outside host blocked

jimmylehto
Level 1

I have a host on the outside I want to access.

The problem is the ASA 5505 has somehow blocked traffic to this host.

I can find nothing in the shun list and there is no ACL rule stating that this specific host is blocked.

Where else can I check to see if it's blacklisted?

My home computer, which is not behind any firewall, easily accesses this host.

The host is also blocked from accessing the webpage behind my ASA.

Also, my home computer can access this website without any problems.

15 Replies

mkdccie
Level 1

Hi,

If you generate the traffic from inside to outside, you don't need an ACL, and the ASA will know the return traffic and allow it.

So you have something else that blocks it; can you ping that host from the firewall itself?

Can you give more info about the network so we can help you?

Regards,

MKD

I have 1 webserver behind the ASA and a lot of client computers.

I have 2 Ubuntu computers outside, directly on the internet; they both run FTP servers.

I have my home computer that is not behind the ASA.

The clients on the inside want to access both Ubuntu FTP servers.

Ubuntu 1 works great, no problems whatsoever: traceroute, ping, ftp, http.

Ubuntu 2 gets a timeout on the FTP client and no response to ping, traceroute, http.

On my home computer I can access both Ubuntu servers perfectly fine.

When I log on to the Ubuntu computers and start Firefox to try to access the webserver behind the ASA:

Ubuntu 1 works fine and no problems at all.

Ubuntu 2 gets "server not responding".

Here is my show access-list:

http://dev.inetpro.org/pastebin/1644

Really, no one who has any ideas on what it could be?

I've tried disabling basic threat detection but I see no difference.

Please kindly share the ASA configuration, as well as the IP address of the client on the inside from which you are trying to access those 2 Ubuntu servers, and also the IP addresses of both servers.

Are you trying to access the server by IP Address or by FQDN?

Running configuration at

http://dev.inetpro.org/pastebin/1647

Trying to access the server by IP and DNS name.

Inside client IP is 192.168.1.34

Banned host has 87.253.75.44

The ASA outside IP is 87.253.75.42

Non-blocked host has IP 87.253.75.43

I also tried accessing the HTTP server that is behind the ASA; that only works from 87.253.75.43, and 87.253.75.44 gets ACL denied:

3 | Nov 12 2012 | 16:14:46 | 710003 | 87.253.75.44 | 35168 | 87.253.75.42 | 80 | TCP access denied by ACL from 87.253.75.44/35168 to inside:87.253.75.42/80

Your class map has been incorrectly configured.

You are matching any traffic and inspect it against PPTP and FTP which is incorrect.

You should only match it against the default protocol and ports.

To make it easy, just use the default inspection policy as follows:

class-map inspection_default
  match default-inspection-traffic
policy-map global_policy
  class inspection_default
    inspect ftp
    inspect pptp
    inspect icmp
no service-policy global-policy-vpn global
service-policy global_policy global

OK, I did what you suggested but I still have the same problem.

New running config:

http://dev.inetpro.org/pastebin/1648

Did you "clear xlate" after making the changes and try again?

Also, if you run packet tracer, where is it failing?

Cleared xlate:

Bsldurssonfw# clear xlate

INFO: 528 xlates deleted

Still no go.

Packet tracer is successful.

But still cannot access the host in question.

I did a packet trace from inside 192.168.1.34 TCP 80 to 87.253.75.44 TCP 80, and it was "allowed".

If packet tracer is successful, then it is not an issue on the ASA.

I would check the host itself.

Does it have dual NICs, or just the one NIC? Is the packet actually getting to it? And is it replying?

Are you able to ping the host from the ASA itself? Does the ASA have the correct ARP for that host?

The ASA is blocking it somehow.

I have remote control over the blocked host, and if I open up a browser on it and surf to the ASA IP while I'm logging the connection attempt, ASA logging is giving me this:

3 | Nov 13 2012 | 13:32:01 | 710003 | 87.253.75.44 | 35293 | 87.253.75.42 | 80 | TCP access denied by ACL from 87.253.75.44/35293 to inside:87.253.75.42/80

On a computer not behind the ASA there are no problems getting to 87.253.75.44,

but no clients behind the ASA can access it.

Not sure what you mean by correct ARP host.
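The two log rows quoted in this thread are ASA syslog message 710003, which the ASA emits when a connection aimed at one of its own interface addresses is denied by an ACL. The following parser is an added example, not code from the thread or from Cisco: it reads raw-format lines (the sample log below is constructed from the two rows above plus one unrelated connection message), groups the denials by source, destination and port, and flags the ones whose destination is an address the ASA itself owns (here the outside IP 87.253.75.42 from the thread), which is the quickest way to see whether one outside host is being repeatedly denied to-the-box.

```python
import re
from collections import Counter

# %ASA-3-710003: {TCP|UDP} access denied by ACL from src/sport to ifc:dst/dport
# (the message type seen twice in the thread above).
ASA_710003 = re.compile(
    r"%ASA-\d-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample: the two denials quoted in the thread, in the raw syslog
# format the ASA sends to a syslog server, plus one unrelated 302013 line.
SAMPLE_LOG = """\
Nov 12 2012 16:14:46: %ASA-3-710003: TCP access denied by ACL from 87.253.75.44/35168 to inside:87.253.75.42/80
Nov 12 2012 16:15:02: %ASA-6-302013: Built inbound TCP connection 1234 for outside:87.253.75.43/40000 (87.253.75.43/40000) to inside:192.168.1.10/80 (87.253.75.42/80)
Nov 13 2012 13:32:01: %ASA-3-710003: TCP access denied by ACL from 87.253.75.44/35293 to inside:87.253.75.42/80
"""


def parse_710003(log_text):
    """Return one dict per 710003 message found in log_text; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ASA_710003.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def summarize(events, box_ips):
    """Count denials per (src, dst, dport); also return the subset whose
    destination is one of the ASA's own interface addresses (to-the-box)."""
    counts = Counter((e["src"], e["dst"], e["dport"]) for e in events)
    to_box = {key: n for key, n in counts.items() if key[1] in box_ips}
    return counts, to_box


if __name__ == "__main__":
    counts, to_box = summarize(parse_710003(SAMPLE_LOG), {"87.253.75.42"})
    for (src, dst, dport), n in to_box.items():
        print(f"{src} -> {dst}:{dport} denied to-the-box {n} time(s)")
```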

OK, try this:

object network rdpgate-http
 no nat (any,outside) static interface service tcp www www
 nat (inside,outside) static interface service tcp www www

Then "clear xlate"

Then try to browse again from the blocked host to the ASA IP.

Done this also and no go.

It is only this IP 87.253.75.44 that is blocked in the ASA;

another host 87.253.75.43 can access the www page behind the ASA without any problems.

If packet tracer is successful from and to 87.253.75.44, then it is unlikely it is an issue with the ASA.

If you change the IP address of the host to a different address, does it work? What is the default gateway of that host?
