topic Re: Can't connect to Webserver using Port 3001 (Teardown TCP...R in Network Security

Can't connect to Webserver using Port 3001 (Teardown TCP...Reset-I Duriation 00:00)

deezturner1 — Mon, 11 Mar 2019 20:10:27 GMT

Ok so I have a weird issues. We us a county facility as our ISP so to speak. Basically our WAN Router is connected over OPT-MAN to this facility. We have ACL's opened on the ASA to allow all traffic inbound/outbound to this facility. Everything works great accept they have rolled out a new application that is web-based. There are several modules to this application. All work except the model that communicates over port 3001. The IP address that our site needs to get to over port 3001 is 10.94.1.109. I can telnet to that port however if the site is access via the https web address (it then launches a terminal session that runs a script to connet to telnet//10.94.1.109:3001 I get a popup window saying "Could Not Connect to Host". I can ping, tracert and resolve successfully via DNS to this address. What am I missing? I've attached the sanitized ASA Config:

(Critical Side Note: I was able to successfully bypass my ASA and directly connect to the site via public IP with no error so it really seems as if the config of the ASA is no resetting the connection)

ASA Version 8.0(2)

hostname ACME-Perimeter

domain-name acme.acre.ca.us

names

name 10.94.1.109 InterWeb description Web network OPP

dns-guard

interface GigabitEthernet0/0

speed 1000

duplex full

nameif Outside

security-level 0

ip address X.X.X.X.25 255.255.255.0

ospf cost 10

interface GigabitEthernet0/1

speed 1000

duplex full

nameif Inside

security-level 100

ip address 192.168.100.139 255.255.255.0

ospf cost 10

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 172.16.1.1 255.255.255.0

ospf cost 10

management-only

passwd 2KFQnbNIdI.2KYOU encrypted

boot system disk0:/asa802-k8.bin

ftp mode passive

dns domain-lookup Outside

dns domain-lookup Inside

dns server-group DefaultDNS

name-server 192.168.100.6

name-server 192.168.100.3

domain-name acme.acre.ca.us

same-security-traffic permit intra-interface

object-group network ACME

network-object 192.168.31.0 255.255.255.0

network-object 192.168.32.0 255.255.255.0

network-object 192.168.35.0 255.255.255.0

network-object 192.168.36.0 255.255.255.0

network-object 192.168.37.0 255.255.255.0

network-object 192.168.38.0 255.255.255.0

network-object 192.168.40.0 255.255.255.0

network-object 192.168.41.0 255.255.255.0

network-object 192.168.42.0 255.255.255.0

network-object 10.16.0.0 255.255.0.0

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list Inside_nat_outbound extended permit ip object-group ACME any

access-list Outside_access_in extended permit icmp any any

access-list Outside_access_in extended permit tcp any host X.X.X.X.21 eq smtp

access-list Outside_access_in extended permit tcp any host X.X.X.X.21 eq www

access-list Outside_access_in extended permit tcp any host X.X.X.X.26 eq https

access-list Outside_access_in extended permit tcp any host X.X.X.X.26 eq www

access-list Outside_access_in extended permit tcp any host X.X.X.X.26 object-group Subfinder

access-list Outside_access_in extended permit ip host 10.94.1.10 any

access-list Outside_access_in extended permit udp host 10.94.1.10 any eq snmptrap

access-list Outside_access_in extended permit tcp any host X.X.X.X.200 object-group RDP

access-list Outside_access_in extended permit tcp any host X.X.X.X.23 eq https

access-list Outside_access_in extended permit tcp any host X.X.X.X.21 eq https

access-list Outside_access_in extended permit tcp any any object-group Barracuda

access-list Outside_access_in extended permit tcp any host X.X.X.X.131 eq https

access-list Outside_access_in remark For Lenette

access-list Outside_access_in extended permit tcp any host X.X.X.X.201 object-group RDP

access-list Outside_access_in extended permit tcp host InterWeb any eq 3001

access-list Outside_access_in extended permit ip host InterWeb any

access-list INTERNET extended permit tcp host 192.168.100.201 any eq www

access-list INTERNET extended permit tcp host 192.168.100.201 any eq https

access-list INTERNET extended permit tcp host 192.168.100.202 any eq https

access-list INTERNET extended permit tcp host 192.168.100.202 any eq www

access-list INTERNET extended permit tcp host 192.168.100.211 any eq https

access-list INTERNET extended permit tcp host 192.168.100.211 any eq www

access-list ACSTACACS extended permit tcp any any eq www

access-list ACSTACACS extended permit tcp any any eq https

access-list Inside_access_in extended permit ip any any

access-list cap extended permit tcp any host X.X.X.X.21 eq smtp

access-list cap extended permit tcp any host X.X.X.X.21 eq www

access-list global_mpc extended permit ip 10.94.0.0 255.255.0.0 any

access-list global_mpc extended permit ip any 10.94.0.0 255.255.0.0

access-list Inside_nat0_outbound extended permit ip 10.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0

