Error Reset-O Reset-I

MarcoM
Level 1

Hi all,

I have a strange error on my ASA5515-X and I cannot understand what it can be.

I NATted the mail server with service https:

object network Owa_10.0.1.4
 host 10.0.1.4
object network Owa_10.0.1.4
 nat (INSIDE,OUTSIDE) static interface service tcp https https
access-list INSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-group INSIDE_access_in in interface INSIDE
access-group OUTSIDE_access_in in interface OUTSIDE
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.0.1.254 255.255.0.0
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 217.5x.xxx.xxx 255.255.255.240
!

If I send a mail from inside to outside, the mail reaches the receiver; if a mail is sent from outside (such as from @Gmail.com to an internal mailbox), it does not arrive. Attached are logs with TCP Reset-O.

What could be the issue? Do I have something wrong in the configuration?

Thanks in advance.

M

4 Replies

johflore
Level 1

Hello Marco,

Your configuration looks all right. I would say "permit ip any any" is okay in this case for troubleshooting purposes, but do not forget to change the rules on outside later and only allow the services you need. Besides that, your configuration is fine. Also, in the log provided the connection looks okay from the firewall perspective.

Here is the meaning of Reset-O and Reset-I, according to the title of this post:

- TCP Reset-I - The client tears down the connection (typical in an SMTP or IMAP exchange; -I = inside interface).

- TCP Reset-O - The server was not listening on that protocol at that time (usually seen as coming from SMTP servers; -O = outside interface).

I would suggest you check if the server is listening on the required ports (netstat works for this), run some captures on your server, maybe using Wireshark, in order to confirm whether the server is resetting the connection, and check for incoming traffic.

Run some captures on the firewall in order to confirm the reset is coming from outside.

capture inside interface inside match tcp any host 10.0.1.4 eq 443
capture outside interface outside match tcp any host 217.5x.xxx.xxx eq 443
capture asp type asp all          >>> in order to check packets the firewall has dropped
show capture asp | inc 10.0.1.4
show capture asp | inc 217.5x.xxx.xxx.443
show capture inside               >>> check for the TCP reset flag (R)

Captures:

https://supportforums.cisco.com/docs/DOC-17345

Jhn
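As an added example, not code from the thread or from Cisco, here is a small Python parser for the ASA connection-teardown syslog (%ASA-6-302014) that Jhn's Reset-I/Reset-O explanation refers to. It counts teardown reasons per destination host and port and lists resets on connections that never carried any bytes, which is the pattern to look for when a service is suspected of not answering. The sample lines are constructed for the example (10.0.1.4 is the OWA host from the thread; the public addresses are documentation ranges) and are not Marco's attachment, which is not on the page.

```python
import re
from collections import Counter

# Constructed sample of ASA syslogs for this example; not the attachment from the thread.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 4711 for OUTSIDE:203.0.113.5/51234 (203.0.113.5/51234) to INSIDE:10.0.1.4/443 (203.0.113.190/443)
%ASA-6-302014: Teardown TCP connection 4711 for OUTSIDE:203.0.113.5/51234 to INSIDE:10.0.1.4/443 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 4712 for OUTSIDE:203.0.113.5/51240 to INSIDE:10.0.1.4/443 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 4713 for INSIDE:10.0.1.4/49152 to OUTSIDE:198.51.100.25/25 duration 0:00:03 bytes 8123 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 4714 for INSIDE:10.0.1.50/49200 to OUTSIDE:198.51.100.80/443 duration 0:02:10 bytes 20987 TCP FINs
"""

# Classic 302014 layout: "Teardown TCP connection <id> for <if>:<ip>/<port> to
# <if>:<ip>/<port> duration h:mm:ss bytes <n> <reason>". Newer releases may append
# user or "from" fields; those variants are not handled here.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def parse_teardowns(text):
    """Return one dict per 302014 line; other messages (e.g. 302013 Built) are skipped."""
    records = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        records.append({
            "conn": int(g["conn"]),
            "src_if": g["src_if"], "src_ip": g["src_ip"], "src_port": int(g["src_port"]),
            "dst_if": g["dst_if"], "dst_ip": g["dst_ip"], "dst_port": int(g["dst_port"]),
            "duration_s": int(g["h"]) * 3600 + int(g["m"]) * 60 + int(g["s"]),
            "bytes": int(g["bytes"]),
            "reason": g["reason"],
        })
    return records


def reset_side(reason):
    """Which side of the firewall the RST arrived from, per the -I / -O suffix."""
    if reason == "TCP Reset-I":
        return "inside"
    if reason == "TCP Reset-O":
        return "outside"
    return None


def summarize(records):
    """Count teardowns by (reason, destination host, destination port)."""
    return Counter((r["reason"], r["dst_ip"], r["dst_port"]) for r in records)


def zero_byte_resets(records):
    """Connections torn down by RST before any payload flowed. Repeated entries to
    the same host:port are the firewall-side symptom of a service that is not
    accepting the connection, which is what the thread is trying to confirm."""
    return [r for r in records
            if r["reason"].startswith("TCP Reset") and r["bytes"] == 0]


if __name__ == "__main__":
    recs = parse_teardowns(SAMPLE_LOGS)
    for (reason, ip, port), n in summarize(recs).most_common():
        print(f"{n:3d}  {reason:12s} -> {ip}:{port}")
    for r in zero_byte_resets(recs):
        print(f"conn {r['conn']}: zero-byte {r['reason']} (RST from {reset_side(r['reason'])} side) "
              f"{r['src_ip']}:{r['src_port']} -> {r['dst_ip']}:{r['dst_port']}")
```

Pipe the output of `show logging` (or the syslog server's file) into `parse_teardowns` and compare the zero-byte reset list with the packet captures Jhn suggests; the capture shows which host actually set the R flag, while the teardown reason only tells you which interface it arrived on.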


Hi Jhn,

thanks a lot for the reply.

Sure, my ACL any/any is only for this stage of troubleshooting :-)

Later I will check the mail server with the "netstat" command for listening ports.

I take this opportunity to ask you: if I NAT the mail server's https service to the same IP address as the outside interface of the firewall, and I set up an AnyConnect VPN, it may not work, right? (https overlaps between AnyConnect and the mail server.)

Pasted configuration of the AnyConnect VPN:

interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 217.56.23.190 255.255.255.240
crypto ikev2 enable OUTSIDE
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
webvpn
 enable OUTSIDE
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect profiles VpnAnyConnect_client_profile disk0:/VpnAnyConnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_VpnAnyConnect internal
group-policy GroupPolicy_VpnAnyConnect attributes
 wins-server none
 dns-server value 10.0.1.2 10.0.1.9
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Reti_Interne
 default-domain value bdossf.local
 webvpn
  anyconnect profiles value VpnAnyConnect_client_profile type user
tunnel-group VpnAnyConnect type remote-access
tunnel-group VpnAnyConnect general-attributes
 address-pool PoolVpnAnyConnect
 authentication-server-group RADIUS
 default-group-policy GroupPolicy_VpnAnyConnect
tunnel-group VpnAnyConnect webvpn-attributes
 group-alias VpnAnyConnect enable
!

Should I change the port of AnyConnect, or do anything else?

Thanks.

M

Hi Jhn,

I attached the output of the "netstat" command on the mail server.

Let me know if you can.

Thanks.

M

Hello,

Yes, the AnyConnect will use port 443 (this is used as it will be open in almost any location), but if you want to forward traffic to an internal web server while having this configuration then you are in trouble.

Proposed Configuration

config te
webvpn
 no enable outside
 port 442
 enable outside
 exit
write mem

Looking for some networking assistance? Contact me at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
http://laguiadelnetworking.com
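As an added check, not code from the thread or from Cisco, the following Python script parses an ASA configuration excerpt for exactly the overlap Marco asked about: an object NAT that maps tcp/443 onto the OUTSIDE interface address while webvpn is enabled on that same interface on its default port 443. It then shows that the `port 442` change Julio proposes clears the conflict. The configuration text is constructed for the example from the excerpts in the thread (the public address is replaced with a documentation-range address), and the port-name table covers only the common well-known names.

```python
import re

# Constructed ASA excerpt modelled on the thread: object NAT of 10.0.1.4 to the
# OUTSIDE interface address on tcp/https, and webvpn enabled on OUTSIDE with its
# default port (443). Not the poster's verbatim running configuration.
CONFLICTING_CONFIG = """\
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.0.1.254 255.255.0.0
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 203.0.113.190 255.255.255.240
!
object network Owa_10.0.1.4
 host 10.0.1.4
object network Owa_10.0.1.4
 nat (INSIDE,OUTSIDE) static interface service tcp https https
webvpn
 enable OUTSIDE
 anyconnect enable
"""

# Same excerpt with the fix proposed in the thread: webvpn moved to tcp/442.
FIXED_CONFIG = CONFLICTING_CONFIG.replace(" enable OUTSIDE\n", " port 442\n enable OUTSIDE\n")

# Small table of ASA port keywords; numeric ports are accepted as well.
PORT_NAMES = {"http": 80, "https": 443, "smtp": 25, "ssh": 22, "ftp": 21,
              "telnet": 23, "imap4": 143, "pop3": 110}

# Object NAT to the mapped interface's own address with a port translation:
#   nat (real_ifc,mapped_ifc) static interface service tcp real_port mapped_port
NAT_RE = re.compile(
    r"nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) static interface"
    r" service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+)"
)


def to_port(token):
    """Resolve an ASA port keyword or number to an integer."""
    if token.isdigit():
        return int(token)
    if token.lower() in PORT_NAMES:
        return PORT_NAMES[token.lower()]
    raise ValueError(f"unknown port keyword: {token}")


def parse_asa(text):
    """Extract interface-PAT rules and the global webvpn listener settings.
    Top-level (unindented) lines open a block; indented lines belong to it, so the
    'webvpn' sub-mode inside group-policy attributes is not mistaken for the
    global webvpn block."""
    cfg = {"interface_pat": [], "webvpn": {"port": 443, "enabled": set()}}
    block = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():
            block = raw.strip()
            continue
        if block is None:
            continue
        line = raw.strip()
        if block.startswith("object network"):
            m = NAT_RE.match(line)
            if m:
                cfg["interface_pat"].append({
                    "object": block.split()[-1],
                    "real_if": m["real_if"], "mapped_if": m["mapped_if"],
                    "proto": m["proto"],
                    "real_port": to_port(m["real_port"]),
                    "mapped_port": to_port(m["mapped_port"]),
                })
        elif block == "webvpn":
            parts = line.split()
            if parts[0] == "port" and len(parts) == 2:
                cfg["webvpn"]["port"] = int(parts[1])
            elif parts[0] == "enable" and len(parts) == 2:
                cfg["webvpn"]["enabled"].add(parts[1])
    return cfg


def find_port_conflicts(cfg):
    """Report every interface PAT whose mapped tcp port is also the webvpn
    listener port on an interface where webvpn is enabled."""
    web = cfg["webvpn"]
    issues = []
    for pat in cfg["interface_pat"]:
        if (pat["proto"] == "tcp" and pat["mapped_if"] in web["enabled"]
                and pat["mapped_port"] == web["port"]):
            issues.append(
                f"tcp/{pat['mapped_port']} on {pat['mapped_if']} is claimed both by webvpn "
                f"and by object NAT {pat['object']} (-> tcp/{pat['real_port']} on {pat['real_if']})"
            )
    return issues


if __name__ == "__main__":
    for label, text in (("before", CONFLICTING_CONFIG), ("after", FIXED_CONFIG)):
        print(label, find_port_conflicts(parse_asa(text)) or ["no conflicts"])
```

Run it against `show running-config` output before pushing a new interface PAT or enabling webvpn: the two features are configured in unrelated sections of the config, which is why the overlap is easy to miss until one of the two services stops answering on 443.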