topic Re: Strange behaviour on network due to improperly configured AS in Network Security

Strange behaviour on network due to improperly configured ASA?

bluemookie — Mon, 11 Mar 2019 19:34:16 GMT

My company recently deployed a new mail server last month. Since then, every hour or so, one user will be unable to recieve mail. It's an Ubuntu 10.04 server running Zimbra mail, and all clients are configured for POP access. Most of the errors will say the the connection has been interrupted. From the workstation, I will try to ping the mail server at 192.168.1.26 and get no reply. If I go to the mail server and ping the workstation, after a couple seconds, there is data flow. If I check the workstation again, it is now able to ping the server, and now, able to receive mail.

We have another linux mail server in place (192.168.1.25) that works without any problems. We are getting rid of this old mail server in a couple months. My concern is that when I modified the firewall (Cisco ASA 5505, 8.2(2)), I might not have done everything correctly or may have missed a step. Is there anyone out there that can look at a show run log or give me some idea what to do? I'm not well versed at Cisco stuff. I administer this firewall using the ASDM software version 6.2(5). What would be my first step at troubleshooting this strange behaviour?

Re: Strange behaviour on network due to improperly configured AS

Marcin Latosiewicz — Wed, 12 Jan 2011 20:56:50 GMT

Kyle,

From your description it's clear to me that the behavior you describe is something stateful.

My first guess would be to check xlates.

Can you please confirm for me if there is static NAT entry for IP address of server between interface where server resides and the interface where client resides?

Marcin

Re: Strange behaviour on network due to improperly configured AS

bluemookie — Wed, 12 Jan 2011 21:02:55 GMT

Can you tell me specifically how to provide this information to you using the ASDM GUI? I can also use the "Command Line Interface" from the GUI to enter a command.

Re: Strange behaviour on network due to improperly configured AS

lcaruso — Thu, 13 Jan 2011 00:07:36 GMT

From your description, it kind of sounds like this problem workstation and the mail server are both on the inside network.If that is the case, the firewall has no role in these issues.Regardless of that detail, anytime one client workstation presents a problem while others are happy, focus on that one workstation.

Maybe it has an old network card and/or driver. Maybe the network cable is bad or loose at either end. Maybe the drop is bad. Maybe the OS isn't patched. Maybe it's full of spyware and malware and is degraded or compromised.

As a general troubleshooting technique, a centralized resource like a firewall is more likely to exhibit behavior that affects more than one client, since all clients traffic pass through it.

Hope that helps.

Re: Strange behaviour on network due to improperly configured AS

bluemookie — Thu, 13 Jan 2011 14:31:39 GMT

The problem is happening at random intervals throughout the day on random workstations. The only common link is the mail server or the gateway/firewall. I've done my due dilligence on troubleshooting the mail server and have found no problems with the softtware or hardware. Could it be that xlates that the other guy was talking about? Whatever xlates are....

Re: Strange behaviour on network due to improperly configured AS

bluemookie — Thu, 13 Jan 2011 14:53:18 GMT

To reply to Marcin, when I run my ASDM GUI, under configuration/firewall/access rules/IPv4 Network Objects, I do have 2 IP addresses set for the mail server. ADDON-INT points to 192.168.1.26 and ADDON-EXT points to the public IP address. What other info do you need?

Re: Strange behaviour on network due to improperly configured AS

bluemookie — Thu, 13 Jan 2011 14:54:03 GMT

Re: Strange behaviour on network due to improperly configured AS

Marcin Latosiewicz — Thu, 13 Jan 2011 16:29:15 GMT

Kyle,

Can you attach running config? feel free to mask any information you don't want public to see (IP addresses on WAN, hashes of password).