access-list acme_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0

access-list acme_splitTunnelAcl standard permit 10.16.0.0 255.255.0.0

access-list inside_out extended deny tcp any host 94.100.25.138 eq 4723

access-list inside_out extended permit ip any any

tcp-map OPP-map

no ttl-evasion-protection

urgent-flag allow

pager lines 24

logging enable

logging monitor debugging

logging history emergencies

logging asdm informational

logging mail emergencies

logging from-address asa@acme.acre.ca.us

logging recipient-address Helen@acme.acre.ca.us level errors

logging host Inside 192.168.100.79

mtu Outside 1500

mtu Inside 1500

mtu management 1500

ip local pool VPN_Users 192.168.200.1-192.168.200.15 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Outside

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 1 interface

global (Outside) 2 X.X.X.X.21

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 2 10.16.2.135 255.255.255.255

nat (Inside) 2 192.168.100.20 255.255.255.255

nat (Inside) 1 0.0.0.0 0.0.0.0

static (Inside,Outside) tcp X.X.X.X.21 www 10.16.2.135 www netmask 255.255.255.255

static (Inside,Outside) tcp X.X.X.X.21 smtp 192.168.100.20 smtp netmask 255.255.255.255

static (Inside,Outside) tcp X.X.X.X.21 https 10.16.2.135 https netmask 255.255.255.255

