I have installed a new ASA5510 with CSC, and everything is working properly except the access to websites using https. All sites/access to them seem to be blocked by the ASA. I have read that this access is by default enabled and I have tried to add configuration to allow https access to the firewall but without success. Can someone help me with this?
Below is the system configuration:
ASA Version 8.4(4)
enable password XXXXXXX
passwd XXXXXX encrypted
ip address 192.168.240.10 255.255.255.0
ip address 192.168.10.1 255.255.255.0
no ip address
no ip address
ip address 192.168.1.1 255.255.255.0
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MailInternal
object network mailServer
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Internal 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
nat (Internal,Outside) dynamic interface
access-group OUTSIDE_IN_ACL in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.240.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.10.0 255.255.255.0 Internal
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 126.96.36.199 source Outside prefer
username rtel password vj1wQJw/7OjGiJ/3 encrypted
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect icmp error
service-policy global_policy global
service-policy Outside-policy interface Outside
prompt hostname context
no call-home reporting anonymous
What version on the CSC are you running?
Also the configuration is not the one recommended...
Do the following
access-list CSC deny ip host x.x.x.x (CSC module Ip address) any
access-list CSC permit tcp any any eq 25
access-list CSC permit tcp any any eq 80
access-list CSC permit tcp any any eq 21
access-list CSC permit tcp any any eq 110
access-list CSC permit tcp any any eq 443 ( If you are running a version that supports the inspection/filtering of HTTPS)
match access-list CSC
no class Outside-class
I have entered the above code but it still doesn't work. I think the problem is in the firewall and not in the CSC.
Please look at the following output from the ASA syslog:
6|Jan 21 2013|19:58:14|302013|192.168.10.10|55598|188.8.131.52|443|Built outbound TCP connection 34563 for Outside:184.108.40.206/443 (220.127.116.11/443) to Internal:192.168.10.10/55598 (192.168.240.10/55598)
6|Jan 21 2013|19:58:13|302014|18.104.22.168|443|192.168.10.10|55598|Teardown TCP connection 34562 for Outside:22.214.171.124/443 to Internal:192.168.10.10/55598 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 21 2013|19:58:13|302013|192.168.10.10|55598|126.96.36.199|443|Built outbound TCP connection 34562 for Outside:188.8.131.52/443 (184.108.40.206/443) to Internal:192.168.10.10/55598 (192.168.240.10/55598)
6|Jan 21 2013|19:58:13|302014|220.127.116.11|443|192.168.10.10|55598|Teardown TCP connection 34561 for Outside:18.104.22.168/443 to Internal:192.168.10.10/55598 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 21 2013|19:58:13|302014|22.214.171.124|443|192.168.10.10|55597|Teardown TCP connection 34560 for Outside:126.96.36.199/443 to Internal:192.168.10.10/55597 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 21 2013|19:58:13|302013|192.168.10.10|55598|188.8.131.52|443|Built outbound TCP connection 34561 for Outside:184.108.40.206/443 (220.127.116.11/443) to Internal:192.168.10.10/55598 (192.168.240.10/55598)
It seems that the firewall blocks any internet https access and I don't know why.
I have also checked the https access directly to the router and it works OK, so the problem is for sure within the ASA.
ASA version is 8.44-K8
CSC SSM version is 6.3.1172.0
Any ideas of how to resolve this?
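To turn the symptom in those syslog lines into a repeatable check, here is an added Python example (not from the thread or from Cisco) that parses the pipe-delimited ASDM log layout, pairs each 302013 build with its 302014 teardown by connection id, and flags destination ports on which every session died as a zero-byte "TCP Reset-O". The log lines embedded in it are constructed with documentation-range addresses, not the poster's.

```python
import re
from collections import defaultdict
# Constructed sample (not from the thread), same pipe-delimited ASDM layout; doc-range addresses.
SAMPLE_LOG = """\
6|Jan 21 2013|19:58:13|302013|192.168.10.10|55598|203.0.113.5|443|Built outbound TCP connection 34561 for Outside:203.0.113.5/443 (203.0.113.5/443) to Internal:192.168.10.10/55598 (192.168.240.10/55598)
6|Jan 21 2013|19:58:13|302014|203.0.113.5|443|192.168.10.10|55598|Teardown TCP connection 34561 for Outside:203.0.113.5/443 to Internal:192.168.10.10/55598 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 21 2013|19:58:14|302013|192.168.10.10|55599|203.0.113.5|443|Built outbound TCP connection 34562 for Outside:203.0.113.5/443 (203.0.113.5/443) to Internal:192.168.10.10/55599 (192.168.240.10/55599)
6|Jan 21 2013|19:58:14|302014|203.0.113.5|443|192.168.10.10|55599|Teardown TCP connection 34562 for Outside:203.0.113.5/443 to Internal:192.168.10.10/55599 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 21 2013|19:58:20|302013|192.168.10.10|55600|203.0.113.9|80|Built outbound TCP connection 34570 for Outside:203.0.113.9/80 (203.0.113.9/80) to Internal:192.168.10.10/55600 (192.168.240.10/55600)
6|Jan 21 2013|19:58:45|302014|203.0.113.9|80|192.168.10.10|55600|Teardown TCP connection 34570 for Outside:203.0.113.9/80 to Internal:192.168.10.10/55600 duration 0:00:25 bytes 18422 TCP FINs
"""

BUILT_RE = re.compile(r"Built outbound TCP connection (?P<conn>\d+) ")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) .* duration (?P<dur>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$")

def parse_records(text):
    """Yield one dict per 302013 (built) or 302014 (teardown) line; other lines are skipped."""
    for line in text.splitlines():
        parts = line.split("|", 8)          # severity|date|time|msgid|src|sport|dst|dport|text
        if len(parts) != 9:
            continue
        msgid, dst, dport, msg = parts[3], parts[6], parts[7], parts[8]
        if msgid == "302013" and (m := BUILT_RE.search(msg)):
            yield {"kind": "built", "conn": int(m["conn"]), "dst": dst, "dport": int(dport)}
        elif msgid == "302014" and (m := TEARDOWN_RE.search(msg)):
            yield {"kind": "teardown", "conn": int(m["conn"]), "duration": m["dur"],
                   "bytes": int(m["bytes"]), "reason": m["reason"]}

def summarize_by_port(text):
    """Pair built/teardown by connection id; per destination port count all sessions and
    those torn down with 0 bytes by a reset seen on the outside interface (Reset-O)."""
    built, stats = {}, defaultdict(lambda: {"total": 0, "zero_byte_reset_o": 0})
    for rec in parse_records(text):
        if rec["kind"] == "built":
            built[rec["conn"]] = rec
            continue
        opener = built.pop(rec["conn"], None)
        if opener is None:  # teardown whose build fell outside this log window
            continue
        stats[opener["dport"]]["total"] += 1
        if rec["bytes"] == 0 and rec["reason"] == "TCP Reset-O":
            stats[opener["dport"]]["zero_byte_reset_o"] += 1
    return dict(stats)

def ports_fully_reset(text):
    """Ports on which every paired session was a zero-byte Reset-O (as port 443 is in the
    thread), pointing at an in-path device rather than one refusing server."""
    return sorted(p for p, s in summarize_by_port(text).items()
                  if s["total"] == s["zero_byte_reset_o"])
```

Feeding the real ASDM export to `ports_fully_reset` separates "one server refused" (a few resets on one port) from "an inspection module kills every flow on this port", which is what the poster later confirmed for the CSC.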
Actually the logs say you are receiving a reset packet from the outside servers...
Do you get the same logs if you try to access another HTTPS server?
That is pretty weird as everything seems to be good on your config.
What happens if you take the ASA out of the picture, does it work?
I am sorry for the delayed reply but I was out of town for a project. Well, if ASA is out of the picture, everything works fine.
Today I managed to have a workaround and pinpointed the problem to the CSC rather than the firewall. I have excluded the CSC for all https traffic, and the access to https sites is OK now. This is a semi-acceptable solution because the office can work OK but the ASA can't perform CSC management for https traffic.
Anyhow, I will look into this in more detail during the week and will post more info of how to solve the problem.