Marcin

Re: Strange behaviour on network due to improperly configured AS

bluemookie — Thu, 13 Jan 2011 17:08:36 GMT

Result of the command: "sh run"

: Saved

ASA Version 8.2(2)

hostname AIM-ASA-FW

domain-name aim-cc.com

enable password 2KFQnbNIdI.2KYOU encrypted

passwd mZkiFXWaEb.AkII6 encrypted

names

name 192.168.1.25 ACCMX-INT

name 192.168.1.44 ACCSUN-INT

name 192.168.1.28 ACCIRON-INT

name 192.168.1.43 HRMS-INT

name 69.130.7.116 ACCIRON-EXT

name 69.130.7.115 ACCMX-EXT

name 69.130.7.117 ACCSUN-EXT

name 69.130.7.118 FacileHR-EXT

name 69.130.7.119 HRMS-EXT

name 192.168.1.42 FacileHR-INT

name 69.130.7.120 NRIYP-EXT

name 192.168.1.27 NRIYP-INT

name 69.130.7.126 ADDON-EXT

name 192.168.1.26 ADDON-INT

name 192.168.1.21 Kyle

interface Vlan1

description LAN [INSIDE INTERFACE]

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

description T1 LINE [EXTERNAL INTERFACE]

nameif outside

security-level 0

ip address 69.130.7.114 255.255.255.240

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name aim-cc.com

object-group service aptela udp

description for Aptela Phones

port-object range 10000 20000

port-object range sip 5061

object-group service RDP tcp-udp

port-object range 3389 3389

object-group network BLACKLIST

network-object host 190.18.107.140

network-object host 121.244.106.2

network-object host 187.11.194.28

network-object host 188.2.237.199

network-object host 190.48.38.184

network-object host 201.47.229.72

network-object host 207.155.250.20

network-object host 209.85.160.56

network-object host 209.85.222.199

network-object host 63.246.10.50

network-object host 66.77.56.84

network-object host 83.168.1.28

network-object host 124.121.68.190

network-object host 174.35.12.35

network-object host 174.37.81.160

network-object host 188.192.97.110

network-object host 188.38.164.31

network-object host 208.75.123.162

network-object host 41.131.81.19

network-object host 65.168.1.28

network-object host 74.125.83.174

network-object host 74.125.83.184

network-object host 74.208.4.191

network-object host 82.230.100.32

network-object host 89.173.0.9

network-object host 89.228.129.126

network-object host 93.86.217.140

network-object host 123.21.107.67

network-object host 178.92.126.228

network-object host 189.10.192.107

network-object host 189.55.158.40

network-object host 189.70.186.225

network-object host 201.11.0.98

network-object host 207.250.58.8

network-object host 208.75.123.163

network-object host 208.75.123.226

network-object host 209.85.211.156

network-object host 209.85.221.146

network-object host 209.85.222.159

network-object host 211.170.114.154

network-object host 24.38.18.233

network-object host 64.49.82.68

network-object host 64.50.170.80

network-object host 65.217.159.98

network-object host 68.200.154.75

network-object host 74.208.4.195

network-object host 75.146.94.187

network-object host 80.14.122.109

network-object host 92.84.207.252

network-object host 93.153.0.155

network-object host 93.73.179.61

network-object host 96.252.6.79

network-object host 99.174.113.44

network-object host 117.6.64.137

network-object host 178.93.144.158

network-object host 190.245.171.12

network-object host 195.174.128.15

network-object host 199.238.178.138

network-object host 208.75.123.228

network-object host 209.85.217.193

network-object host 24.103.215.120

network-object host 74.208.4.194

network-object host 84.24.253.217

network-object host 98.117.251.114

network-object host 12.164.54.36

network-object host 160.75.192.3

network-object host 186.87.3.225

network-object host 190.174.208.57

network-object host 190.59.189.71

network-object host 201.4.160.18

network-object host 207.155.248.47

network-object host 208.111.169.150

network-object host 208.89.132.145

network-object host 209.85.160.46

network-object host 209.85.210.163

network-object host 62.248.88.175

network-object host 64.202.189.25

network-object host 66.165.70.198

network-object host 67.132.93.114

network-object host 69.174.244.158

network-object host 69.67.52.156

network-object host 69.74.142.209

network-object host 74.125.92.25

network-object host 74.203.196.51

network-object host 79.110.128.212

network-object host 87.70.217.30

network-object host 88.146.41.234

network-object host 88.76.127.77