static (Inside,Outside) X.X.X.X.26 192.168.100.4 netmask 255.255.255.255

static (Inside,Outside) 192.168.100.1 192.168.100.1 netmask 255.255.255.255

static (Inside,Outside) 192.168.31.1 192.168.31.1 netmask 255.255.255.255

static (Inside,Outside) 192.168.32.1 192.168.32.1 netmask 255.255.255.255

static (Inside,Outside) 192.168.35.1 192.168.35.1 netmask 255.255.255.255

static (Inside,Outside) 192.168.36.1 192.168.36.1 netmask 255.255.255.255

static (Inside,Outside) 192.168.37.1 192.168.37.1 netmask 255.255.255.255

static (Inside,Outside) 192.168.38.1 192.168.38.1 netmask 255.255.255.255

static (Inside,Outside) 192.168.40.1 192.168.40.1 netmask 255.255.255.255

static (Inside,Outside) 192.168.41.1 192.168.41.1 netmask 255.255.255.255

static (Inside,Outside) 192.168.42.1 192.168.42.1 netmask 255.255.255.255

static (Inside,Outside) X.X.X.X.23 192.168.100.136 netmask 255.255.255.255

static (Inside,Outside) X.X.X.X.200 192.168.100.130 netmask 255.255.255.255

static (Inside,Outside) X.X.X.X.50 192.168.100.114 netmask 255.255.255.255

static (Inside,Outside) X.X.X.X.51 192.168.100.116 netmask 255.255.255.255

static (Inside,Outside) X.X.X.X.54 192.168.100.98 netmask 255.255.255.255

static (Inside,Outside) X.X.X.X.56 192.168.100.96 netmask 255.255.255.255

static (Inside,Outside) X.X.X.X.58 192.168.100.110 netmask 255.255.255.255

static (Inside,Outside) X.X.X.X.57 192.168.100.117 netmask 255.255.255.255

static (Inside,Outside) X.X.X.X.131 192.168.100.131 netmask 255.255.255.255

static (Inside,Outside) 10.16.100.6 10.16.100.6 netmask 255.255.255.255

static (Inside,Outside) 10.16.161.1 10.16.161.1 netmask 255.255.255.255

static (Inside,Outside) 10.16.141.1 10.16.141.1 netmask 255.255.255.255

static (Inside,Outside) 10.161.121.1 10.16.121.1 netmask 255.255.255.255

static (Inside,Outside) 10.16.111.1 10.16.111.1 netmask 255.255.255.255

static (Inside,Outside) 10.16.131.1 10.16.131.1 netmask 255.255.255.255

static (Inside,Outside) 10.16.151.1 10.16.151.1 netmask 255.255.255.255

static (Inside,Outside) 10.16.100.26 10.16.100.26 netmask 255.255.255.255

static (Inside,Outside) X.X.X.X.201 192.168.100.123 netmask 255.255.255.255

access-group Outside_access_in in interface Outside

access-group inside_out in interface Inside

route Outside 0.0.0.0 0.0.0.0 X.X.X.X.1 1

route Inside 10.16.0.0 255.255.0.0 192.168.100.1 1

route Inside 192.168.31.0 255.255.255.0 192.168.100.1 1

route Inside 192.168.32.0 255.255.255.0 192.168.100.1 1

route Inside 192.168.35.0 255.255.255.0 192.168.100.1 1

route Inside 192.168.36.0 255.255.255.0 192.168.100.1 1

route Inside 192.168.37.0 255.255.255.0 192.168.100.1 1

route Inside 192.168.38.0 255.255.255.0 192.168.100.1 1

route Inside 192.168.40.0 255.255.255.0 192.168.100.1 1

route Inside 192.168.41.0 255.255.255.0 192.168.100.1 1

route Inside 192.168.42.0 255.255.255.0 192.168.100.1 1

route Inside 192.168.200.0 255.255.255.0 192.168.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity

dynamic-access-policy-record DfltAccessPolicy

aaa-server ACS protocol radius

aaa-server ACS host 192.168.100.138

key acme12345

radius-common-pw acme12345

aaa-server ACSTACACS protocol tacacs+

aaa-server ACSTACACS host 192.168.100.138

key cisco

aaa-server RADIUS protocol radius

reactivation-mode depletion deadtime 15

aaa-server RADIUS host 192.168.100.6

timeout 15

key 3tech2

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Outside

http 192.168.1.0 255.255.255.0 management

http 10.10.10.0 255.255.255.0 Inside

http 192.168.100.0 255.255.255.0 Inside

http 10.16.0.0 255.255.0.0 Inside

http 192.168.200.0 255.255.255.0 Inside

snmp-server host Outside 10.94.1.10 community acmenet udp-port 161

snmp-server location Acmenet

snmp-server contact Helen B

snmp-server community acmenet

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 30

telnet 0.0.0.0 0.0.0.0 Inside

telnet 192.168.100.130 255.255.255.255 Inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 Outside

ssh 0.0.0.0 0.0.0.0 Inside

ssh timeout 5

console timeout 0

vpn load-balancing

interface lbpublic Inside

interface lbprivate Inside

threat-detection basic-threat

threat-detection statistics

class-map OPP-class

match access-list global_mpc

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 1500

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

class OPP-class

set connection random-sequence-number disable

set connection advanced-options OPP-map

service-policy global_policy global

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec webvpn

group-policy ODPD internal

group-policy ODPD attributes

vpn-tunnel-protocol IPSec

group-policy RSCIntegra internal

group-policy RSCIntegra attributes

dns-server value 192.168.100.6 192.168.100.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value acme_splitTunnelAcl

default-domain value acme.int

nac-settings none

address-pools value VPN_Users

group-policy Follett internal

group-policy Follett attributes

dns-server value 192.168.100.6 192.168.100.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value acme_splitTunnelAcl

default-domain value acme.int

nac-settings none

address-pools value VPN_Users

group-policy BayShore internal

group-policy BayShore attributes

dns-server value 192.168.100.6 192.168.100.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value acme_splitTunnelAcl

