asa 5505 configuration

macazarpros
Level 1

hey guys

i have a server which accepts traffic on one port inside my network and clients outside need to access this server. the nat and access list work fine but there is a timeout issue and the connection fails ... note that without the asa client to server directly works fine.. and also note the traffic is encrypted (ssl).. is there any additional provision i need to configure ? why is it timing out? packet captures show traffic from the outside reaching the inside interface but no response from the inside to the outside....

i have only one access list allowing traffic in from the outside to the server and one nat rule...

advice needed... 

thanks


Pranay Prasoon
Level 3

Hi,

 

so you see SYN coming from outside to inside and the server is not responding with SYN/ACK?

If this is the case, ASA will wait for 30 seconds and close the connection if SYN/ACK is not received within this period. In the ASA log you will see a SYN timeout error message.

Check if server has default route configured. You will need to make sure with captures on server why it is not replying with syn/ack.

 

 

thanks pranay..

yes im not good with linux but i'll look into some commands for debugs... the inside interface and the server are on the same subnet.. the server default route is the default route of the subnet.. server XXX.115

inside interface xxx.114. the default route of the server is xxx.1 which is an interface on another asa

hi,

 

So from what I gather

"inside interface xxx.114  the default route of the server is xxx.1 which is an interface on another asa"

 

It means default route of the server is another ASA. This is not going to work unless you apply TCP statebypass.

 

ASA is a stateful firewall. It means for TCP/IP, it always needs to see two-way traffic. If SYN is going through one ASA it should see SYN/ACK back. Similarly, if one ASA has not seen SYN and sees SYN/ACK because of asymmetric routing, it is not going to work.

 

Either change the default route of the server to the same ASA or configure TCP state bypass (which is not recommended though).

 

Thanks
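A small model of the behaviour described in the reply above, added here as an illustration and not code from the thread or from Cisco: it simplifies an ASA connection table to SYN/SYN-ACK tracking with the 30-second SYN timeout mentioned earlier, and uses constructed addresses. It shows why the reply is dropped when the server's default route points at the other ASA, and what a state-bypass exemption changes.

```python
from dataclasses import dataclass, field

SYN_TIMEOUT = 30  # seconds an ASA waits for the SYN/ACK, as quoted in the thread


@dataclass
class StatefulFirewall:
    """Toy model of one ASA's TCP connection table (simplified assumption, not ASA code)."""
    name: str
    state_bypass: bool = False                   # models tcp-state-bypass for this traffic
    conns: dict = field(default_factory=dict)    # (client, server) -> (state, t_syn)
    log: list = field(default_factory=list)

    def handle(self, src, dst, flags, now):
        """Return 'forward' or 'drop' for one packet seen at time `now`."""
        if self.state_bypass:                    # bypass: no state kept, nothing checked
            return "forward"
        if flags == "SYN":                       # embryonic entry, waiting for the SYN/ACK
            self.conns[(src, dst)] = ("SYN_SEEN", now)
            return "forward"
        # a SYN/ACK travels server->client, so it belongs to the client->server entry
        key = (dst, src) if flags == "SYN/ACK" else (src, dst)
        if key not in self.conns:
            # this ASA never saw the SYN, so the reply is dropped (asymmetric routing)
            self.log.append(f"{self.name}: Deny TCP (no connection) {src}->{dst} flags {flags}")
            return "drop"
        if flags == "SYN/ACK":
            self.conns[key] = ("ESTABLISHED", now)
        return "forward"

    def expire(self, now):
        """Age out embryonic entries that never saw a SYN/ACK."""
        for key, (state, t_syn) in list(self.conns.items()):
            if state == "SYN_SEEN" and now - t_syn >= SYN_TIMEOUT:
                self.log.append(f"{self.name}: SYN Timeout {key[0]}->{key[1]}")
                del self.conns[key]


def simulate(reply_via_same_asa, state_bypass=False):
    """Client SYN enters via the 5505 (NAT to the server); the SYN/ACK follows the server's default route."""
    client, server = "203.0.113.10", "192.0.2.115"   # constructed addresses
    asa_5505 = StatefulFirewall("ASA-5505", state_bypass)
    asa_5520 = StatefulFirewall("ASA-5520", state_bypass)
    asa_5505.handle(client, server, "SYN", now=0)
    reply_path = asa_5505 if reply_via_same_asa else asa_5520
    verdict = reply_path.handle(server, client, "SYN/ACK", now=1)
    asa_5505.expire(now=SYN_TIMEOUT + 1)
    return verdict, asa_5505.log + asa_5520.log
```

`simulate(True)` forwards with an empty log; `simulate(False)` drops the SYN/ACK at the 5520 and the 5505 logs the SYN timeout, while `simulate(False, state_bypass=True)` forwards but records no state at all, which is why the bypass is the less safe fix.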

thats some good info right there.. ok i will let you know how it goes on monday.. i dont have access to the test equipment right now to run a transaction.. to clarify.. the asa 5505 is connected to the internet with the config and its inside interface is xxx.114... the outside is NATed to the server ip xxx.115.

the server default route is xxx.1 which is an interface on a 5520 asa. just so u get it right i will keep you informed on monday

so the default route of the server should be XXX.114?

thanks man.. brilliant u were right...
