Asa 5510 blocks https access to Internet websites

kilias
Level 4

I have installed a new ASA5510 with CSC, and everything is working properly except the access to websites using https. All sites/access to them seem to be blocked by the ASA. I have read that this access is by default enabled and I have tried to add configuration to allow https access to the firewall but without success. Can someone help me on this?

Below is the system configuration:

ASA Version 8.4(4)
!
hostname test
enable password XXXXXXX
passwd XXXXXX encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 192.168.240.10 255.255.255.0
!
interface Ethernet0/1
nameif Internal
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MailInternal
host 192.168.10.190
object network mailServer
host 194.219.197.80
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Internal 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (Internal,Outside) dynamic interface
access-group OUTSIDE_IN_ACL in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.240.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.10.0 255.255.255.0 Internal
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 193.92.150.3 source Outside prefer
webvpn
username rtel password vj1wQJw/7OjGiJ/3 encrypted
!
class-map Outside-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
  inspect icmp
  inspect ctiqbe
  inspect icmp error
  inspect ils
  inspect pptp
  inspect mgcp
  inspect snmp
policy-map Outside-policy
class Outside-class
  csc fail-open
!
service-policy global_policy global
service-policy Outside-policy interface Outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e821552c28089bf25b5a3449cd9f3835
: end
test#

6 Replies

Julio Carvajal
VIP Alumni

Hello Kilias,

What version on the CSC are you running?

Also the configuration is not the one recommended...

Do the following

access-list CSC deny ip host x.x.x.x any (x.x.x.x = CSC module IP address)
access-list CSC permit tcp any any eq 25
access-list CSC permit tcp any any eq 80
access-list CSC permit tcp any any eq 21
access-list CSC permit tcp any any eq 110
access-list CSC permit tcp any any eq 443 (if you are running a version that supports the inspection/filtering of HTTPS)

class-map CSC
match access-list CSC

policy-map Outside-policy
no class Outside-class

policy-map Outside-policy
class CSC
csc fail-open

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dear Jcarvaja,

I have entered the above code but it still doesn't work. I think the problem is in the firewall and not in the CSC.

Please look at the following output from the ASA syslog:

6|Jan 21 2013|19:58:14|302013|192.168.10.10|55598|195.39.236.226|443|Built outbound TCP connection 34563 for Outside:195.39.236.226/443 (195.39.236.226/443) to Internal:192.168.10.10/55598 (192.168.240.10/55598)

6|Jan 21 2013|19:58:13|302014|195.39.236.226|443|192.168.10.10|55598|Teardown TCP connection 34562 for Outside:195.39.236.226/443 to Internal:192.168.10.10/55598 duration 0:00:00 bytes 0 TCP Reset-O

6|Jan 21 2013|19:58:13|302013|192.168.10.10|55598|195.39.236.226|443|Built outbound TCP connection 34562 for Outside:195.39.236.226/443 (195.39.236.226/443) to Internal:192.168.10.10/55598 (192.168.240.10/55598)

6|Jan 21 2013|19:58:13|302014|195.39.236.226|443|192.168.10.10|55598|Teardown TCP connection 34561 for Outside:195.39.236.226/443 to Internal:192.168.10.10/55598 duration 0:00:00 bytes 0 TCP Reset-O

6|Jan 21 2013|19:58:13|302014|195.39.236.226|443|192.168.10.10|55597|Teardown TCP connection 34560 for Outside:195.39.236.226/443 to Internal:192.168.10.10/55597 duration 0:00:00 bytes 0 TCP Reset-O

6|Jan 21 2013|19:58:13|302013|192.168.10.10|55598|195.39.236.226|443|Built outbound TCP connection 34561 for Outside:195.39.236.226/443 (195.39.236.226/443) to Internal:192.168.10.10/55598 (192.168.240.10/55598)

It seems that the firewall blocks any internet https access and I don't know why.

I have also checked the https access directly to the router and it works OK, so the problem is for sure within the ASA.

ASA version is 8.44-K8

CSC SSM version is 6.3.1172.0

Any ideas of how to resolve this?
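A quick way to check what the syslog output above is showing, as an added example that is not part of the thread: a Python script that pairs the 302013 (build) and 302014 (teardown) messages by ASA connection id and reports the server ports on which every connection dies with `bytes 0` and `TCP Reset-O`. The log text is a constructed sample modelled on the lines quoted above; the port-80 line is invented as a healthy control.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ASDM-style syslog lines quoted in the thread
# (severity|date|time|msg-id|src|sport|dst|dport|text, newest first). The last
# port-80 line is invented as a healthy control.
SAMPLE_LOG = """\
6|Jan 21 2013|19:58:14|302013|192.168.10.10|55598|195.39.236.226|443|Built outbound TCP connection 34563 for Outside:195.39.236.226/443 (195.39.236.226/443) to Internal:192.168.10.10/55598 (192.168.240.10/55598)
6|Jan 21 2013|19:58:13|302014|195.39.236.226|443|192.168.10.10|55598|Teardown TCP connection 34562 for Outside:195.39.236.226/443 to Internal:192.168.10.10/55598 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 21 2013|19:58:13|302013|192.168.10.10|55598|195.39.236.226|443|Built outbound TCP connection 34562 for Outside:195.39.236.226/443 (195.39.236.226/443) to Internal:192.168.10.10/55598 (192.168.240.10/55598)
6|Jan 21 2013|19:58:13|302014|195.39.236.226|443|192.168.10.10|55598|Teardown TCP connection 34561 for Outside:195.39.236.226/443 to Internal:192.168.10.10/55598 duration 0:00:00 bytes 0 TCP Reset-O
6|Jan 21 2013|19:57:50|302014|93.184.216.34|80|192.168.10.10|55590|Teardown TCP connection 34550 for Outside:93.184.216.34/80 to Internal:192.168.10.10/55590 duration 0:00:12 bytes 48213 TCP FINs
"""

BUILD_RE = re.compile(r"Built (?:outbound|inbound) TCP connection (\d+) ")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (\d+) for [^:\s]+:([^/\s]+)/(\d+) to \S+ "
    r"duration (\S+) bytes (\d+) (.+)$")

def connection_events(log_text):
    """Pair 302013 (build) and 302014 (teardown) records by ASA connection id."""
    conns = defaultdict(dict)
    for raw in log_text.splitlines():
        fields = raw.split("|", 8)
        if len(fields) != 9:
            continue  # not an ASDM pipe-delimited record
        msgid, text = fields[3], fields[8]
        if msgid == "302013" and (m := BUILD_RE.search(text)):
            conns[int(m.group(1))]["built"] = True
        elif msgid == "302014" and (m := TEARDOWN_RE.search(text)):
            conns[int(m.group(1))]["teardown"] = {
                "server": m.group(2), "server_port": int(m.group(3)),
                "duration": m.group(4), "bytes": int(m.group(5)),
                "reason": m.group(6).strip()}
    return conns

def reset_only_ports(conns):
    """Server ports on which every torn-down connection ended with 0 bytes and
    'TCP Reset-O' (an RST seen on the Outside side before any payload flowed),
    the pattern the thread shows for 443 while other ports stay healthy."""
    per_port = defaultdict(lambda: [0, 0])  # [torn_down, reset_with_no_payload]
    for c in conns.values():
        td = c.get("teardown")
        if td is None:
            continue
        per_port[td["server_port"]][0] += 1
        if td["bytes"] == 0 and "Reset-O" in td["reason"]:
            per_port[td["server_port"]][1] += 1
    return sorted(p for p, (torn, reset) in per_port.items() if torn and reset == torn)
```

Feed it the raw export of the ASDM log viewer; if only 443 comes back while 80 and 25 do not, the fault is in the path that HTTPS alone takes (here the CSC policy), not in the outbound ACL or NAT.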

Hello,

Actually the logs say you are receiving a reset packet from the outside servers...

Do you get the same logs if you try to access another HTTPS server?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, to any https server.

BR

Dimitrios

Hello,

That is pretty weird as everything seems to be good on your config,

What happens if you take the ASA out of the picture, does it work?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dear jcarvaja,

I am sorry for the delayed reply but I was out of town for a project. Well, if ASA is out of the picture, everything works fine.

Today I managed to have a workaround and pinpointed the problem to the CSC rather than the firewall. I have excluded the CSC for all https traffic, and the access to https sites is OK now. This is a semi-acceptable solution because the office can work OK, but the ASA can't perform CSC management for https traffic.

Anyhow, I will look into this in more detail during the week and will post more info of how to solve the problem.