network-object host 93.86.37.241

network-object host 94.70.115.94

network-object host 95.168.100.87

network-object host 123.201.69.230

network-object host 186.9.50.90

network-object host 189.73.235.78

network-object host 195.2.236.11

network-object host 202.63.105.220

network-object host 205.178.146.55

network-object host 205.178.146.57

network-object host 205.178.146.58

network-object host 205.178.146.61

network-object host 209.85.160.184

network-object host 209.85.221.171

network-object host 218.147.37.219

network-object host 64.120.250.82

network-object host 66.227.62.183

network-object host 67.228.227.25

network-object host 87.109.179.247

network-object host 87.163.5.34

network-object host 89.78.170.200

network-object host 89.78.3.139

network-object host 92.29.204.146

network-object host 94.189.180.81

network-object host 95.180.64.244

network-object host 122.169.182.129

network-object host 122.169.182.213

network-object host 111.224.250.131

network-object host 115.184.136.110

network-object host 123.176.39.134

network-object host 123.237.6.173

network-object host 209.250.243.135

network-object host 216.87.164.19

network-object host 217.23.15.143

network-object host 61.49.36.166

network-object host 67.138.108.151

network-object host 67.138.109.158

network-object host 111.118.156.170

network-object host 111.224.250.132

network-object host 111.224.250.133

network-object host 117.96.18.118

network-object host 121.151.149.220

network-object host 121.183.243.205

network-object host 123.19.170.237

network-object host 125.176.14.67

network-object host 183.107.94.151

network-object host 183.97.35.5

network-object host 186.104.230.5

network-object host 187.52.232.152

network-object host 189.211.159.220

network-object host 190.102.239.219

network-object host 190.235.13.233

network-object host 190.35.206.68

network-object host 190.7.109.65

network-object host 200.87.116.58

network-object host 204.188.223.222

network-object host 204.45.2.197

network-object host 208.83.232.3

network-object host 209.250.243.107

network-object host 209.250.243.15

network-object host 209.250.243.83

network-object host 212.200.197.62

network-object host 216.1.203.94

network-object host 220.227.80.226

network-object host 41.186.0.212

network-object host 41.249.114.143

network-object host 58.26.151.196

network-object host 62.19.51.5

network-object host 64.212.196.228

network-object host 67.138.109.68

network-object host 67.138.110.68

network-object host 68.142.134.126

network-object host 70.98.204.112

network-object host 70.98.205.140

network-object host 70.98.205.165

network-object host 74.63.107.46

network-object host 78.97.189.115

network-object host 79.106.2.46

network-object host 84.22.56.50

network-object host 89.123.211.42

network-object host 89.46.84.214

network-object host 90.169.74.53

network-object host 90.185.163.176

network-object host 95.35.16.79

network-object host 95.65.253.179

object-group service SMTP-587 tcp

description SMTP 587

port-object eq 587

object-group service smtp-587 tcp

description smtp 587

port-object eq 587

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service SMTP-465 tcp

port-object eq 465

object-group service TCP-993 tcp

port-object eq 993

object-group service TCP-995 tcp

port-object eq 995

object-group service TCP-7071 tcp

port-object eq 7071

object-group service TCP-10000 tcp

port-object eq 10000

object-group service TCP-8080 tcp

port-object eq 8080

object-group service TCP-8443 tcp

port-object eq 8443

object-group service TCP-23781 tcp

port-object eq 23781

access-list outside_in_inside extended deny tcp object-group BLACKLIST any eq smtp inactive

access-list outside_in_inside extended permit ip any host ACCSUN-EXT

access-list outside_in_inside extended permit tcp any eq www host ACCSUN-EXT eq www

access-list outside_in_inside extended permit ip any host FacileHR-EXT

access-list outside_in_inside extended permit tcp any eq www host FacileHR-EXT eq www

access-list outside_in_inside extended permit ip any host ACCSUN-INT

access-list outside_in_inside extended permit ip any host FacileHR-INT

access-list outside_in_inside extended permit tcp any eq www host ACCSUN-INT eq www

access-list outside_in_inside extended permit tcp any eq www host FacileHR-INT eq www

