topic Re: To check if url is allowed by ASA in Network Security

To check if url is allowed by ASA

mahesh18 — Tue, 12 Mar 2019 00:57:34 GMT

Hi everyone,

I am trying to download drivers from HP website for a printer.

Traffic goes via ASA to the Internet.

I need to rule out if ASA is blocking or not.

Here is what i did

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=3644759&prodTypeId=18972&prodSeriesId=3644758&swLang=8&taskId=135&swEnvOID=4063#78266

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDownloadEventHandler.jsp?redirectReason=SWD_FTP_Request&swItem=ds-99376-4&prodSeriesId=3644758&prodLine=6A&targetPage=ftp%3A%2F%2Fftp.hp.com%2Fpub%2Fsoftlib%2Fsoftware12%2FCOL40842%2Fds-99376-4/upd-ps-x64-5.6.0.14430.exe&filesize=18802560

On first url when you click on download then 2^nd url shows internet explorer can not display the page.

IS ASA blocking something?

thanks

mahesh

Re: To check if url is allowed by ASA

Jouni Forss — Thu, 07 Feb 2013 18:55:54 GMT

Hi,

The second link atleast works for me and starts a file download.

I would open ASDM and go to the Monitor/Logging section and open the log window. I would then enter the LAN host IP address you are using to access the site to the section that applies the filter for the logging.

Then I would click the link to download the file and watch the ASA logs what happens to the connections from your host.

It tries to download the file with FTP. Have you allowed FTP connections from the host to the Internet?

- Jouni

To check if url is allowed by ASA

mahesh18 — Thu, 07 Feb 2013 20:31:41 GMT

Hi,

I put lan host IP on filter by then i see nothing in fw logs

its blank empty page.

thanks

MAhesh

To check if url is allowed by ASA

Jouni Forss — Thu, 07 Feb 2013 20:39:27 GMT

Hi,

You should see the connection logs IF

If the connection is coming all the way to the ASA
If there is nothing blocking the traffic in between the user and the ASA
You have set the ASDM logging level to atleast "informational"
- logging asdm informational
You have not disabled some logging messages
- You should get a list of the disabled log messages with the "show run logging" command on the CLI of the AS

I guess the most certain way to see whats going through the ASA would be to configure a capture on the ASA but this might be a bit more time consuming.

I have witnessed the ASDM side logging sometimes showing the connection logs very very late compared to the time when you actually test some connection.

Also naturally if you want to make sure that the ASA is not blocking any connection for the host you can temporarily insert a rule on the interface ACL behind which the host is. Inserting a rule one the "line 1" which permits all traffic from that host would make sure that nothing gets blocked.

But all in all, you should really see something in the logs if the connection is coming through the ASA

- Jouni

To check if url is allowed by ASA

mahesh18 — Thu, 07 Feb 2013 22:30:36 GMT

Hi Jouni,

I was able to find out by packet tracer that FTP is not allowed.

My PC IP is say 172.31.x.x

I ran the packet tracer choosing my source IP as PC IP and source interface as say Network

Packet tracer showed me in animation

Network ACL lookup flwo lookup route lookup ACL lookup is all right but on outside it shows red x.

Under phase

Access list and Result had X mark.

under ACL config

it showed

access-group Network_01 in interface Network

access-list Network_01 extended deny tcp 172.16.0.0 x.x.x.x any eq ftp log

so does this ACL means that drop FTP traffic as it enters the Inside interface of ASA?

Second this to know is that MY PC IP 172.31 and ASA ACL that shows deny IP subnet 172.16 they both are in different subnets and still ACL is blocking the FTP?

Can you please explain me how this ACL is working?

Thanks

mahesh

To check if url is allowed by ASA

Jouni Forss — Thu, 07 Feb 2013 22:44:29 GMT

It would seem that the ACL is possibly blocking the FTP traffic

You say the networks are different but you didnt include the network mask thats in the ACL. What is the network mask x.x.x.x?

Notice that if the mask is /12 or 255.240.0.0

Then it would mean the whole private IP address range of 172.16.0.0 - 172.31.255.255

Therefore it would actually block the connections even from host 172.31.x.x as you can see

If you enter the configuration

access-list Network_01 line 1 permit tcp host 172.31.x.x any eq ftp

Then it will enter the rule to the top of the ACL. Therefore it will be the first rule matched when traffic enters that firewall interface. And it will therefore allow the FTP connection.

You could try adding that line and testing the connection again.

- Jouni

Re: To check if url is allowed by ASA

mahesh18 — Thu, 07 Feb 2013 22:59:09 GMT

Hi Jouni,

Mask is 255.240.0.0 .You are right so it will block whole subnet from 172.16 to 172.31.0.0.

you are very good in firewalls.

Unfortunately i can not config any changes on ASA to test the ACL.

Many thanks for helping me out .

Best regards

Mahesh