Session resets on webserver connected to ASA 5515-X

michaelgbenga
Level 1

Hi All,
I have a firewall (Cisco ASA 5520) running, acting as Internet edge with interfaces going to the DMZ, Internet and LAN. I have been able to copy/translate the config from the 5520 to the 5515-X; LAN users can get to the internet, but sessions going from the LAN browser to the DMZ webserver get reset, and access to the webserver isn't possible from the internet either. Here is a capture of the activity done on the 5515-X box.

Does anyone have an idea why the reset is coming from the webserver? It appears that the 5515-X is passing traffic normally.

DMZ webserver public IP address: 197.253.4.13.80

The attached capture is a session from firewall showing sessions of my attempts trying to reach the webserver from the internet. Strangely, LAN users cannot reach the webserver from their web browser.


1 Reply

Jouni Forss
VIP Alumni

Hi,


Has this capture been taken from the external interface of the ASA or from the internal? (I am not sure if the server has the public IP address directly configured or if NAT is performed on the ASA.)

Also, if it's possible, could you share the actual capture as a file? If you want to copy the capture from the ASA to some host you could use this command on the CLI:

copy /pcap capture:<capture name> tftp://<host ip>/<filename>.pcap


This way the capture could be opened with Wireshark, for example, for easier reading.

On a quick glance it would seem that the server resets the TCP connection, though at the start we can see that the TCP handshake goes through all the way.


The situation with the LAN users depends on a few things. As I already mentioned, I am not sure if the server is directly configured with the public IP address or if only NAT is performed on the ASA towards the external network.

If I were to presume that the server has a local/private IP address, then the question would be what IP address the users are using to attempt the connection. Or are they perhaps using a DNS name? If they are using a DNS name, what is the IP address they are getting in the DNS reply? If it's the local IP address then it should be enough that you allow traffic from LAN to the DMZ. If the returned IP address is the public NAT IP address then you would either have to configure the public NAT from DMZ towards LAN or perhaps do some DNS related modifications if you have a local DNS server (so it points the name to the local IP address).

- Jouni
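The two approaches Jouni describes for the LAN-to-DMZ case, written out as an added ASA (8.3+ NAT syntax) configuration example; this is not configuration from the thread or from Cisco. The interface names (inside, dmz, outside), the server's private address 10.10.10.13 and the LAN subnet 192.168.1.0/24 are assumed placeholders; only the public address 197.253.4.13 comes from the question.

```cisco
! Constructed example, not from the thread. Assumptions:
!   inside = LAN, dmz = DMZ, outside = Internet
!   DMZ web server private address 10.10.10.13 (placeholder, not given in the thread)
!   public NAT address 197.253.4.13 (from the question)
!
! --- Option A: DNS doctoring on the existing static NAT ---
! The external DNS server answers with 197.253.4.13. When that reply passes the
! ASA through this rule, the "dns" keyword rewrites the A record to 10.10.10.13,
! so LAN browsers connect to the private address. LAN->DMZ then only needs an
! access rule permitting tcp/80; no second translation is required.
object network DMZ-WEB
 host 10.10.10.13
 nat (dmz,outside) static 197.253.4.13 dns
!
! --- Option B: translate the public address on the inside->dmz path ---
! Use this when LAN hosts will keep using 197.253.4.13 anyway (cached answers,
! hosts-file entries, hard-coded URLs). The LAN source stays untranslated; the
! destination 197.253.4.13 is mapped to the real server address on dmz.
object network DMZ-WEB-PUBLIC
 host 197.253.4.13
object network LAN-NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,dmz) source static LAN-NET LAN-NET destination static DMZ-WEB-PUBLIC DMZ-WEB
!
! --- Verification on the ASA (example addresses) ---
! show nat detail
!   confirms the rules are installed and that their hit counts increase
! packet-tracer input inside tcp 192.168.1.50 12345 197.253.4.13 80
!   shows which NAT rule and access rule a LAN->public-IP flow matches
! packet-tracer input outside tcp 203.0.113.5 12345 197.253.4.13 80
!   same check for the Internet->webserver path the question reports as failing
```

If packet-tracer reports ALLOW on both paths but the capture still shows the server sending the RST after the completed handshake, the remaining suspect is the server side (its own firewall or routing), not the ASA translation.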
