https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3314199#M997244 1025 is just random source port you can take any port above 1024 Fri, 19 Jan 2018 02:46:50 GMT Pawan Raut 2018-01-19T02:46:50Z https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3313459#M997143 <P>&nbsp;<SPAN>Hello,there may be some problems with the ASA's config, but I can find where are the problems.</SPAN></P> <P>Below is the basic config for this ASA:</P> <P>DMZ&nbsp;ip address :　192.168.3.254/24</P> <P><SPAN>Outside ip address: &nbsp;125.35.20.188/26</SPAN></P> <P><SPAN>acs server ip address:&nbsp; 192.168.3.240/24 &nbsp;acs server version 5.2</SPAN></P> <P>&nbsp;</P> <P><SPAN> DMZ &nbsp; access ACS server through HTTPS https:// 192.168.3.240/acsadmin&nbsp; successfully</SPAN></P> <P><SPAN>Outside &nbsp;access ACS server through HTTPS https:// 192.168.3.240/acsadmin&nbsp;&nbsp;failed</SPAN></P> <P><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;https:// 125.35.20.145/acsadmin &nbsp;failed</SPAN></P> <P><SPAN>where are the problems.thanks!</SPAN></P> <P>&nbsp;</P> <P><SPAN>Please get the detailed config in the attached file</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:09:41 GMT https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3313459#M997143 supermanwwc 2020-02-21T15:09:41Z https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3313554#M997144 <P>Can you enable traffic from the lower security level to high security level and try it again.</P> <P>&nbsp;</P> <P>same-security-traffic permit inter-interface<BR />same-security-traffic permit intra-interface</P> <P>&nbsp;</P> <P>Cheers</P> <P>&nbsp;</P> Thu, 18 Jan 2018 10:43:17 GMT https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3313554#M997144 denilson.mota 2018-01-18T10:43:17Z https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3313590#M997145 <P>Hello,</P> <P>&nbsp;</P> <P>The config looks okay, can you please take syslogs on ASA and attach here.</P> <P>Also, could be an issue over internet routing for the NAT ip address 125.35.20.145.</P> <P>&nbsp;</P> <P>You can take a capture:</P> <P>&nbsp;</P> <P>capture capo interface outside match tcp any host 125.35.20.145&nbsp;</P> <P>&nbsp;</P> <P>then initiate traffic from outside and take output of 'show cap capo'</P> <P>&nbsp;</P> <P>Please take syslogs and attach these outputs. Same Security commands is not required since the security level is different for these interfaces.</P> <P>&nbsp;</P> <P>-</P> <P>HTH</P> <P>AJ</P> Thu, 18 Jan 2018 11:29:48 GMT https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3313590#M997145 Ajay Saini 2018-01-18T11:29:48Z https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3313922#M997146 <P>Can you check you have proper ACL and NAT rule on ASA. Could you do packet-tracer on ASA</P> <P>packet-tracer input outside&nbsp; tcp &lt;sourec ip&gt; 1025 &lt;ACS IP address&gt; 443 de</P> <P>&nbsp;</P> Thu, 18 Jan 2018 18:35:16 GMT https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3313922#M997146 Pawan Raut 2018-01-18T18:35:16Z https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3314179#M997147 <P><SPAN>Thank you very much for your advice。</SPAN></P> <P><SPAN>I didn't change any configuration，I tried again today，only this command to collect logs （capture capo interface outside match tcp any host 125.35.20.145&nbsp;）。</SPAN></P> <P><SPAN><A href="https://125.35.20.145/acsadmin/login.jsp&nbsp;&nbsp;successfully" target="_blank">https://125.35.20.145/acsadmin/login.jsp&nbsp;&nbsp;successfully</A> from Outside.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN><STRONG>Please see the attached document，THAK YOUR VERY MUCH AGAIN.</STRONG></SPAN></P> <P>&nbsp;</P> Fri, 19 Jan 2018 02:02:04 GMT https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3314179#M997147 supermanwwc 2018-01-19T02:02:04Z https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3314181#M997241 <P><SPAN>Thank you very much for your help.</SPAN></P> <P><SPAN>but&nbsp;security level is different。</SPAN></P> Fri, 19 Jan 2018 02:05:10 GMT https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3314181#M997241 supermanwwc 2018-01-19T02:05:10Z https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3314183#M997242 <P><SPAN>Thank you very much for your help.</SPAN></P> <P><SPAN>packet-tracer input outside&nbsp; tcp &lt;sourec ip&gt; 1025 &lt;ACS IP address&gt; 443 ，Why is the 1025 port？</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> Fri, 19 Jan 2018 02:13:06 GMT https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3314183#M997242 supermanwwc 2018-01-19T02:13:06Z https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3314199#M997244 1025 is just random source port you can take any port above 1024 Fri, 19 Jan 2018 02:46:50 GMT https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3314199#M997244 Pawan Raut 2018-01-19T02:46:50Z https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3315223#M997246 <P>Hello,</P> <P>&nbsp;</P> <P>From what I can tell, this is purely client-server issue and not a firewall issue. I checked the captures you attached, and:</P> <P>-There is clearly a 3-way handshake done successfully</P> <P>-There is a reset then sent from&nbsp;218.247.232.86 at a certain time, could be the application specific traffic.</P> <P>&nbsp;</P> <P>Couple of more things to figure out the issue:</P> <P>1. Is the same traffic working from behind the firewall</P> <P>2. Is there a WAF (Web Application Firewall) or any other appliance that could be causing this issue</P> <P>3. There could be an IPS issue as well.</P> <P>&nbsp;</P> <P>-HTH</P> <P>AJ</P> Sun, 21 Jan 2018 04:53:31 GMT https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3315223#M997246 Ajay Saini 2018-01-21T04:53:31Z https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3315581#M997248 <UL> <LI> <H1 class="keyword">Thank your for your suggestion. It is very useful for us.</H1> </LI> </UL> Mon, 22 Jan 2018 02:25:56 GMT https://community.cisco.com/t5/network-security/asa-5512-outside-can-not-access-acs-server-through-https-in-dmz/m-p/3315581#M997248 supermanwwc 2018-01-22T02:25:56Z