ASA5510 is blocking one specific website

Daniel Leonard
Level 1

Hello everybody,

At the customer site, we have an ASA5510 (ASA version 9.1.2 - ASDM 7.2.1).

The problem is that only one particular website is blocked, without any logical reason. According to the configuration, we do not block any specific traffic. In fact, all traffic from that interface (higher security level) can go to the (WAN) interface with a lower security level.

ASA interface settings:

  • inside: 192.168.1.254/24 (local LAN)
  • ts-data: 172.19.4.240/24 (another local LAN interface, used for traffic crossing the private WAN)
  • ts-inet: 83.167.X.X (this is the public internet connection)

Example:
From host 192.168.1.51 (inside), the website http://www.adhocdata.nl cannot be reached and is blocked by the ASA. The strange thing is that it seems to be blocked by the wrong interface/access-list (ts-data). This interface has nothing to do with it, because the traffic is initiated from the inside interface to the ts-inet (WAN) interface. So why is the wrong access list blocking only this specific website? All the other web traffic runs smoothly.

See attachment for log information.

Hopefully someone can help me.

Thanks in advance.
Please rate or mark answered for helpful posts.

Hi Marvin!

This is the result:

RSB-W-ASA# sh cap capin 

12 packets captured

   1: 16:19:53.285660       802.1Q vlan#99 P0 192.168.1.63.62575 > 217.119.236.139.80: S 2890204037:2890204037(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> 
   2: 16:19:53.289429       802.1Q vlan#99 P0 192.168.1.63.62576 > 217.119.236.139.80: S 3819549090:3819549090(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> 
   3: 16:19:53.301253       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62575: R 59869520:59869520(0) ack 2890204038 win 8192 
   4: 16:19:53.304809       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62576: R 1539803214:1539803214(0) ack 3819549091 win 8192 
   5: 16:19:53.796620       802.1Q vlan#99 P0 192.168.1.63.62575 > 217.119.236.139.80: S 2890204037:2890204037(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> 
   6: 16:19:53.796925       802.1Q vlan#99 P0 192.168.1.63.62576 > 217.119.236.139.80: S 3819549090:3819549090(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> 
   7: 16:19:53.804813       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62576: R 1133326952:1133326952(0) ack 3819549091 win 8192 
   8: 16:19:53.804890       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62575: R 555211610:555211610(0) ack 2890204038 win 8192 
   9: 16:19:54.296768       802.1Q vlan#99 P0 192.168.1.63.62575 > 217.119.236.139.80: S 2890204037:2890204037(0) win 8192 <mss 1460,nop,nop,sackOK> 
  10: 16:19:54.297195       802.1Q vlan#99 P0 192.168.1.63.62576 > 217.119.236.139.80: S 3819549090:3819549090(0) win 8192 <mss 1460,nop,nop,sackOK> 
  11: 16:19:54.334775       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62575: R 786977574:786977574(0) ack 2890204038 win 8192 
  12: 16:19:54.334867       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62576: R 1027018004:1027018004(0) ack 3819549091 win 8192 
12 packets shown
RSB-W-ASA# 
RSB-W-ASA# sh cap capout

0 packet captured

0 packet shown
RSB-W-ASA# 
--

I've used these captures:

RSB-W-ASA# show capture 
capture capin type raw-data access-list asdm_cap_selector_inside interface inside [Capturing - 952 bytes] 
capture capout type raw-data access-list asdm_cap_selector_outside interface ts-inet [Capturing - 0 bytes] 
RSB-W-ASA# 

Please rate or mark answered for helpful posts.
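As an added example (not code from this thread or from Cisco), a small Python parser for the `show capture` output format quoted above. It groups packets per client flow, pairs each SYN with the replies on that flow, and reports flows that only ever get a RST back (never a SYN-ACK) together with the shortest SYN-to-RST delay, so the reset timing can be compared across destinations instead of read by eye. The sample input is constructed in the same layout as the capin output.

```python
import re
# One line of ASA "show capture <name>" output as quoted in this thread (802.1Q prefix optional).
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<rest>.*)$")
def _secs(ts):  # "HH:MM:SS.ffffff" -> seconds since midnight
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)
def analyse_capture(text):
    """Per client flow (client, cport, server, sport): count SYN, SYN-ACK and RST
    and keep the shortest SYN->RST delay in milliseconds."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "12 packets captured" and similar non-packet lines
        t, flags = _secs(m["ts"]), m["flags"]
        if "S" in flags and " ack " not in m["rest"]:  # client SYN
            key = (m["src"], m["sport"], m["dst"], m["dport"])
            f = flows.setdefault(key, {"syn": 0, "synack": 0, "rst": 0,
                                       "min_rst_ms": None, "_t": None})
            f["syn"], f["_t"] = f["syn"] + 1, t
            continue
        f = flows.get((m["dst"], m["dport"], m["src"], m["sport"]))  # reply direction
        if f is None:
            continue
        if "R" in flags:
            f["rst"] += 1
            delay = round((t - f["_t"]) * 1000, 1)
            if f["min_rst_ms"] is None or delay < f["min_rst_ms"]:
                f["min_rst_ms"] = delay
        elif "S" in flags:
            f["synack"] += 1
    for f in flows.values():
        f.pop("_t")
    return flows

def reset_without_handshake(flows):
    """Flows that only ever got RSTs back and never a SYN-ACK, like the capin output above."""
    return sorted(k for k, f in flows.items() if f["rst"] and not f["synack"])

# Constructed sample in the thread's format: one reset flow and one healthy flow.
SAMPLE = """4 packets captured
   1: 16:19:53.285660       802.1Q vlan#99 P0 192.168.1.63.62575 > 217.119.236.139.80: S 2890204037:2890204037(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   2: 16:19:53.301253       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.63.62575: R 59869520:59869520(0) ack 2890204038 win 8192
   3: 16:19:54.000000       802.1Q vlan#99 P0 192.168.1.63.62600 > 217.118.1.1.80: S 1:1(0) win 8192 <mss 1460>
   4: 16:19:54.030500       802.1Q vlan#99 P0 217.118.1.1.80 > 192.168.1.63.62600: S 9:9(0) ack 2 win 8192 <mss 1460>
4 packets shown"""
```

Run it on the pasted capin text with `reset_without_handshake(analyse_capture(text))`; a flow listed there with a delay of only a few milliseconds is worth comparing against the real round trip to that server.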

Hmm, I'm not sure what's going on with capout, but capin shows the return traffic from the website headed back to the client PC.

If you do the same capture but instead put the capout on the ts-data interface....

--

Please remember to select a correct answer and rate helpful posts

Hi,

Here's the output. It looks like the ASA doesn't route the traffic through ts-inet... but why?

RSB-W-ASA# sh capture 
capture capin type raw-data access-list asdm_cap_selector_inside interface inside [Capturing - 0 bytes] 
capture capout type raw-data access-list asdm_cap_selector_outside interface ts-inet [Capturing - 0 bytes] 
capture captsdata type raw-data access-list asdm_cap_selector_tsdata interface ts-data [Capturing - 0 bytes] 
RSB-W-ASA# 
RSB-W-ASA# sh capture 
capture capin type raw-data access-list asdm_cap_selector_inside interface inside [Capturing - 952 bytes] 
capture capout type raw-data access-list asdm_cap_selector_outside interface ts-inet [Capturing - 0 bytes] 
capture captsdata type raw-data access-list asdm_cap_selector_tsdata interface ts-data [Capturing - 0 bytes] 
RSB-W-ASA# 
RSB-W-ASA# sh cap capin

12 packets captured

   1: 14:06:57.274216       802.1Q vlan#99 P0 192.168.1.62.62520 > 217.119.236.139.80: S 2656530156:2656530156(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> 
   2: 14:06:57.274567       802.1Q vlan#99 P0 192.168.1.62.62521 > 217.119.236.139.80: S 3302571231:3302571231(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> 
   3: 14:06:57.280792       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62520: R 907382114:907382114(0) ack 2656530157 win 8192 
   4: 14:06:57.281143       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62521: R 902039472:902039472(0) ack 3302571232 win 8192 
   5: 14:06:57.779714       802.1Q vlan#99 P0 192.168.1.62.62521 > 217.119.236.139.80: S 3302571231:3302571231(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> 
   6: 14:06:57.780004       802.1Q vlan#99 P0 192.168.1.62.62520 > 217.119.236.139.80: S 2656530156:2656530156(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> 
   7: 14:06:57.786244       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62521: R 188947886:188947886(0) ack 3302571232 win 8192 
   8: 14:06:57.786488       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62520: R 1985605340:1985605340(0) ack 2656530157 win 8192 
   9: 14:06:58.273942       802.1Q vlan#99 P0 192.168.1.62.62521 > 217.119.236.139.80: S 3302571231:3302571231(0) win 8192 <mss 1460,nop,nop,sackOK> 
  10: 14:06:58.274262       802.1Q vlan#99 P0 192.168.1.62.62520 > 217.119.236.139.80: S 2656530156:2656530156(0) win 8192 <mss 1460,nop,nop,sackOK> 
  11: 14:06:58.280609       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62521: R 1470588602:1470588602(0) ack 3302571232 win 8192 
  12: 14:06:58.280792       802.1Q vlan#99 P0 217.119.236.139.80 > 192.168.1.62.62520: R 1896160456:1896160456(0) ack 2656530157 win 8192 
12 packets shown
RSB-W-ASA# 
RSB-W-ASA# sh cap capout

0 packet captured

0 packet shown

RSB-W-ASA# sh cap captsdata

0 packet captured

0 packet shown
RSB-W-ASA# 

Please rate or mark answered for helpful posts.

It seems that all public IP addresses that start with 217.119.x.x give problems. IP addresses starting with 217.118.x.x or 217.120 give no problems.

Please rate or mark answered for helpful posts.

When I ping directly from the ASA interface "ts-inet" (WAN) to 8.8.8.8, everything works well. When I ping 217.119.236.139 from the same interface, it doesn't work and all of the captures stay clean.

Please rate or mark answered for helpful posts.

I cannot find any reason why the ASA would only drop traffic to 217.119.236.139. I am assuming this is a public website and that the remote side doesn't have any local rules blocking your http requests?

By the look of your packet tracer output, the packet is allowed through the ASA and exits the correct interface as well.

To suggest an extreme, have you tried restarting your ASA?

If that doesn't work, or you don't want to do it... and of course depending on how important it is for your users to access this website, I again suggest opening a TAC case to get this resolved.

--

Please remember to select a correct answer and rate helpful posts