access-list outside_in_inside extended permit tcp any host ACCSUN-EXT eq ssh

access-list outside_in_inside extended permit tcp any eq ssh host FacileHR-EXT eq ssh

access-list outside_in_inside extended permit ip any host ACCMX-EXT

access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq www

access-list outside_in_inside extended permit ip any host ADDON-EXT

access-list outside_in_inside extended permit ip any host ACCIRON-EXT

access-list outside_in_inside extended permit ip any host NRIYP-EXT

access-list outside_in_inside extended permit tcp any host NRIYP-EXT eq www

access-list outside_in_inside extended permit udp any any object-group aptela

access-list outside_in_inside extended permit udp any host 64.50.254.253 inactive

access-list outside_in_inside extended permit ip any host HRMS-EXT

access-list outside_in_inside extended permit tcp any host HRMS-EXT

access-list outside_in_inside extended permit ip any host HRMS-INT

access-list outside_in_inside extended permit tcp any host HRMS-INT

access-list outside_in_inside extended deny ip host 216.101.194.154 any

access-list outside_in_inside extended deny tcp host 216.101.194.154 any

access-list outside_in_inside extended deny udp host 216.101.194.154 any

access-list outside_in_inside extended permit tcp any any eq 15250

access-list outside_in_inside extended permit tcp any eq 3389 any eq 3389

access-list outside_in_inside extended permit tcp any eq 23781 host 192.168.1.121 eq 23781

access-list outside_in_inside extended permit tcp any eq smtp any eq smtp inactive

access-list outside_in_inside extended deny ip any host 192.168.1.188

access-list outside_in_inside extended deny tcp any host 192.168.1.188

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq smtp

access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq domain

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq ssh

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq https

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-587

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-465

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-993

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-995

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq imap4

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq pop3

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8080

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-10000

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8443

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended deny ip host 216.101.194.154 any

access-list inside_access_in extended deny tcp host 216.101.194.154 any

access-list inside_access_in extended deny udp host 216.101.194.154 any

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-7071

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-10000

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-8080

access-list inside_access_in extended permit tcp any host Kyle object-group TCP-23781

access-list inside_access_out extended permit tcp any any

access-list inside_access_out extended permit ip any any

access-list inside_access_out extended permit udp any any

access-list inside_access_out extended permit tcp any eq 3389 any eq 3389

access-list inside_access_out extended permit tcp any eq domain any eq domain

access-list inside_access_out extended permit udp any eq domain any eq domain

access-list inside_access_out extended permit tcp any eq www any eq www

access-list inside_access_out extended permit udp any eq www any eq www

access-list inside_access_out extended permit tcp any eq https any eq https

access-list inside_access_out extended permit udp any eq 443 any eq 443

access-list inside_access_out extended permit tcp any eq smtp any eq smtp

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-625.bin

no asdm history enable

arp outside HRMS-INT 0019.d137.8533

arp inside HRMS-INT 0019.d137.8533

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) ACCMX-EXT ACCMX-INT netmask 255.255.255.255

static (inside,outside) ACCSUN-EXT ACCSUN-INT netmask 255.255.255.255

static (outside,inside) ACCSUN-INT ACCSUN-EXT netmask 255.255.255.255

static (outside,inside) ACCIRON-INT ACCIRON-EXT netmask 255.255.255.255

static (outside,inside) HRMS-INT HRMS-EXT netmask 255.255.255.255

static (outside,inside) FacileHR-INT FacileHR-EXT netmask 255.255.255.255 dns

static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255

static (inside,outside) HRMS-EXT HRMS-INT netmask 255.255.255.255

static (inside,outside) ACCIRON-EXT ACCIRON-INT netmask 255.255.255.255

static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255

static (outside,inside) NRIYP-INT NRIYP-EXT netmask 255.255.255.255

static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255

static (outside,inside) ADDON-INT ADDON-EXT netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_in_inside in interface outside

route outside 0.0.0.0 0.0.0.0 69.130.7.113 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

snmp-server location AIM Computer Consulting - Closet

snmp-server contact Red Level Networks - support@redlevelnetworks.com

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15

console timeout 0

dhcpd dns ACCMX-INT ADDON-INT

dhcpd domain aim-cc.com

dhcpd address 192.168.1.150-192.168.1.250 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1

webvpn

username redlevel password OqxvfJhMsUFUOSg7 encrypted privilege 15

username aimfwadm password a87SLutMml8bG8MZ encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

policy-map global-policy

class inspection_default

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:a7feb075228263020177238df1fe1ecb

