topic ASA drops HTTP packets in Network Security

ASA drops HTTP packets

cisco — Tue, 12 Mar 2019 01:14:21 GMT

Hi All,

maybe I am overlooking a simple step, but here's the following:

My config:

Windows 7 host

MS Loopback Adapter with ICS

GNS3

ASA 8.42 with ASDM 6.4

Vmware Workstation 7 with Windows XP SP3 vm

All are working like a charm, from my virtual XP machine I can ping every site, e.g. www.google.com which replies nice with it's ip-address.

However, I cannot reach ANY website

When I connect through a Cisco 3700 router the webbrowser works perfect, so it must be something in the ASA configuration (I presume )

I've tried about all possible Access Rules, but still nothing.

Please help

Regards,

Jan

p.s. see attached result from Packet tracer. (source is my virtual xp machine, destination is google.com's ip-address)

ASA drops HTTP packets

julomban — Thu, 14 Mar 2013 20:16:53 GMT

Hello Jan,

Could you please share the "show run" output from your ASA?

Regards,

Juan Lombana

ASA drops HTTP packets

Andrew Phirsov — Thu, 14 Mar 2013 20:21:36 GMT

On your screenshot i see the outside interface as a source. So you're trying to trace from outside to outside. What for? Or, if you're doing it on purpose (i don't know how and why) you have to add same security traffic permit intra-interface.

ASA drops HTTP packets

cisco — Thu, 14 Mar 2013 20:26:38 GMT

Sure

It is still very basic btw:

ASA Version 8.4(2) 
!
hostname ciscoasa
enable password ******************** encrypted
passwd ***************** encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.137.2 255.255.255.0 
!
interface GigabitEthernet1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 nameif inside
 security-level 100
 ip address 10.10.0.254 255.255.255.0 
!
boot config disk0:/startup-config
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.2.254
object network host
 host 192.168.2.3
object network loopback
 host 192.168.137.1
object network gateway
 host 192.168.2.254
object network lan
 subnet 192.168.2.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any any eq www 
access-list web standard permit any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.137.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ************ encrypted privilege 15
!
!
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum: ******************
: end
asdm image disk0:/asdm-641.bin
no asdm history enable

Thanks in advance for looking at my issue.

Re: ASA drops HTTP packets

cisco — Thu, 14 Mar 2013 20:33:07 GMT

no, not on purpose, but my source is coming in from the inside interface (10.10.0.100, which is my virtual XP)?

I'm kinda noob on routing/firewalling as you have might expected

when I do a trace from Inside to Outside all traffic seems to be forwarded, but from within my IE in XP no response.

ASA drops HTTP packets

julomban — Thu, 14 Mar 2013 20:38:01 GMT

Jan,

Please include the global inspection which includes DNS, you can try the following command:

clear config fixup

NOTE: you can use the "Command line interface" option under tools on the ASDM.

Make sure your DNS settings are fine, for testing purpose you can use 4.2.2.2 as the primary DNS server.

Regards,

Juan Lombana

Re: ASA drops HTTP packets

cisco — Thu, 14 Mar 2013 21:27:46 GMT

Juan,

the command you supplied gave no response. Changing my DNS in my Windows XP client gave the same result as my normal server.

I can ping all, but no response in my browser.

ASA drops HTTP packets

julomban — Thu, 14 Mar 2013 21:34:02 GMT

Jan,

The fact that you can ping it means that you have Internet access, the problem is related to port HTTP or DNS.

What is the default gateway on your Wondows XP?

Regards,

Juan Lombana

ASA drops HTTP packets

jocamare — Thu, 14 Mar 2013 23:17:39 GMT

The problem might not be related to DNS since you can ping google using its name not the IP address.

Make sure to have the inspection for HTTP traffic on the ASA. Also try to telnet to google on port 80 and see what happens.

Have logs from the firewall?

Re: ASA drops HTTP packets

Julio Carvajal — Fri, 15 Mar 2013 04:13:09 GMT

Hello Jan,

Hope you are doing fine man..

