https://community.cisco.com/t5/network-security/problem-with-certain-websites-redirecting-traffic-and-coming/m-p/1700204#M558097 <HTML><HEAD></HEAD><BODY><P>What is the error message number? Is it <SPAN class="pEM_ErrMsg">%ASA-6-106015? If so </SPAN><SPAN class="content"></SPAN>this guide may offer some help:</P><P><A href="https://community.cisco.com/docs/DOC-14491">https://supportforums.cisco.com/docs/DOC-14491</A></P><P></P><P>Potentially you could enable TCP bypass, however this&nbsp; will also disable all TCP-based security checks and application inspection.</P></BODY></HTML> Mon, 11 Apr 2011 12:50:28 GMT sean_evershed 2011-04-11T12:50:28Z https://community.cisco.com/t5/network-security/problem-with-certain-websites-redirecting-traffic-and-coming/m-p/1700203#M558088 <P>Let me quickly explain our setup, we are running a cisco ASA 5510.&nbsp; We have 2 linux proxy servers in the DMZ. Both Proxy servers have static NAT on the firewall.</P><P></P><P>50% of websites we go to through the firewall have no problems. The other 50% times out, we have found that this happens mostly to websites that are web 2.0 (like facebook) and redirect their traffic to other websites. We then decided to test using wget on the linux boxes. This bypasses the proxy component and is a simple download tool for linux. The same thing applies where direct connections to files work fine but redirection breaks.</P><P></P><P><SPAN>WSG01-EXT is the proxy server. WSG01-PUBLIC-BROWSING is the outside NAT. Here I am trying to download a file.&nbsp; </SPAN><A class="jive-link-external-small" href="http://download.winzip.com/winzip150.exe" target="_blank">http://download.winzip.com/winzip150.exe</A><SPAN> . The ip address I am connecting to and the ip address that responds is not the same one and it makes sense that the firewall blocks it as it sent no syn to that address, but how do i get around this?</SPAN></P><P></P><P>Here are some relavant firewall logs.</P><P></P><P>WSG01-EXT&nbsp;&nbsp;&nbsp; 39701&nbsp;&nbsp;&nbsp; 92.123.154.73&nbsp;&nbsp;&nbsp; 80&nbsp;&nbsp;&nbsp; Built outbound TCP connection 201329 for outside:92.123.154.73/80 (92.123.154.73/80) to DMZ-VLAN-15:WSG01-EXT/39701 (WSG01-PUBLIC-BROWSING/39701)</P><P></P><P>165.165.47.11&nbsp;&nbsp;&nbsp; 80&nbsp;&nbsp;&nbsp; WSG01-PUBLIC-BROWSING&nbsp;&nbsp;&nbsp; 30737&nbsp;&nbsp;&nbsp; Deny TCP (no connection) from 165.165.47.11/80 to WSG01-PUBLIC-BROWSING/30737 flags SYN ACK&nbsp; on interface outside</P><P></P><P>Thanks in advance for all the replies and let me know if you need more information. I really hope this is just some kind of checkbox somewhere that I am missing.</P><P></P><P>S</P> Mon, 11 Mar 2019 20:19:34 GMT https://community.cisco.com/t5/network-security/problem-with-certain-websites-redirecting-traffic-and-coming/m-p/1700203#M558088 ssteenkamp 2019-03-11T20:19:34Z https://community.cisco.com/t5/network-security/problem-with-certain-websites-redirecting-traffic-and-coming/m-p/1700204#M558097 <HTML><HEAD></HEAD><BODY><P>What is the error message number? Is it <SPAN class="pEM_ErrMsg">%ASA-6-106015? If so </SPAN><SPAN class="content"></SPAN>this guide may offer some help:</P><P><A href="https://community.cisco.com/docs/DOC-14491">https://supportforums.cisco.com/docs/DOC-14491</A></P><P></P><P>Potentially you could enable TCP bypass, however this&nbsp; will also disable all TCP-based security checks and application inspection.</P></BODY></HTML> Mon, 11 Apr 2011 12:50:28 GMT https://community.cisco.com/t5/network-security/problem-with-certain-websites-redirecting-traffic-and-coming/m-p/1700204#M558097 sean_evershed 2011-04-11T12:50:28Z