<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Website not accessible on single ASA interface in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/website-not-accessible-on-single-asa-interface/m-p/3951695#M935710</link>
<description>&lt;P&gt;Your ASA configuration appears correct from what you've shared.&lt;/P&gt;
&lt;P&gt;Its older software and inability to support newer ciphers only affects traffic that terminates on the ASA itself - not anything going THROUGH the ASA.&lt;/P&gt;
&lt;P&gt;How is it set up physically? i.e. is your public VLAN 10 traffic connecting to the ASA via a trunk or on a dedicated interface?&lt;/P&gt;</description>
    <pubDate>Fri, 01 Nov 2019 11:48:49 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2019-11-01T11:48:49Z</dc:date>
    <item>
      <title>Website not accessible on single ASA interface</title>
      <link>https://community.cisco.com/t5/network-security/website-not-accessible-on-single-asa-interface/m-p/3951362#M935709</link>
<description>&lt;P&gt;I am working with an old ASA 5505 version 8.4(3).&amp;nbsp; On this ASA there are three interfaces: Public [VLAN 10] 172.16.0.1/24, Private [VLAN 5] 172.16.1.1/24 and Outside [VLAN1] External IP.&amp;nbsp; If I plug my laptop into a switch on the Private interface I can get to this external website (hosted by an outside company).&amp;nbsp; When I connect my laptop to the Public interface I get a website timed out error.&amp;nbsp; I captured session information from my laptop using Fiddler for both networks.&amp;nbsp; On Public I see the HTTP request timed out and it was not able to authenticate with the site certificate.&amp;nbsp; Looking at the firewall we are using deprecated protocols and ciphers.&amp;nbsp; I would update the firewall with the latest firmware but there is no service contract.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;All I am asking is: could the reason we cannot navigate to the site on the Public interface be that the firewall is using old ciphers/protocols?
If so, how is it possible one interface is using one suite while another is using something different?&amp;nbsp; If not, what else could be blocking the site on the firewall?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I say it's the firewall because I am testing with a laptop that has no AV, Windows firewall disabled, no other software, and it's not on the domain.&amp;nbsp; It's not software on the computers causing the problem.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Currently the ASA can only support SSL 3.0/TLS 1.0 because no one ever updated the device.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I ran a packet capture on the firewall and saw traffic going from my computer through the Public interface but nothing from/to the Outside interface from the external site.&amp;nbsp; Something has to be blocking traffic on the firewall but I don't know what it is.&lt;/P&gt;&lt;P&gt;**EDIT** Here is part of my config and the result of a packet-tracer:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;interface Vlan2
 nameif private
 security-level 50
 ip address 10.0.2.1 255.255.255.0 
!
interface Vlan3
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.224 
!
interface Vlan10
 nameif public
 security-level 100
 ip address 172.16.0.254 255.255.255.0 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network public-net
 subnet 172.16.0.0 255.255.255.0
object network outside-nat
 host 1.1.1.1
object network private_10.0.2.0
 subnet 10.0.2.0 255.255.255.0
access-list outside_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu private 1500
mtu outside 1500
mtu public 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
object network public-net
 nat (public,outside) dynamic interface
object network private_10.0.2.0
 nat (private,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1&lt;/PRE&gt;&lt;P&gt;And here is the packet tracer:&lt;/P&gt;&lt;PRE&gt;Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network public-net
 nat (public,outside) dynamic interface
Additional Information:
Dynamic translate 172.16.0.22/443 to 1.1.1.1/261

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 158038629, packet dispatched to next 
module

Result:
input-interface: public
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 17:39:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/website-not-accessible-on-single-asa-interface/m-p/3951362#M935709</guid>
      <dc:creator>Trebien21</dc:creator>
      <dc:date>2020-02-21T17:39:10Z</dc:date>
    </item>
    <item>
      <title>Re: Website not accessible on single ASA interface</title>
      <link>https://community.cisco.com/t5/network-security/website-not-accessible-on-single-asa-interface/m-p/3951695#M935710</link>
<description>&lt;P&gt;Your ASA configuration appears correct from what you've shared.&lt;/P&gt;
&lt;P&gt;Its older software and inability to support newer ciphers only affects traffic that terminates on the ASA itself - not anything going THROUGH the ASA.&lt;/P&gt;
&lt;P&gt;How is it set up physically? i.e. is your public VLAN 10 traffic connecting to the ASA via a trunk or on a dedicated interface?&lt;/P&gt;</description>
      <pubDate>Fri, 01 Nov 2019 11:48:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/website-not-accessible-on-single-asa-interface/m-p/3951695#M935710</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2019-11-01T11:48:49Z</dc:date>
    </item>
    <item>
      <title>Re: Website not accessible on single ASA interface</title>
      <link>https://community.cisco.com/t5/network-security/website-not-accessible-on-single-asa-interface/m-p/3951703#M935712</link>
<description>&lt;P&gt;It's a dedicated interface from the switch to the ASA; it's a trunk from the ASA to the ISP.&amp;nbsp; So my laptop plugs into a switch on the public network, that switch passes traffic to the ASA, and the ASA sends it out the trunk to the ISP.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 01 Nov 2019 12:01:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/website-not-accessible-on-single-asa-interface/m-p/3951703#M935712</guid>
      <dc:creator>Trebien21</dc:creator>
      <dc:date>2019-11-01T12:01:12Z</dc:date>
    </item>
    <item>
      <title>Re: Website not accessible on single ASA interface</title>
      <link>https://community.cisco.com/t5/network-security/website-not-accessible-on-single-asa-interface/m-p/3952040#M935714</link>
      <description>&lt;P&gt;Did you confirm you can resolve the address of the website's FQDN when you plug into the public interface?&lt;/P&gt;
&lt;P&gt;Have you tried capturing traffic on your Outside interface to/from the public web server?&lt;/P&gt;
&lt;P&gt;Try this:&lt;/P&gt;
&lt;PRE&gt;capture capout interface outside match tcp any &amp;lt;website ip&amp;gt; 255.255.255.255 eq 80&lt;/PRE&gt;
&lt;P&gt;(or "eq 443" for https).&lt;/P&gt;</description>
      <pubDate>Sat, 02 Nov 2019 04:54:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/website-not-accessible-on-single-asa-interface/m-p/3952040#M935714</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2019-11-02T04:54:26Z</dc:date>
    </item>
  </channel>
</rss>