: end

Re: Strange behaviour on network due to improperly configured AS

Marcin Latosiewicz — Thu, 13 Jan 2011 18:45:27 GMT

static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255
static (outside,inside) NRIYP-INT NRIYP-EXT netmask 255.255.255.255
static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255
static (outside,inside) ADDON-INT ADDON-EXT netmask 255.255.255.255

Thos NATs look wrong to me (and more).

You only need to have static (inside,outside) EXTERNAL_IP INTERNAL_IP most of the time. Creating static NAT the other way ... well not needed and probably asking for trouble, unless some particular functionality is intended with this?

Please remove unnecessary outside,inside NAT statments (and remember that you need to do "clear xlate" after doing any chnages to static config - some traffic might be lost)

Marcin

Re: Strange behaviour on network due to improperly configured AS

bluemookie — Thu, 13 Jan 2011 19:16:20 GMT

All 4 of those entries are incorrect? Or just number 2 and 4? Can you instruct me on how to remove those two using the ASDM graphical interface? Would I find those entries under Configuration/Firewall/NAT Rules? There, I have 2 sections, inside and outside. Inside has 7 static rules, outside has 6 static rules. Am I removing 2 entries from this table?

Re: Strange behaviour on network due to improperly configured AS

bluemookie — Thu, 13 Jan 2011 21:04:04 GMT

Okay, I removed those entries. Here's what my SH RUN looks like now.