default-domain value acme.int

nac-settings none

address-pools value VPN_Users

group-policy SWN internal

group-policy SWN attributes

dns-server value 192.168.100.6 192.168.100.3

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value acme_splitTunnelAcl

default-domain value acme.int

nac-settings none

address-pools value VPN_Users

username dturner password OmVlu6frR/NxYsZs encrypted privilege 15

username dturner attributes

vpn-group-policy SWN

username niccisco password OB3G7r0gvwdHBR/. encrypted privilege 0

username niccisco attributes

vpn-group-policy ODPD

username acme password soM1flywE1.uIwqu encrypted privilege 15

username cisco password ffIRPGpDSOJh9YLq encrypted

username vlsadmin password /foy9lnUCfk/SlEL encrypted privilege 15

tunnel-group ODPD type remote-access

tunnel-group ODPD general-attributes

address-pool VPN_Users

default-group-policy ODPD

tunnel-group ODPD ipsec-attributes

pre-shared-key *

tunnel-group SWN type remote-access

tunnel-group SWN general-attributes

address-pool VPN_Users

default-group-policy SWN

tunnel-group SWN ipsec-attributes

pre-shared-key *

tunnel-group Jiollett type remote-access

tunnel-group Jiollettgeneral-attributes

address-pool VPN_Users

authentication-server-group RADIUS

default-group-policy Jiollett

authorization-required

tunnel-group Jiollett ipsec-attributes

pre-shared-key *

tunnel-group RSCIntegra type remote-access

tunnel-group RSCIntegra general-attributes

address-pool VPN_Users

authentication-server-group RADIUS

default-group-policy RSCIntegra

authorization-required

tunnel-group RSCIntegra ipsec-attributes

pre-shared-key *

tunnel-group BayShore type remote-access

tunnel-group BayShore general-attributes

address-pool VPN_Users

authentication-server-group RADIUS

default-group-policy BayShore

tunnel-group BayShore ipsec-attributes

pre-shared-key *

smtp-server 192.168.100.136

prompt hostname context

Cryptochecksum:829eb36496b5282683442e96bbb61360

: end

Re: Can't connect to Webserver using Port 3001 (Teardown TCP...R

Jennifer Halim — Tue, 22 Mar 2011 07:07:48 GMT

I can't see any static translation is configured for 10.94.1.109 nor any static route to point towards the 10.94.1.0 network.

Further to that, the following access-list is also incorrect:

access-list Outside_access_in extended permit tcp host InterWeb any eq 3001

access-list Outside_access_in extended permit ip host InterWeb any

If the connection is from the Internet (outside) towards inside, then it should be configured as follows:

access-list Outside_access_in extended permit tcp any host

Re: Can't connect to Webserver using Port 3001 (Teardown TCP...R

deezturner1 — Tue, 22 Mar 2011 07:56:57 GMT

Jennifer,

Thank you for your response. I agree with you on the acl statements and neglected to remove those after testing. I've removed the acl in question however I want to reiterate we are getting to all resouces on the 10.94.x.x networks just fine with the exception of that one webserver and port. Wouldn't I see "deny" in the syslog rather than "reset-i" if I was trully not able to get to that resource. Also, from a host behind our ASA I can run telnet 10.94.1.109 3001 and connect fine. Please make specific suggestions related to my config if you think otherwise.

Thanks again!

Dee

Re: Can't connect to Webserver using Port 3001 (Teardown TCP...R

Jennifer Halim — Tue, 22 Mar 2011 08:32:28 GMT

I totally can not see a reason how you can get connected to 10.94.1.109 from the Internet as I don't see that configuration at all

in your ASA unless the ip address is something else?

When you tested it from the inside, of course it will work because you do not need to configure any NATing.

When you tested it from the outside/internet, you will need to NAT it to a public IP address and open the necessary port before access works.

Please point me to the exact configuration on the ASA that says all the other ports works just fine from the outside for 10.94.x.x network because i fail to see how it is even possible. Unless you have another ASA that is supposed to be passing this traffic.

Re: Can't connect to Webserver using Port 3001 (Teardown TCP...R

deezturner1 — Tue, 22 Mar 2011 14:37:00 GMT

We are directly connected over "WAN" (router to router) to the facility over OPTMAN. All network resources are reachable end to end using private IPs. Ours - 10.16.x.x, there's 10.94.x.x. So just to reiterate if we launch the application i.e. http://webapplication.acme (resolves to 10.94.1.109) we are able to access this no problem. It is when a module (sub-application) is clicked that uses port 3001 that generates the connection or Reset-I issue. What could be causing this is my question. In my experience if I was not able to access the resource I would see a "Deny" in the Syslog. The fact that I'm able to connect to the FQDN/IP web application and telnet to that port seems like opposite evidence of a NAT issue, wouldn't you agree?

Dee

Re: Can't connect to Webserver using Port 3001 (Teardown TCP...R

Jennifer Halim — Wed, 23 Mar 2011 03:25:38 GMT

Sorry, without actually understanding your topology, it is difficult to say where the problem is, and there are a number of contradicting statement provided.

You will know your topology by hard, however, you mention OPTMAN, etc that we have no knowledge about.

So if you can please advise the following that would help us to better understand your network and how the connection works:

1) What is the source and destination IP Address

2) You mention access to public IP, but so far only 10.94.x.x is mentioned, so what is the actual public IP, and are you actually connecting to it via its public or private IP?

3) Which ASA interface is connected to the source, and which ASA interface is connected to the destination?

4) Which ASA interface is connected to WAN, and which ASA interface is connected to OPTMAN?

Once we have the above information, it should be clearer on how the connection actually goes.

Despite that, if you already have connectivity between the 2 source and destination IP, I wouldn't think it has anything to do with NAT unless for access to port 3001, it is actually restricted to listen only on a specific IP.