08-01-2013 07:12 PM - edited 03-11-2019 07:20 PM
OK guys, I can't seem to figure this one out. It's probably easy, but I'm more of a server guy and just delving into the world of networking now.
I've added quite a few access rules already for WebEx; however, the inbound connections keep getting rejected.
Anyways brief description.
I have 3 interfaces: AT&T, Comcast and Inside. AT&T is simply a backup in case Comcast ever crashes. All traffic from inside going outside is set up for Dynamic PAT (Hide).
I am trying to allow WebEx to get through the firewall, as the traffic is currently being blocked. I have taken the networks and subnets given to me, added each one as a network object, then created a network object group with them.
I need to allow inbound tcp/http, tcp/https, tcp-udp/domain, tcp-udp/1270, tcp-udp/5101, tcp/8554, udp/7500, udp/7501, udp/9000, udp/9001.
I have made quite a few access rules allowing those services through on multiple interfaces. I have tried it on Inside, I have tried it on the Comcast interface. However, traffic is still not able to get through the firewall.
Here is one of the log entries that comes through when I try to start a WebEx meeting.
2 | Aug 01 2013 | 21:45:03 | 106001 | 209.197.223.18 | 443 | my ip address | 63650 | Inbound TCP connection denied from 209.197.223.18/443 to my ip address/63650 flags FIN ACK on interface Comcast |
Attached is a packet trace of me sending an HTTP TCP packet to WebEx and me trying to receive a packet.
I feel like I am just missing something incredibly stupid here, like when I had the IPSec VPN issue. Oh well, such is life.
Thanks in advance for any help you can provide on how to properly configure this thing so it has access.
08-05-2013 09:44 AM
Anyone have an idea on this one? I haven't been able to mess with it much. I basically just took the AT&T connection and ran a line from that to an AP and set up a wireless network off the AT&T line that doesn't hit the firewall for them to use WebEx. This is not an ideal situation.
Will mess around with it more tonight.
08-05-2013 10:24 AM
Hi,
I would have to say that since you are using Dynamic PAT for all outbound connections, there is no point in either allowing traffic from the WAN or even simulating that traffic from the WAN.
Mostly because the ASA firewall keeps track of the connections formed through it and will automatically allow return traffic from the remote server back to the host that formed/opened the connection. So when a connection is formed through the ASA from LAN to WAN, the return traffic for that connection will flow freely from WAN to LAN.
Also, when we consider that you're performing a Dynamic PAT for all of your LAN users when they initiate outbound connections to WAN, it means that you can't really allow any traffic from WAN to LAN, as none of your LAN hosts actually have their own public IP address. Rather, they share the public IP address of the ASA's "outside" interface, most likely.
I have not used WebEx that often but the times I have used it, I have not had to change any of my configuration on my home ASA5505.
Cisco's explanation of the above syslog message is the following:
106001
Error Message %ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
Explanation An attempt was made to connect to an inside address and was denied by the security policy that is defined for the specified traffic type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the ASA, and it was dropped. The tcp_flags in this packet are FIN and ACK.
The tcp_flags are as follows:
•ACK—The acknowledgment number was received
•FIN—Data was sent
•PSH—The receiver passed data to the application
•RST—The connection was reset
•SYN—Sequence numbers were synchronized to start a connection
•URG—The urgent pointer was declared valid
Recommended Action None required.
- Jouni
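A way to triage 106001 entries in bulk, as an added example that is not part of this thread or of Cisco's documentation: the parser below pulls out the fields Jouni quotes (source, destination, ports, flags, interface) and separates a bare inbound SYN, where the interface policy really refused a new connection, from a segment with no SYN, which is the case Cisco's text describes for FIN ACK: a packet for which the ASA holds no connection entry, so adding inbound access rules will not change the outcome. The sample lines are constructed; 203.0.113.10 is an RFC 5737 documentation address standing in for the poster's public IP, and the "stale-return-traffic" label is a port-based heuristic of this example, not a field the ASA reports.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


# Constructed sample syslog lines (not taken from the thread). 203.0.113.10
# is an RFC 5737 documentation address standing in for the poster's public
# IP; the first line mirrors the flag/port shape of the 106001 entry in the
# post. The last line is a different message ID and must be ignored.
SAMPLE_LOGS = [
    "%ASA-2-106001: Inbound TCP connection denied from 209.197.223.18/443 "
    "to 203.0.113.10/63650 flags FIN ACK on interface Comcast",
    "%ASA-2-106001: Inbound TCP connection denied from 209.197.223.18/443 "
    "to 203.0.113.10/63651 flags ACK on interface Comcast",
    "%ASA-2-106001: Inbound TCP connection denied from 198.51.100.77/51234 "
    "to 203.0.113.10/443 flags SYN on interface Comcast",
    "%ASA-6-302013: Built outbound TCP connection 4711 for "
    "Comcast:209.197.223.18/443 (209.197.223.18/443) to "
    "Inside:192.168.1.20/63650 (203.0.113.10/63650)",
]

# Matches the body of %ASA-2-106001 as documented by Cisco.
_RE_106001 = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)"
)

# The six flag names the Cisco message text enumerates.
TCP_FLAGS = {"ACK", "FIN", "PSH", "RST", "SYN", "URG"}


@dataclass(frozen=True)
class Denied106001:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    iface: str


def parse_106001(line: str) -> Optional[Denied106001]:
    """Extract the fields of an ASA 106001 message; None for any other line."""
    m = _RE_106001.search(line)
    if not m:
        return None
    flags = frozenset(m.group("flags").split())
    unknown = flags - TCP_FLAGS
    if unknown:
        raise ValueError(f"unexpected TCP flag(s) {sorted(unknown)} in: {line}")
    return Denied106001(
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        flags=flags, iface=m.group("iface"),
    )


def classify(d: Denied106001) -> str:
    """Distinguish a refused inbound connection attempt from a state-table miss.

    A SYN without ACK is a genuine new inbound connection that the interface
    policy refused. Anything else is a mid-stream segment for which the ASA
    holds no conn entry (what Cisco's text describes for FIN ACK): the
    matching outbound connection either never went through this box or its
    entry has already been torn down, so an inbound access rule will not help.
    """
    if "SYN" in d.flags and "ACK" not in d.flags:
        return "new-connection-denied"
    # Heuristic (this example's own, not an ASA field): a service port below
    # 1024 talking to a high port looks like the server side of a session a
    # LAN client opened, i.e. stale return traffic.
    if d.sport < 1024 <= d.dport:
        return "stale-return-traffic"
    return "out-of-state"


def summarize(lines) -> Counter:
    """Count 106001 lines by classification; other message IDs are skipped."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_106001(line)
        if d is not None:
            counts[classify(d)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        d = parse_106001(line)
        if d is not None:
            print(f"{d.iface}: {d.src}:{d.sport} -> {d.dst}:{d.dport} "
                  f"[{' '.join(sorted(d.flags))}] => {classify(d)}")
    print(dict(summarize(SAMPLE_LOGS)))
```

Run against an exported syslog file instead of SAMPLE_LOGS: if nearly every 106001 for the WebEx addresses carries ACK without SYN, the interface policy is not what is breaking the meeting, and the place to look is whatever is removing or never creating the connection entry (the packet-tracer output and the 302013/302014 connection built/teardown messages), not the access rules.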
08-05-2013 11:44 AM
Yeah, I don't get why the traffic is being blocked, but it's definitely that, as if we use a mobile hotspot or the alternative connection I have set up then the meeting starts fine. If we use the existing network it just tries to connect over and over again.
Any recommended actions for this?
Might just have to roll with the workaround I have set up until I can sit down and really look at the firewall configuration and set it up properly when this project is over.
08-05-2013 11:49 AM
Hi,
I am not really sure.
Naturally, I would personally first look through the configuration and bang my head against the wall and/or table for a few minutes.
So if you can share some version of the current firewall configuration, we can look through it to see if there is anything there that might explain this.
I would presume, though, that everything else works through this firewall, so I am not sure why this wouldn't work.
- Jouni
08-05-2013 02:12 PM
Everything works fine except eBay: when users try to go to eBay the page never loads, and we can't ping eBay. Considering the fact that no one has a business reason to be on eBay, I'm completely fine with it not going through.
Not much to look at on the configuration side.
Like I said, 3 interfaces: 2 outside (AT&T, Comcast), 1 Inside. The firewall is also acting as a router, so the Inside interface is the default gateway on all of the machines.
Network traffic to the internet is PAT'd behind 1 of the static IP addresses we were given by Comcast. AT&T is the same way if Comcast ever fails.
Everything else is pretty much default. There are no access rules except the access rules that were created by default: any to any less secure network. It has been working fine; we have access to all of the things we need access to. After this project gets off the ground and it doesn't require 100% of my attention to get it started, I definitely need to get in there and do sub-interfaces on the outside interface so I can NAT traffic from the static IPs we were given to a server for VPN etc.