So basically you are using GNS3 to test this .. GNS rocks man ( I have to agree on that ) but something things just done work as they should ( I was doing a lab today and everything was set as it should, interfaces up, Right IP address/Subnet masks,etc.. and after doing some troubleshooting they could not even ping each other and they were directly connected, so I reload the devices and started to work... So be careful here as this is a virtual enviroment.

I would recommend you :

1) Save the configuration to memory ( If you do not how to do it on GNS3) Then copy and past it into a notepad and then put it back when the device boots again

2) Try one more time.

As you said this is a basic connectivity problems and I can ensure you that the configuration is good,

No need to have HTTP inspection on as the ASA is TCP stateful by default.. You should use HTTP inspection when you want to add a layer 7 deep packet inspection or at least check on the logs of the ASA what urls are being used by your internal users . Cool...

Last but not least if this does not work as it should...

Then it's time for captures

capture capin interface inside match tcp host x.x.x.x( Host source IP) host y.y.y.y (Web-server Ip address) eq 80

capture capout interface outside match tcp host z.z.z.z( Outside Nat IP) host y.y.y.y ( Webserver IP address) eq 80

Then try to connect once and share

Show cap capin

Show cap capout

Remember to rate all of the helpful posts

Julio carvajal segura

Re: ASA drops HTTP packets

cisco — Fri, 15 Mar 2013 08:29:30 GMT

Hi Juan,

my default gateway is 10.10.0.254, but that's the good one, I would not be able to ping any site through its name.

My host Windows 7 has 192.168.2.3, my real router has 192.168.2.254, loopback has 192.168.137.1 (because of ICS).

I can ping all of them.

Regards,

Jan

Re: ASA drops HTTP packets

cisco — Fri, 15 Mar 2013 08:44:15 GMT

Hello Julio,

I'm great thanks and you?

Here's the output from the capin:

ciscoasa# show cap capin

11 packets captured

1: 09:37:56.395884 10.10.0.100.1353 > 74.125.132.94.80: S 416575389:416575389(0) win 65535

2: 09:37:56.422204 10.10.0.100.1353 > 74.125.132.94.80: R 1211360216:1211360216(0) win 0

3: 09:37:56.898055 10.10.0.100.1353 > 74.125.132.94.80: R 1211360216:1211360216(0) win 0

4: 09:37:57.423363 10.10.0.100.1353 > 74.125.132.94.80: R 1211360216:1211360216(0) win 0

5: 09:37:58.649426 10.10.0.100.1353 > 74.125.132.94.80: R 1211360216:1211360216(0) win 0

6: 09:37:59.491292 10.10.0.100.1353 > 74.125.132.94.80: S 416575389:416575389(0) win 65535

7: 09:37:59.503727 10.10.0.100.1353 > 74.125.132.94.80: R 1211360216:1211360216(0) win 0

8: 09:38:01.156623 10.10.0.100.1353 > 74.125.132.94.80: R 1211360216:1211360216(0) win 0

9: 09:38:05.386332 10.10.0.100.1353 > 74.125.132.94.80: S 416575389:416575389(0) win 65535

10: 09:38:05.398966 10.10.0.100.1353 > 74.125.132.94.80: R 1211360216:1211360216(0) win 0

11: 09:38:05.843996 10.10.0.100.1353 > 74.125.132.94.80: R 1211360216:1211360216(0) win 0

11 packets shown

Which is my Outise NAT? Seen from the ASA, so 192.168.137.2?

Or my real router? 192.168.2.254

Regards,

Jan

Re: ASA drops HTTP packets

cisco — Fri, 15 Mar 2013 08:56:11 GMT

Hi jocamare,

Telnet www.google.nl (or 74.125.132.94) gives nothing. Even from my real host ?!

btw I tried this with Firewalls disabled on my real host and XP vm.

Jan

Re: ASA drops HTTP packets

Julio Carvajal — Fri, 15 Mar 2013 19:11:53 GMT

Hello Jan,

As you are not running NAT it would be the same IP address 10.10.0.100,

So create the 2 captures using the same syntax, just a different interface

Regards,

Julio Carvajal