03-21-2011 11:09 PM - edited 03-11-2019 01:10 PM
Ok so I have a weird issue. We use a county facility as our ISP, so to speak. Basically our WAN router is connected over OPT-MAN to this facility. We have ACLs opened on the ASA to allow all traffic inbound/outbound to this facility. Everything works great except they have rolled out a new application that is web-based. There are several modules to this application. All work except the module that communicates over port 3001. The IP address that our site needs to get to over port 3001 is 10.94.1.109. I can telnet to that port; however, if the site is accessed via the https web address (it then launches a terminal session that runs a script to connect to telnet://10.94.1.109:3001), I get a popup window saying "Could Not Connect to Host". I can ping, tracert and resolve successfully via DNS to this address. What am I missing? I've attached the sanitized ASA config:
(Critical side note: I was able to successfully bypass my ASA and directly connect to the site via public IP with no error, so it really seems as if the config of the ASA is now resetting the connection.)
ASA Version 8.0(2)
!
hostname ACME-Perimeter
domain-name acme.acre.ca.us
names
name 10.94.1.109 InterWeb description Web network OPP
dns-guard
!
interface GigabitEthernet0/0
speed 1000
duplex full
nameif Outside
security-level 0
ip address X.X.X.X.25 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif Inside
security-level 100
ip address 192.168.100.139 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.100.6
name-server 192.168.100.3
domain-name acme.acre.ca.us
same-security-traffic permit intra-interface
object-group network ACME
network-object 192.168.31.0 255.255.255.0
network-object 192.168.32.0 255.255.255.0
network-object 192.168.35.0 255.255.255.0
network-object 192.168.36.0 255.255.255.0
network-object 192.168.37.0 255.255.255.0
network-object 192.168.38.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
network-object 192.168.41.0 255.255.255.0
network-object 192.168.42.0 255.255.255.0
network-object 10.16.0.0 255.255.0.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Inside_nat_outbound extended permit ip object-group ACME any
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any host X.X.X.X.21 eq smtp
access-list Outside_access_in extended permit tcp any host X.X.X.X.21 eq www
access-list Outside_access_in extended permit tcp any host X.X.X.X.26 eq https
access-list Outside_access_in extended permit tcp any host X.X.X.X.26 eq www
access-list Outside_access_in extended permit tcp any host X.X.X.X.26 object-group Subfinder
access-list Outside_access_in extended permit ip host 10.94.1.10 any
access-list Outside_access_in extended permit udp host 10.94.1.10 any eq snmptrap
access-list Outside_access_in extended permit tcp any host X.X.X.X.200 object-group RDP
access-list Outside_access_in extended permit tcp any host X.X.X.X.23 eq https
access-list Outside_access_in extended permit tcp any host X.X.X.X.21 eq https
access-list Outside_access_in extended permit tcp any any object-group Barracuda
access-list Outside_access_in extended permit tcp any host X.X.X.X.131 eq https
access-list Outside_access_in remark For Lenette
access-list Outside_access_in extended permit tcp any host X.X.X.X.201 object-group RDP
access-list Outside_access_in extended permit tcp host InterWeb any eq 3001
access-list Outside_access_in extended permit ip host InterWeb any
access-list INTERNET extended permit tcp host 192.168.100.201 any eq www
access-list INTERNET extended permit tcp host 192.168.100.201 any eq https
access-list INTERNET extended permit tcp host 192.168.100.202 any eq https
access-list INTERNET extended permit tcp host 192.168.100.202 any eq www
access-list INTERNET extended permit tcp host 192.168.100.211 any eq https
access-list INTERNET extended permit tcp host 192.168.100.211 any eq www
access-list ACSTACACS extended permit tcp any any eq www
access-list ACSTACACS extended permit tcp any any eq https
access-list Inside_access_in extended permit ip any any
access-list cap extended permit tcp any host X.X.X.X.21 eq smtp
access-list cap extended permit tcp any host X.X.X.X.21 eq www
access-list global_mpc extended permit ip 10.94.0.0 255.255.0.0 any
access-list global_mpc extended permit ip any 10.94.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip 10.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list acme_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list acme_splitTunnelAcl standard permit 10.16.0.0 255.255.0.0
access-list inside_out extended deny tcp any host 94.100.25.138 eq 4723
access-list inside_out extended permit ip any any
!
tcp-map OPP-map
no ttl-evasion-protection
urgent-flag allow
!
pager lines 24
logging enable
logging monitor debugging
logging history emergencies
logging asdm informational
logging mail emergencies
logging from-address asa@acme.acre.ca.us
logging recipient-address Helen@acme.acre.ca.us level errors
logging host Inside 192.168.100.79
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN_Users 192.168.200.1-192.168.200.15 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
global (Outside) 2 X.X.X.X.21
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 2 10.16.2.135 255.255.255.255
nat (Inside) 2 192.168.100.20 255.255.255.255
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp X.X.X.X.21 www 10.16.2.135 www netmask 255.255.255.255
static (Inside,Outside) tcp X.X.X.X.21 smtp 192.168.100.20 smtp netmask 255.255.255.255
static (Inside,Outside) tcp X.X.X.X.21 https 10.16.2.135 https netmask 255.255.255.255
static (Inside,Outside) X.X.X.X.26 192.168.100.4 netmask 255.255.255.255
static (Inside,Outside) 192.168.100.1 192.168.100.1 netmask 255.255.255.255
static (Inside,Outside) 192.168.31.1 192.168.31.1 netmask 255.255.255.255
static (Inside,Outside) 192.168.32.1 192.168.32.1 netmask 255.255.255.255
static (Inside,Outside) 192.168.35.1 192.168.35.1 netmask 255.255.255.255
static (Inside,Outside) 192.168.36.1 192.168.36.1 netmask 255.255.255.255
static (Inside,Outside) 192.168.37.1 192.168.37.1 netmask 255.255.255.255
static (Inside,Outside) 192.168.38.1 192.168.38.1 netmask 255.255.255.255
static (Inside,Outside) 192.168.40.1 192.168.40.1 netmask 255.255.255.255
static (Inside,Outside) 192.168.41.1 192.168.41.1 netmask 255.255.255.255
static (Inside,Outside) 192.168.42.1 192.168.42.1 netmask 255.255.255.255
static (Inside,Outside) X.X.X.X.23 192.168.100.136 netmask 255.255.255.255
static (Inside,Outside) X.X.X.X.200 192.168.100.130 netmask 255.255.255.255
static (Inside,Outside) X.X.X.X.50 192.168.100.114 netmask 255.255.255.255
static (Inside,Outside) X.X.X.X.51 192.168.100.116 netmask 255.255.255.255
static (Inside,Outside) X.X.X.X.54 192.168.100.98 netmask 255.255.255.255
static (Inside,Outside) X.X.X.X.56 192.168.100.96 netmask 255.255.255.255
static (Inside,Outside) X.X.X.X.58 192.168.100.110 netmask 255.255.255.255
static (Inside,Outside) X.X.X.X.57 192.168.100.117 netmask 255.255.255.255
static (Inside,Outside) X.X.X.X.131 192.168.100.131 netmask 255.255.255.255
static (Inside,Outside) 10.16.100.6 10.16.100.6 netmask 255.255.255.255
static (Inside,Outside) 10.16.161.1 10.16.161.1 netmask 255.255.255.255
static (Inside,Outside) 10.16.141.1 10.16.141.1 netmask 255.255.255.255
static (Inside,Outside) 10.161.121.1 10.16.121.1 netmask 255.255.255.255
static (Inside,Outside) 10.16.111.1 10.16.111.1 netmask 255.255.255.255
static (Inside,Outside) 10.16.131.1 10.16.131.1 netmask 255.255.255.255
static (Inside,Outside) 10.16.151.1 10.16.151.1 netmask 255.255.255.255
static (Inside,Outside) 10.16.100.26 10.16.100.26 netmask 255.255.255.255
static (Inside,Outside) X.X.X.X.201 192.168.100.123 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_out in interface Inside
route Outside 0.0.0.0 0.0.0.0 X.X.X.X.1 1
route Inside 10.16.0.0 255.255.0.0 192.168.100.1 1
route Inside 192.168.31.0 255.255.255.0 192.168.100.1 1
route Inside 192.168.32.0 255.255.255.0 192.168.100.1 1
route Inside 192.168.35.0 255.255.255.0 192.168.100.1 1
route Inside 192.168.36.0 255.255.255.0 192.168.100.1 1
route Inside 192.168.37.0 255.255.255.0 192.168.100.1 1
route Inside 192.168.38.0 255.255.255.0 192.168.100.1 1
route Inside 192.168.40.0 255.255.255.0 192.168.100.1 1
route Inside 192.168.41.0 255.255.255.0 192.168.100.1 1
route Inside 192.168.42.0 255.255.255.0 192.168.100.1 1
route Inside 192.168.200.0 255.255.255.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS protocol radius
aaa-server ACS host 192.168.100.138
key acme12345
radius-common-pw acme12345
aaa-server ACSTACACS protocol tacacs+
aaa-server ACSTACACS host 192.168.100.138
key cisco
aaa-server RADIUS protocol radius
reactivation-mode depletion deadtime 15
aaa-server RADIUS host 192.168.100.6
timeout 15
key 3tech2
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 Inside
http 192.168.100.0 255.255.255.0 Inside
http 10.16.0.0 255.255.0.0 Inside
http 192.168.200.0 255.255.255.0 Inside
snmp-server host Outside 10.94.1.10 community acmenet udp-port 161
snmp-server location Acmenet
snmp-server contact Helen B
snmp-server community acmenet
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet 0.0.0.0 0.0.0.0 Inside
telnet 192.168.100.130 255.255.255.255 Inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
console timeout 0
vpn load-balancing
interface lbpublic Inside
interface lbprivate Inside
threat-detection basic-threat
threat-detection statistics
!
class-map OPP-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1500
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class OPP-class
set connection random-sequence-number disable
set connection advanced-options OPP-map
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy ODPD internal
group-policy ODPD attributes
vpn-tunnel-protocol IPSec
group-policy RSCIntegra internal
group-policy RSCIntegra attributes
dns-server value 192.168.100.6 192.168.100.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acme_splitTunnelAcl
default-domain value acme.int
nac-settings none
address-pools value VPN_Users
group-policy Follett internal
group-policy Follett attributes
dns-server value 192.168.100.6 192.168.100.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acme_splitTunnelAcl
default-domain value acme.int
nac-settings none
address-pools value VPN_Users
group-policy BayShore internal
group-policy BayShore attributes
dns-server value 192.168.100.6 192.168.100.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acme_splitTunnelAcl
default-domain value acme.int
nac-settings none
address-pools value VPN_Users
group-policy SWN internal
group-policy SWN attributes
dns-server value 192.168.100.6 192.168.100.3
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acme_splitTunnelAcl
default-domain value acme.int
nac-settings none
address-pools value VPN_Users
username dturner password OmVlu6frR/NxYsZs encrypted privilege 15
username dturner attributes
vpn-group-policy SWN
username niccisco password OB3G7r0gvwdHBR/. encrypted privilege 0
username niccisco attributes
vpn-group-policy ODPD
username acme password soM1flywE1.uIwqu encrypted privilege 15
username cisco password ffIRPGpDSOJh9YLq encrypted
username vlsadmin password /foy9lnUCfk/SlEL encrypted privilege 15
tunnel-group ODPD type remote-access
tunnel-group ODPD general-attributes
address-pool VPN_Users
default-group-policy ODPD
tunnel-group ODPD ipsec-attributes
pre-shared-key *
tunnel-group SWN type remote-access
tunnel-group SWN general-attributes
address-pool VPN_Users
default-group-policy SWN
tunnel-group SWN ipsec-attributes
pre-shared-key *
tunnel-group Jiollett type remote-access
tunnel-group Jiollett general-attributes
address-pool VPN_Users
authentication-server-group RADIUS
default-group-policy Jiollett
authorization-required
tunnel-group Jiollett ipsec-attributes
pre-shared-key *
tunnel-group RSCIntegra type remote-access
tunnel-group RSCIntegra general-attributes
address-pool VPN_Users
authentication-server-group RADIUS
default-group-policy RSCIntegra
authorization-required
tunnel-group RSCIntegra ipsec-attributes
pre-shared-key *
tunnel-group BayShore type remote-access
tunnel-group BayShore general-attributes
address-pool VPN_Users
authentication-server-group RADIUS
default-group-policy BayShore
tunnel-group BayShore ipsec-attributes
pre-shared-key *
smtp-server 192.168.100.136
prompt hostname context
Cryptochecksum:829eb36496b5282683442e96bbb61360
: end
03-22-2011 12:07 AM
I can't see any static translation configured for 10.94.1.109, nor any static route pointing towards the 10.94.1.0 network.
Further to that, the following access-list entries are also incorrect:
access-list Outside_access_in extended permit tcp host InterWeb any eq 3001
access-list Outside_access_in extended permit ip host InterWeb any
If the connection is from the Internet (outside) towards inside, then it should be configured as follows:
access-list Outside_access_in extended permit tcp any host
03-22-2011 12:56 AM
Jennifer,
Thank you for your response. I agree with you on the ACL statements and neglected to remove those after testing. I've removed the ACL in question; however, I want to reiterate we are getting to all resources on the 10.94.x.x networks just fine with the exception of that one webserver and port. Wouldn't I see "Deny" in the syslog rather than "Reset-I" if I was truly not able to get to that resource? Also, from a host behind our ASA I can run telnet 10.94.1.109 3001 and connect fine. Please make specific suggestions related to my config if you think otherwise.
Thanks again!
Dee
03-22-2011 01:32 AM
I totally cannot see a reason how you can get connected to 10.94.1.109 from the Internet, as I don't see that configuration at all in your ASA, unless the IP address is something else?
When you tested it from the inside, of course it will work because you do not need to configure any NATing.
When you tested it from the outside/internet, you will need to NAT it to a public IP address and open the necessary port before access works.
Please point me to the exact configuration on the ASA that says all the other ports work just fine from the outside for the 10.94.x.x network, because I fail to see how it is even possible. Unless you have another ASA that is supposed to be passing this traffic.
03-22-2011 07:37 AM
We are directly connected over "WAN" (router to router) to the facility over OPTMAN. All network resources are reachable end to end using private IPs. Ours is 10.16.x.x, theirs is 10.94.x.x. So just to reiterate: if we launch the application, i.e. http://webapplication.acme (resolves to 10.94.1.109), we are able to access this no problem. It is when a module (sub-application) is clicked that uses port 3001 that generates the connection or Reset-I issue. What could be causing this is my question. In my experience, if I was not able to access the resource I would see a "Deny" in the syslog. The fact that I'm able to connect to the FQDN/IP web application and telnet to that port seems like opposite evidence of a NAT issue, wouldn't you agree?
Dee
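Dee's "Deny" versus "Reset-I" distinction is worth making precise, because the ASA reports the two very differently: an ACL drop is logged as message 106023 (`Deny ... by access-group`), whereas a connection that was built and later torn down is logged as 302014 with a reason such as `TCP FINs`, `TCP Reset-I` (reset seen from the inside host) or `TCP Reset-O` (reset seen from the outside host). A flow that shows up as "built, bytes 0, Reset" was therefore not blocked by an ACL; the triage question is who sent the reset. The script below is an added example, not from the thread or from Cisco: it runs over a few constructed syslog lines (the connection ids, the inside client 192.168.100.50 and the byte counts are made up for illustration, and the message formats follow the ASA 8.x syntax for 302013, 302014 and 106023) and summarises, per remote endpoint, how each connection ended.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not captured from the ASA in the thread).
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 4711 for Outside:10.94.1.109/3001 (10.94.1.109/3001) to Inside:192.168.100.50/51234 (192.168.100.50/51234)
%ASA-6-302014: Teardown TCP connection 4711 for Outside:10.94.1.109/3001 to Inside:192.168.100.50/51234 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302013: Built outbound TCP connection 4712 for Outside:10.94.1.109/443 (10.94.1.109/443) to Inside:192.168.100.50/51240 (192.168.100.50/51240)
%ASA-6-302014: Teardown TCP connection 4712 for Outside:10.94.1.109/443 to Inside:192.168.100.50/51240 duration 0:00:12 bytes 18320 TCP FINs
%ASA-4-106023: Deny tcp src Inside:192.168.100.50/51250 dst Outside:94.100.25.138/4723 by access-group "inside_out" [0x0, 0x0]
"""

# interface:ip/port, with a name prefix so the same fragment can be used twice in one pattern
ENDPOINT = r"(?P<{n}_if>\w+):(?P<{n}_ip>[\d.]+)/(?P<{n}_port>\d+)"
TEARDOWN = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    + ENDPOINT.format(n="a") + r" to " + ENDPOINT.format(n="b")
    + r" duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)
DENY = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src " + ENDPOINT.format(n="a")
    + r" dst " + ENDPOINT.format(n="b") + r' by access-group "(?P<acl>[^"]+)"'
)


def remote_endpoint(m):
    """(ip, port) of whichever endpoint is not on the Inside interface, i.e. the remote server."""
    if m.group("a_if") == "Inside":
        return m.group("b_ip"), int(m.group("b_port"))
    return m.group("a_ip"), int(m.group("a_port"))


def summarize(log_text):
    """Count ACL denies and connection teardown reasons per remote (ip, port)."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if m:
            summary[remote_endpoint(m)]["teardown: " + (m.group("reason") or "unspecified")] += 1
            continue
        m = DENY.search(line)
        if m:
            summary[remote_endpoint(m)]["acl deny (%s)" % m.group("acl")] += 1
    return summary


def zero_byte_resets(log_text):
    """Connections reset before any payload flowed: the handshake went through the ASA, then a RST."""
    hits = []
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if m and m.group("bytes") == "0" and (m.group("reason") or "").startswith("TCP Reset"):
            hits.append((int(m.group("conn")), remote_endpoint(m), m.group("reason")))
    return hits


if __name__ == "__main__":
    for endpoint, reasons in summarize(SAMPLE_LOG).items():
        print("%s:%d" % endpoint, dict(reasons))
    print("zero-byte resets:", zero_byte_resets(SAMPLE_LOG))
```

On real logs, a Reset-I on a zero-byte flow to 10.94.1.109:3001 points at the inside client (or something in its path) tearing the session down, while a Reset-O would point at the far side; either way the absence of a 106023 for that tuple confirms the ACLs are not the blocker, and the next place to look is whatever sits between the stateful connection and the reset, such as the TCP normalizer settings applied through `OPP-map` for the `global_mpc` class in the posted config.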
03-22-2011 08:25 PM
Sorry, without actually understanding your topology, it is difficult to say where the problem is, and there are a number of contradicting statements provided.
You will know your topology by heart; however, you mention OPTMAN, etc., that we have no knowledge about.
So if you can please advise the following that would help us to better understand your network and how the connection works:
1) What is the source and destination IP Address
2) You mention access to public IP, but so far only 10.94.x.x is mentioned, so what is the actual public IP, and are you actually connecting to it via its public or private IP?
3) Which ASA interface is connected to the source, and which ASA interface is connected to the destination?
4) Which ASA interface is connected to WAN, and which ASA interface is connected to OPTMAN?
Once we have the above information, it should be clearer on how the connection actually goes.
Despite that, if you already have connectivity between the two source and destination IPs, I wouldn't think it has anything to do with NAT, unless access to port 3001 is actually restricted to listen only on a specific IP.