
Routing? SOLVED

Sean Haynes
Level 1

Afternoon 

We have an ASA 5508 security appliance that was completely reconfigured over the summer break. The ASA is configured with an outside interface for internet access, an interface dedicated to the wireless network, an interface dedicated to an Apple network and finally an 'Inside' interface dedicated to the normal wired production network.

Everything works as it should apart from one thing which I can't seem to figure out.

We use a 'Virtual Learning Environment' (VLE) for our students, staff and parents to access; it's a Linux based Web Server that is designed to be accessible from anywhere on any web browser enabled device, except apparently from our wireless network.

See the topology diagram attached.

If we log onto an Apple PC on the 'Apple network' we can access the VLE web server, which lives on the 'Inside' interface, without issue.

We can access the web server from the internet.

We can access the web server from anywhere, just not from the wireless interface.

Here's the thing that's really confusing me - the wireless network is served by a DHCP server on the 'Inside' interface, which also provides DNS / Domain services as well as NAP / RADIUS services. Wireless devices can access the internet without issue. The VLE Web Server is on the same subnet and domain as the domain controllers that provide the domain services... so I'm really confused.

Attached is a topology drawing, the cfg file and a screen grab of a wireshark capture.

any pointers appreciated!!!

13 Replies

ahmedshoaib
Level 4

Hi;

Can you run the packet-tracer command and verify where the traffic is blocked on the firewall?

packet-tracer input Wireless tcp 172.20.248.100 1024 10.5.107.248 443

Please also double check whether your VLE Web server has a route to the Wireless network and that there is no internal firewall blocking the traffic.

Thanks & Best regards;
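Added example, not from the original thread: an ASA diagnostic sequence for the symptom described above, assuming the interface names `Wireless` and `Inside`, the 172.20.248.0/21 wireless range and the VLE at 10.5.107.248 used in the discussion (172.20.248.100 is an assumed client; the capture names are made up). The point worth knowing is that `packet-tracer` simulates a brand-new connection, i.e. a SYN, so a clean packet-tracer result cannot show what happens to the server's SYN-ACK on the return leg. Live captures plus the ASP drop counters can.

```cisco
! Added example; names and addresses are assumptions taken from the thread.

! 1. Forward path only: a synthetic SYN from a wireless client to the VLE.
!    A clean result here does not prove the SYN-ACK gets back to the client.
packet-tracer input Wireless tcp 172.20.248.100 1024 10.5.107.248 443 detailed

! 2. Capture the real handshake on both interfaces; 'trace' on the ingress
!    side records each packet's path through ACL, NAT and inspection.
capture VLE_WL interface Wireless trace match tcp 172.20.248.0 255.255.248.0 host 10.5.107.248 eq 443
capture VLE_IN interface Inside match tcp host 10.5.107.248 eq 443 172.20.248.0 255.255.248.0

! 3. Record every packet the accelerated security path drops, with its reason.
capture ASPDROP type asp-drop all

! 4. Reset the per-reason drop counters so the next failure stands out.
clear asp drop

! Reproduce the failure from a wireless client, then inspect:
show capture VLE_WL
show capture VLE_IN
show capture ASPDROP
show asp drop
show capture VLE_WL packet-number 1 trace

! Captures stay in memory until removed.
no capture VLE_WL
no capture VLE_IN
no capture ASPDROP
```

Reading the output: the SYN should appear in `VLE_WL`, the SYN-ACK in `VLE_IN`, and if the SYN-ACK never shows up on the wireless side it should appear in `ASPDROP` tagged with a drop reason. The reason name in `show asp drop` (for example `tcp-not-syn`, "first TCP packet not SYN", which the ASA reports when it sees a mid-handshake packet for a flow it has no connection entry for) is what tells you whether the firewall is dropping the return traffic and why.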

[@sean-haynes],

Thank you for your post. I've had a pick through your ASA configuration - it looks fine. www and https traffic will be permitted, so no issues with regards to access control.
My concern is that the web server has no route to the 172.20.248.0 255.255.248.0 network. I see in the diagram you have a few routers beneath your firewall, do these have the correct static routes added in to reach the 172.20.248.0 255.255.248.0 network? What is your web server using as its default gateway?
I look forward to hearing back.

Kind regards,
Luke


Please rate helpful posts and mark correct answers. 

Afternoon Luke, thanks for taking the time, appreciated.......

Sorry, it was a rushed diagram - on the wireless side there are 2 WLCs; physical connectivity runs through 3750 switches which terminate on 2 layer 3 4900s in failover at the core, on which I run HSRP. So for the wireless VLAN, as with all VLANs, there are 2 physical DG addresses and a virtual one. On the core switches are default static routes, which are working or there would be no internet traffic.

The web server is on the same subnet as the DCs so is using the same DG address, which again works from the Apple network, the inside interface and from the internet.

would I need to stick a static route on the firewall itself? I can see the packets going from the wireless devices to the web server but no responses.

Many thanks

[@sean-haynes],

Apologies for the late response. If you can actually see the traffic hitting the web server (please confirm this) from the wireless side then it has a route there, but it sounds like the web server does not have a route back or the ASA is blocking the traffic.
What security levels do the inside and wireless interfaces have?

Kind regards,
Luke


Morning Luke - to confirm, I can see packets going to the ASA. Via the ASA monitoring I can see the connection being built, then denied due to a lack of response from the web server, then a series of resends from the client.

On the Firewall interface itself I can see the incremental increase of packets passing through the firewall as clients attempt to connect to the web server.

The inbuilt packet trace reports no 'denys' for packets going to or coming from the web server to the wireless interface.

The inside interface is 90 while both the apple and wireless networks are 40. Again to reiterate the apple network has no issues accessing the web server.

In my mind it must be a routing issue - no changes have been made on the web server and I yesterday confirmed with their infrastructure techs that there are no IP routes or firewalls in place that would prevent access to the wireless network.

Given that the apple network can connect to the web server and that the web server can be accessed from anywhere apart from the wireless network then I can't see it being a routing issue on the web server. It knows the DG address etc.

The only static routes I have on the firewall are literally pointing to the outside interface and back in again.

There are no static routes for the apple network and that works.......

[@sean-haynes],

Thanks for the response. What is the default gateway of the web server, the IP address of the inside interface on the ASA?
Please would you be able to share a sanitised configuration with all the private IP addresses included? There is no need to remove them and it is making it difficult for me to grasp how your networks hang together.
Look forward to hearing back.

Kind regards,
Luke


Morning Luke

it's got to be a firewall issue - I was off last week, so haven't had a chance to look too deep into it but this morning I've had a chance to play around a bit.

The VLE server is on the same VLAN as the other servers, so I hooked up another server with Wireshark - this particular server hosts a web service internally that is just http :80.

I set up a rule on the ASA to allow http :80 packets from any wireless device through the Wireless interface to the inside interface where the server is sited.

Using Wireshark to monitor from the server side, I firstly ensured I could still ping the server (which has never been an issue), ref manpacket.jpg.

However  when I send a http request a sequence of events happens:

From the wireless client a SYN is sent to the Management server; the server responds with an acknowledgement, SYN, ACK, which the wireless client does not seem to receive, as inexplicably the wireless client resets the flag and tries to restart communication. This causes a communication error - a new TCP session is started with the same ports as an earlier session in this trace, see 'manpacket1.jpg'.

At this point in time I can not be sure where the reset is occurring - on the client itself or at one of the interfaces.

So the question is: are the SYN ACKs being blocked or are they simply being routed wrongly? In my mind the latter seems unlikely if ICMP packets are able to respond - that would indicate that the ASA 'knows' the way back to the wireless interface... which leaves the SYN ACKs being blocked.

CORRECT ANSWER

....got it.....

saw this post - http://networkengineering.stackexchange.com/questions/20104/tcp-handshake-fails-on-cisco-asa

Set up a TCP state bypass for traffic to the VLE and back - now it works!!!
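Added example, not the configuration from the thread: what a scoped TCP state bypass for this case looks like on the ASA, assuming the interface names `Wireless` and `Inside`, the 172.20.248.0/21 wireless range and the VLE at 10.5.107.248 from the discussion (the ACL, class-map and policy-map names are made up). TCP state bypass is Cisco's documented accommodation for asymmetric routing, and it works by switching off stateful TCP checks (handshake validation and TCP normalization) for whatever the ACL matches, so the ACL is what keeps that window narrow: match only the affected clients, server and ports.

```cisco
! Added example; names are assumptions, addresses come from the thread.

! Match only the affected flows, in both directions. Add a second pair of
! lines for port 80 if the VLE is also served over plain http.
access-list VLE_BYPASS extended permit tcp 172.20.248.0 255.255.248.0 host 10.5.107.248 eq 443
access-list VLE_BYPASS extended permit tcp host 10.5.107.248 eq 443 172.20.248.0 255.255.248.0

class-map VLE_BYPASS_CLASS
 match access-list VLE_BYPASS

policy-map VLE_BYPASS_POLICY
 class VLE_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass

! Attach where the flows enter the ASA. An interface takes only one
! service-policy; if Wireless already has one, add the class to that
! policy-map instead of creating a new one.
service-policy VLE_BYPASS_POLICY interface Wireless

! Verify: the class should accumulate hits and the connection should now
! build to the established state.
show service-policy interface Wireless
show conn address 10.5.107.248
```

Treat this as the workaround it is: once the matched flows are exempt from state tracking, the ASA will also pass a SYN-ACK or RST for which it never saw a SYN, which is precisely the check that was failing. The durable fix is to make the client-to-server and server-to-client paths traverse the same ASA interface, after which the bypass policy can be removed.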

[@sean-haynes],

Man, the threat detection engine would have been the last area to turn to as well - great find.
Was it the randomisation of the ISN you disabled? I'd be interested to see exactly what configuration was added to get this working.

BR,
Luke


Morning Luke - I left randomisation on, but configured TCP state bypass for traffic from the VLE, to specific IPs.

I still don't get why the traffic was being blocked on the way back to the wireless network when a connection had been established between the wireless client and the VLE - SYN, then SYN ACK - but the SYN ACK was being blocked by the firewall. Configuring the state bypass for the specific wireless network address and VLE IP has lifted that block, allowing traffic to pass.

I understand the whole point of a firewall is to stop unsolicited connections that haven't been established from within the interface but the ASA seemed to be blocking all traffic from the web server only but allowing all other traffic - so I will revisit. for now it's up and running and users are able to access their resources so right now I can chalk that up as a temporary win!! Thank you so much for the input though, much appreciated.

Afternoon - I had done this several times, both from the domain network to the wireless and back again - no failures or blocks.

The VLE server is maintained by a 3rd party - I have contacted them but as far as they are aware they have no blocks in the way that would hinder communication.

thank you for the input.

The Wireless network should have a route for the inside n/w and the inside n/w should have a route for the wireless n/w.

Also, if the wireless interface has the same or a lower security level than the inside interface, then you should add the command below.

same-security-traffic permit inter-interface

Hi;

If ASA Packet tracer is showing everything is working fine then it's not a firewall issue.

The VLE Server is accessed from everywhere, which means routing is also ok.

The Wireless network can access the internet, which means the Firewall has the routes.

Now the only thing which is doubtful for me is whether the VLE server has some internal firewall which is blocking wireless traffic, or the Wireless controller has a policy which is blocking traffic from reaching the VLE server.

Thanks & Best regards; 
