.2/1365 duration 0:00:05

Aug 13 2013 20:18:47: %ASA-6-302014: Teardown TCP connection 17720 for outside:140.98.193.169/80 to DMZ:192.168.70.3/1363 duration 0:00:05 bytes 0 TCP FINs

Aug 13 2013 20:18:47: %ASA-6-305012: Teardown dynamic TCP translation from DMZ:192.168.70.3/1363 to outside:192.168.71.2/1363 duration 0:00:05

Where 192.168.70.3 is my pc ip.

Seems to confirm here that above logs tell the issue with specfic url of the website?

Regards

MAhesh

Unable to access website

Julio Carvajal — Wed, 14 Aug 2013 03:29:48 GMT

Hello Mahesh,

It shows that the session was gracefully shutdown or closed via TCP FIN packets.

If you do a capture asp you should not see any packet..

Teardown TCP connection 17719 for outside:208.92.236.82/80 to DMZ:192.168.70.3/1362 duration 0:00:00 bytes 1421 TCP FINs

Looks like the FIN packets are being innitiated from the Server side (Way to confirm it is via Packet-Captures my friend)

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Unable to access website

mahesh18 — Wed, 14 Aug 2013 04:35:02 GMT

Hi Julio,

I will do the packet capture and keep you posted.

Regards

MAhesh

Unable to access website

Julio Carvajal — Wed, 14 Aug 2013 04:36:33 GMT

Hello Mahesh,

Be my guest,

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Unable to access website

mahesh18 — Thu, 15 Aug 2013 02:12:50 GMT

Hi Julio,

I have attached the packet capture under the first.

LEt me know which things to look for?

PC IP 192.168.70.2

Natted IP 192.168.71.82

Regards

Mahesh

Unable to access website

Julio Carvajal — Thu, 15 Aug 2013 03:55:12 GMT

Hello Mahesh,

I refered to the captures on pcap format

But here is the interesting fact based on that capture: On packet 135 we can see the server gracefully closing the connection with a FIN packet.

140.98.193.112.80 > 192.168.71.82.2434: F

That happen after a lot of packets exchanged between those 2 hosts

Can you do

cap asp type asp-drop all circular-buffer

Then attempt to connect and finally provide us the following output

show cap asp | include 140.98.193.112

This will let us know if the ASA is dropping any packets but I honestly do no think so

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Unable to access website

mahesh18 — Thu, 15 Aug 2013 04:40:54 GMT

Hi Julio,

I try that command output is blank

ciscoasa# show cap asp | include 140.98.193.112

What does above command do ?

Regards

MAhesh

Unable to access website

Julio Carvajal — Thu, 15 Aug 2013 05:22:13 GMT

Hello,

Any capture that is type asp-drop will basically show the packets being dropped by the ASA.

In this case we can see that the ASA is not the one dropping the traffic so there is some reason out of the scope of the ASA (On the server side) that is causing the server to close gracefully the connection with a FIN packet.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Unable to access website

mahesh18 — Fri, 16 Aug 2013 00:41:20 GMT

Thanks Julio for help.

Best Regards