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(2)
!
hostname AIM-ASA-FW
domain-name aim-cc.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd mZkiFXWaEb.AkII6 encrypted
names
name 192.168.1.25 ACCMX-INT
name 192.168.1.44 ACCSUN-INT
name 192.168.1.28 ACCIRON-INT
name 192.168.1.43 HRMS-INT
name 69.130.7.116 ACCIRON-EXT
name 69.130.7.115 ACCMX-EXT
name 69.130.7.117 ACCSUN-EXT
name 69.130.7.118 FacileHR-EXT
name 69.130.7.119 HRMS-EXT
name 192.168.1.42 FacileHR-INT
name 69.130.7.120 NRIYP-EXT
name 69.130.7.126 ADDON-EXT
name 192.168.1.26 ADDON-INT
name 192.168.1.21 Kyle
name 192.168.1.30 NRIYP-INT
!
interface Vlan1
description LAN [INSIDE INTERFACE]
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description T1 LINE [EXTERNAL INTERFACE]
nameif outside
security-level 0
ip address 69.130.7.114 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name aim-cc.com
object-group service aptela udp
description for Aptela Phones
port-object range 10000 20000
port-object range sip 5061
object-group service RDP tcp-udp
port-object range 3389 3389
object-group network BLACKLIST
network-object host 190.18.107.140
network-object host 121.244.106.2
network-object host 187.11.194.28
network-object host 188.2.237.199
network-object host 190.48.38.184
network-object host 201.47.229.72
network-object host 207.155.250.20
network-object host 209.85.160.56
network-object host 209.85.222.199
network-object host 63.246.10.50
network-object host 66.77.56.84
network-object host 83.168.1.28
network-object host 124.121.68.190
network-object host 174.35.12.35
network-object host 174.37.81.160
network-object host 188.192.97.110
network-object host 188.38.164.31
network-object host 208.75.123.162
network-object host 41.131.81.19
network-object host 65.168.1.28
network-object host 74.125.83.174
network-object host 74.125.83.184
network-object host 74.208.4.191
network-object host 82.230.100.32
network-object host 89.173.0.9
network-object host 89.228.129.126
network-object host 93.86.217.140
network-object host 123.21.107.67
network-object host 178.92.126.228
network-object host 189.10.192.107
network-object host 189.55.158.40
network-object host 189.70.186.225
network-object host 201.11.0.98
network-object host 207.250.58.8
network-object host 208.75.123.163
network-object host 208.75.123.226
network-object host 209.85.211.156
network-object host 209.85.221.146
network-object host 209.85.222.159
network-object host 211.170.114.154
network-object host 24.38.18.233
network-object host 64.49.82.68
network-object host 64.50.170.80
network-object host 65.217.159.98
network-object host 68.200.154.75
network-object host 74.208.4.195
network-object host 75.146.94.187
network-object host 80.14.122.109
network-object host 92.84.207.252
network-object host 93.153.0.155
network-object host 93.73.179.61
network-object host 96.252.6.79
network-object host 99.174.113.44
network-object host 117.6.64.137
network-object host 178.93.144.158
network-object host 190.245.171.12
network-object host 195.174.128.15
network-object host 199.238.178.138
network-object host 208.75.123.228
network-object host 209.85.217.193
network-object host 24.103.215.120
network-object host 74.208.4.194
network-object host 84.24.253.217
network-object host 98.117.251.114
network-object host 12.164.54.36
network-object host 160.75.192.3
network-object host 186.87.3.225
network-object host 190.174.208.57
network-object host 190.59.189.71
network-object host 201.4.160.18
network-object host 207.155.248.47
network-object host 208.111.169.150
network-object host 208.89.132.145
network-object host 209.85.160.46
network-object host 209.85.210.163
network-object host 62.248.88.175
network-object host 64.202.189.25
network-object host 66.165.70.198
network-object host 67.132.93.114
network-object host 69.174.244.158
network-object host 69.67.52.156
network-object host 69.74.142.209
network-object host 74.125.92.25
network-object host 74.203.196.51
network-object host 79.110.128.212
network-object host 87.70.217.30
network-object host 88.146.41.234
network-object host 88.76.127.77
network-object host 93.86.37.241
network-object host 94.70.115.94
network-object host 95.168.100.87
network-object host 123.201.69.230
network-object host 186.9.50.90
network-object host 189.73.235.78
network-object host 195.2.236.11
network-object host 202.63.105.220
network-object host 205.178.146.55
network-object host 205.178.146.57
network-object host 205.178.146.58
network-object host 205.178.146.61
network-object host 209.85.160.184
network-object host 209.85.221.171
network-object host 218.147.37.219
network-object host 64.120.250.82
network-object host 66.227.62.183
network-object host 67.228.227.25
network-object host 87.109.179.247
network-object host 87.163.5.34
network-object host 89.78.170.200
network-object host 89.78.3.139
network-object host 92.29.204.146
network-object host 94.189.180.81
network-object host 95.180.64.244
network-object host 122.169.182.129
network-object host 122.169.182.213
network-object host 111.224.250.131
network-object host 115.184.136.110
network-object host 123.176.39.134
network-object host 123.237.6.173
network-object host 209.250.243.135
network-object host 216.87.164.19
network-object host 217.23.15.143
network-object host 61.49.36.166
network-object host 67.138.108.151
network-object host 67.138.109.158
network-object host 111.118.156.170
network-object host 111.224.250.132
network-object host 111.224.250.133
network-object host 117.96.18.118
network-object host 121.151.149.220
network-object host 121.183.243.205
network-object host 123.19.170.237
network-object host 125.176.14.67
network-object host 183.107.94.151
network-object host 183.97.35.5
network-object host 186.104.230.5
network-object host 187.52.232.152
network-object host 189.211.159.220
network-object host 190.102.239.219
network-object host 190.235.13.233
network-object host 190.35.206.68
network-object host 190.7.109.65
network-object host 200.87.116.58
network-object host 204.188.223.222
network-object host 204.45.2.197
network-object host 208.83.232.3
network-object host 209.250.243.107
network-object host 209.250.243.15
network-object host 209.250.243.83
network-object host 212.200.197.62
network-object host 216.1.203.94
network-object host 220.227.80.226
network-object host 41.186.0.212
network-object host 41.249.114.143
network-object host 58.26.151.196
network-object host 62.19.51.5
network-object host 64.212.196.228
network-object host 67.138.109.68
network-object host 67.138.110.68
network-object host 68.142.134.126
network-object host 70.98.204.112
network-object host 70.98.205.140
