Access Rule to Allow WebEx

eliminat0r85
Level 1

Ok guys, I can't seem to figure this one out. Probably easy, but I'm more of a server guy and just delving into the world of networking now.

I've added quite a few access rules already for WebEx; however, the inbound connections keep getting rejected.

Anyway, a brief description.

I have 3 interfaces. AT&T, Comcast and Inside. AT&T is simply a backup in case Comcast ever crashes. All traffic from inside going outside is set up for Dynamic PAT (Hide).

I am trying to allow WebEx to get through the firewall as the traffic is currently being blocked. I have taken the networks and subnets given to me, added each one as a network object, then created a network object group with them.

I need to allow inbound tcp/http, tcp/https, tcp-udp/domain, tcp-udp/1270, tcp-udp/5101, tcp/8554, udp/7500, udp/7501, udp/9000, udp/9001.

I have made quite a few access rules allowing those services through on multiple interfaces. I have tried it on inside, I have tried it on the Comcast interface. However, traffic is still not able to get through the firewall.

Here is one of the log entries that comes through when I try to start a WebEx meeting.

| Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|---|---|
| 2 | Aug 01 2013 | 21:45:03 | 106001 | 209.197.223.18 | 443 | my ip address | 63650 |

Inbound TCP connection denied from 209.197.223.18/443 to my ip address/63650 flags FIN ACK  on interface Comcast

Attached is a packet trace of me sending an HTTP TCP packet to WebEx and me trying to receive a packet.

I feel like I am just missing something incredibly stupid here, like when I had the IPSec VPN issue. Oh well, such is life.

Thanks in advance for any help you can provide on how to properly configure this thing so it has access.

5 Replies

eliminat0r85
Level 1

Anyone have an idea on this one? I haven't been able to mess with it much. I basically just took the AT&T connection, ran a line from that to an AP and set up a wireless network off the AT&T line that doesn't hit the firewall for them to use WebEx. This is not an ideal situation.

Will mess around with it more tonight.

Hi,

I would have to say that since you are using Dynamic PAT for all outbound connections that there is no point in either allowing traffic from the WAN or even simulating that traffic from the WAN.

Mostly because the ASA firewall keeps track of the connections formed through it and will automatically allow return traffic from the remote server back to the host that formed/opened the connection. So when a connection is formed through the ASA from LAN to WAN then the return traffic for that connection will flow freely from WAN to LAN.

Also, when we consider that you're performing a Dynamic PAT for all of your LAN users when they initiate outbound connections to WAN, it means that you can't really allow any traffic from WAN to LAN as none of your LAN hosts actually have their own public IP address. Rather, they most likely share the public IP address of the ASA's "outside" interface.

I have not used WebEx that often but the times I have used it, I have not had to change any of my configuration on my home ASA5505.

Cisco's explanation of the above syslog message is the following:

106001

Error Message: %ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name

Explanation: An attempt was made to connect to an inside address and was denied by the security policy that is defined for the specified traffic type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the ASA, and it was dropped. The tcp_flags in this packet are FIN and ACK.

The tcp_flags are as follows:

- ACK: The acknowledgment number was received
- FIN: Data was sent
- PSH: The receiver passed data to the application
- RST: The connection was reset
- SYN: Sequence numbers were synchronized to start a connection
- URG: The urgent pointer was declared valid

Recommended Action: None required.

- Jouni
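Applying the Cisco explanation quoted above to the log: a 106001 with ACK/FIN/RST and no SYN is a packet for a session the ASA no longer tracks, while a bare SYN is an unsolicited connection attempt that Dynamic PAT is expected to block. The triage script below is an added example, not part of this thread or of any Cisco tool; the log lines are constructed in the format of the message, with 198.51.100.10 standing in for "my ip address".

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the %ASA-2-106001 message quoted in the thread.
SAMPLE_LOGS = [
    "%ASA-2-106001: Inbound TCP connection denied from 209.197.223.18/443 to 198.51.100.10/63650 flags FIN ACK  on interface Comcast",
    "%ASA-2-106001: Inbound TCP connection denied from 203.0.113.5/51234 to 198.51.100.10/443 flags SYN  on interface Comcast",
    "%ASA-2-106001: Inbound TCP connection denied from 209.197.223.18/443 to 198.51.100.10/63651 flags RST  on interface Comcast",
]

PATTERN = re.compile(
    r"%ASA-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.*?)\s+on interface (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Denied:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    iface: str


def parse_106001(line):
    """Return a Denied record for a 106001 line, or None if the line is something else."""
    m = PATTERN.search(line)
    if not m:
        return None
    return Denied(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  frozenset(m["flags"].split()), m["iface"])


def looks_like_return_traffic(d):
    """Well-known source port talking to an ephemeral local port: shape of a reply to an outbound session."""
    return d.sport < 1024 <= d.dport


def classify(d):
    if "SYN" in d.flags and "ACK" not in d.flags:
        return "unsolicited-new-connection"   # inbound SYN: PAT has nothing to map it to, block is expected
    if "SYN" not in d.flags:
        return "no-state-tail"                # ACK/FIN/RST with no SYN: ASA has no connection entry any more
    return "other"


def triage(lines):
    """Summarise every 106001 line as (source, source port, classification)."""
    return [(d.src, d.sport, classify(d)) for d in map(parse_106001, lines) if d]
```

The FIN/ACK denial from 209.197.223.18/443 classifies as a no-state tail, which is why the drop itself is not evidence that an access rule is missing.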

Yeah, I don't get why the traffic is being blocked, but it's definitely that, as if we use a mobile hotspot or the alternative connection I have set up then the meeting starts fine. If we use the existing network it just tries to connect over and over again.

Any recommended actions for this?

Might just have to roll with the workaround I have set up until I can sit down and really look at the firewall configuration and set it up properly when this project is over.

Hi,

I am not really sure.

Naturally I would personally first look through the configuration and bang my head against the wall and/or table for a few minutes.

So if you can share some version of the current firewall configuration then we can look through it if there is anything there that might explain this.

I would presume though that everything else works through this firewall, so I am not sure why this wouldn't work.

- Jouni

Everything works fine except eBay: when users try to go to eBay the page never loads, and I can't ping eBay. Considering the fact that no one has a business reason to be on eBay, I'm completely fine with it not going through.

Not much to look at on the configuration side.

Like I said, 3 interfaces: 2 outside (AT&T, Comcast), 1 inside. The firewall is also acting as a router, so the inside interface is the default gateway on all of the machines.

Network traffic to the internet is PAT'd behind 1 of the static IP addresses we were given by Comcast. AT&T is the same way if Comcast ever fails.

Everything else is pretty much default. There are no access rules except the access rules that were created by default: any to any less secure network. It has been working fine; we have access to all of the things we need access to. After this project gets off the ground and it doesn't require 100% of my attention to get it started, I definitely need to get in there and do sub-interfaces on the outside interface so I can NAT traffic from the static IPs we were given to a server for VPN etc.