network-object host 70.98.205.165
network-object host 74.63.107.46
network-object host 78.97.189.115
network-object host 79.106.2.46
network-object host 84.22.56.50
network-object host 89.123.211.42
network-object host 89.46.84.214
network-object host 90.169.74.53
network-object host 90.185.163.176
network-object host 95.35.16.79
network-object host 95.65.253.179
object-group service SMTP-587 tcp
description SMTP 587
port-object eq 587
object-group service smtp-587 tcp
description smtp 587
port-object eq 587
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SMTP-465 tcp
port-object eq 465
object-group service TCP-993 tcp
port-object eq 993
object-group service TCP-995 tcp
port-object eq 995
object-group service TCP-7071 tcp
port-object eq 7071
object-group service TCP-10000 tcp
port-object eq 10000
object-group service TCP-8080 tcp
port-object eq 8080
object-group service TCP-8443 tcp
port-object eq 8443
object-group service TCP-23781 tcp
port-object eq 23781
access-list outside_in_inside extended deny tcp object-group BLACKLIST any eq smtp inactive
access-list outside_in_inside extended permit ip any host ACCSUN-EXT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-EXT eq www
access-list outside_in_inside extended permit ip any host FacileHR-EXT
access-list outside_in_inside extended permit tcp any eq www host FacileHR-EXT eq www
access-list outside_in_inside extended permit ip any host ACCSUN-INT
access-list outside_in_inside extended permit ip any host FacileHR-INT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-INT eq www
access-list outside_in_inside extended permit tcp any eq www host FacileHR-INT eq www
access-list outside_in_inside extended permit tcp any host ACCSUN-EXT eq ssh
access-list outside_in_inside extended permit tcp any eq ssh host FacileHR-EXT eq ssh
access-list outside_in_inside extended permit ip any host ACCMX-EXT
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq www
access-list outside_in_inside extended permit ip any host ADDON-EXT
access-list outside_in_inside extended permit ip any host ACCIRON-EXT
access-list outside_in_inside extended permit ip any host NRIYP-EXT
access-list outside_in_inside extended permit tcp any host NRIYP-EXT eq www
access-list outside_in_inside extended permit udp any any object-group aptela
access-list outside_in_inside extended permit udp any host 64.50.254.253 inactive
access-list outside_in_inside extended permit ip any host HRMS-EXT
access-list outside_in_inside extended permit tcp any host HRMS-EXT
access-list outside_in_inside extended permit ip any host HRMS-INT
access-list outside_in_inside extended permit tcp any host HRMS-INT
access-list outside_in_inside extended deny ip host 216.101.194.154 any
access-list outside_in_inside extended deny tcp host 216.101.194.154 any
access-list outside_in_inside extended deny udp host 216.101.194.154 any
access-list outside_in_inside extended permit tcp any any eq 15250
access-list outside_in_inside extended permit tcp any eq 3389 any eq 3389
access-list outside_in_inside extended permit tcp any eq 23781 host 192.168.1.121 eq 23781
access-list outside_in_inside extended permit tcp any eq smtp any eq smtp inactive
access-list outside_in_inside extended deny ip any host 192.168.1.188
access-list outside_in_inside extended deny tcp any host 192.168.1.188
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq smtp
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq domain
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq ssh
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq https
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-587
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-465
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-993
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-995
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq imap4
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq pop3
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8443
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended deny ip host 216.101.194.154 any
access-list inside_access_in extended deny tcp host 216.101.194.154 any
access-list inside_access_in extended deny udp host 216.101.194.154 any
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-7071
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list inside_access_in extended permit tcp any host Kyle object-group TCP-23781
access-list inside_access_out extended permit tcp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit udp any any
access-list inside_access_out extended permit tcp any eq 3389 any eq 3389
access-list inside_access_out extended permit tcp any eq domain any eq domain
access-list inside_access_out extended permit udp any eq domain any eq domain
access-list inside_access_out extended permit tcp any eq www any eq www
access-list inside_access_out extended permit udp any eq www any eq www
access-list inside_access_out extended permit tcp any eq https any eq https
access-list inside_access_out extended permit udp any eq 443 any eq 443
access-list inside_access_out extended permit tcp any eq smtp any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp outside HRMS-INT 0019.d137.8533
arp inside HRMS-INT 0019.d137.8533
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) ACCMX-EXT ACCMX-INT netmask 255.255.255.255
static (inside,outside) ACCSUN-EXT ACCSUN-INT netmask 255.255.255.255
static (outside,inside) ACCSUN-INT ACCSUN-EXT netmask 255.255.255.255
static (outside,inside) ACCIRON-INT ACCIRON-EXT netmask 255.255.255.255
static (outside,inside) HRMS-INT HRMS-EXT netmask 255.255.255.255
static (outside,inside) FacileHR-INT FacileHR-EXT netmask 255.255.255.255 dns
static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
static (inside,outside) HRMS-EXT HRMS-INT netmask 255.255.255.255
static (inside,outside) ACCIRON-EXT ACCIRON-INT netmask 255.255.255.255
static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255
static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_in_inside in interface outside
route outside 0.0.0.0 0.0.0.0 69.130.7.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location AIM Computer Consulting - Closet
snmp-server contact Red Level Networks - support@redlevelnetworks.com
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
dhcpd dns ACCMX-INT ADDON-INT
dhcpd domain aim-cc.com
!
dhcpd address 192.168.1.150-192.168.1.250 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
webvpn
username redlevel password OqxvfJhMsUFUOSg7 encrypted privilege 15
username aimfwadm password a87SLutMml8bG8MZ encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dc3a634149d26ea33b9129e154015536
: end

Re: Strange behaviour on network due to improperly configured AS

Marcin Latosiewicz — Thu, 13 Jan 2011 22:34:04 GMT

Kyle,

Config looks better now

... did you clear existing xlates?

What I would like you do to is to add those lines:

logging buffer-size 1000000

logging buffered info

to the configuration.

Than execute a failing test and check:

show logg | i IP_ADDRESS_OF_CLIENT
show logg | i IP_ADDRESS_OF_SERVER

And attach all and any output you see.

Marcin

Re: Strange behaviour on network due to improperly configured AS

bluemookie — Fri, 14 Jan 2011 15:20:59 GMT

Yes, I did clear xlates as you instructed. Since I am using the GUI to do this, and not telnet or whatever most people use, I'm probably not seeing what you would normally see. This is my output for the lines you gave me...

Result of the command: "logging buffer-size 1000000"

The command has been sent to the device

Result of the command: "logging buffered info"

The command has been sent to the device

Result of the command: "show logg | i IP_ADDRESS_OF_CLIENT"

The command has been sent to the device

Result of the command: "show logg | i IP_ADDRESS_OF_SERVER"

The command has been sent to the device

Should I be using something else other than the ASDM GUI? I haven't seen any failures since yesterday afternoon.

Re: Strange behaviour on network due to improperly configured AS

Marcin Latosiewicz — Fri, 14 Jan 2011 16:21:50 GMT

Kyle,

Well obviously IP_ADDRESS_OF_CLIENT should be substituted with IP of client which is attempting to connect to server. 😉

I'm not sure if the ASDM CLU access will return you the lines we need.

ASDM is probably not the best to do troubleshooting 😉

I assume no problem since yesterday afternoon is a good sign? How often was the problem happening before ;-D

BTW xlate = translation table entry. static command introduces a static xlate into the table.. for clarity sake.

Marcin

Re: Strange behaviour on network due to improperly configured AS

bluemookie — Fri, 14 Jan 2011 16:26:46 GMT

So, what should I use? Telnet? Just telnet to it and log on as the normal user that I logon with on the GUI? And I would see this problem once an hour.

Re: Strange behaviour on network due to improperly configured AS

Marcin Latosiewicz — Fri, 14 Jan 2011 16:34:54 GMT

Kyle,

Telnet/ssh access with same credentials you use for ASDM access should be fine.

Since you have not seen it for almost 24 hours, I'm hoping for the best 😉

Marcin