Solved: ASA 5505 internal -> DMZ traffic problem (Deny TCP No connection)

jojjemannen · ‎09-23-2011

Hi everyone,

To start of I am a beginner at configuring ASA's and network in generall.

I have a ASA5505 Security Plus with Outside, DMZ and Internal interfaces.

The problem I am having is that I can't estabilsh connections from internal to DMZ, I have tried RDP/Web.

I am able to ping the server from the inside. When I try to connect to the server using RDP I get the following in the log:

6

Sep 23 2011

06:06:40

302013

192.168.10.10

3389

192.168.5.20

3906

Built outbound TCP connection 3034140 for DMZ:192.168.10.10/3389 (192.168.10.10/3389) to inside:192.168.5.20/3906 (192.168.5.20/3906)

6

Sep 23 2011

06:06:44

106015

192.168.10.10

3389

192.168.5.20

3906

Deny TCP (no connection) from 192.168.10.10/3389 to 192.168.5.20/3906 flags SYN ACK on interface inside

Any insights on what wrongs I have done with the configuration? If you see something I have missed or done wrong, don't be affraid to point it out!

/Joseph

: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
domain-name local.local
names
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 82.196.127.13 255.255.255.192 
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0 
!
interface Vlan20
 nameif DMZ
 security-level 90
 ip address 192.168.10.254 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 20
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 10
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 217.31.175.34
 name-server 217.31.160.30
 domain-name caretech.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.250.0.0 255.255.0.0
 network-object 192.168.220.0 255.255.255.0
 network-object 192.168.223.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object icmp 
 service-object icmp echo
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.220.0 255.255.255.0
 network-object 192.168.223.0 255.255.255.0
object-group service LAB1-Service_Group
 service-object tcp eq ftp 
 service-object tcp eq www 
 service-object tcp eq https 
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.220.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.223.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.250.0.0 255.255.0.0 
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 
access-list outside_access_in extended permit tcp any host 82.196.127.13 eq www 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any 
access-list natexempt extended permit ip 192.168.5.0 255.255.255.0 192.168.223.0 255.255.255.0 
access-list natexempt extended permit ip 192.168.5.0 255.255.255.0 192.168.220.0 255.255.255.0 
access-list natexempt extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list DMZ_nat0_outbound_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.223.0 255.255.255.0 
access-list DMZ_nat0_outbound_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.220.0 255.255.255.0 
access-list DMZ_nat0_outbound_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any DMZ
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list natexempt
nat (inside) 1 192.168.5.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound_1
nat (DMZ) 1 192.168.10.0 255.255.255.0
static (inside,outside) tcp interface 3333 192.168.5.130 3333 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.5.30 https netmask 255.255.255.255 
static (inside,outside) tcp interface ftp 192.168.5.30 ftp netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.5.30 www netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 82.196.127.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 192.168.5.0 255.255.255.0 inside
http 93.92.0.254 255.255.255.255 outside
http 194.16.221.226 255.255.255.255 outside
http 192.168.223.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
no service resetoutbound interface outside
no service resetoutbound interface DMZ
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 194.16.221.226 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption aes-192
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh 93.92.0.254 255.255.255.255 outside
ssh 192.168.223.0 255.255.255.0 outside
ssh 192.168.5.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

no threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.250.0.0 255.255.0.0
threat-detection scanning-threat shun except ip-address 192.168.10.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.220.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.223.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.5.0 255.255.255.0
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group "Test" type remote-access
tunnel-group "Test" webvpn-attributes
 nbns-server 192.168.223.10 master timeout 2 retry 2
tunnel-group 194.16.221.226 type ipsec-l2l
tunnel-group 194.16.221.226 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:d66209ee0182e48dc8bb8d4ee3b1da1a
: end
no asdm history enable

Julio Carvajal · ‎01-13-2012

Hello Joseph,

If the question is already solved please mark it as answered,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎09-23-2011

f you can ping the server on the DMZ from the Inside host, that means that the ASA is allowing the traffic between those two interfaces.

Now in order to troubleshoot this lets do a capture:

access-list capin permit tcp host 192.168.5.20 host 192.168.10.10 eq 3389

access-list capin permit tcp host 192.168.10.10 eq 3389 host 192.168.5.20

capture capin access-list capin interface inside

capture capdmz access-list capdmz interface dmz

Then download the captures into a pcap file from a internet browswer.

https://192.168.5.1/capture/capin/pcap

https://192.168.5.1/capture/capdmz/pcap

And finally attach the captures to this discussion.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

jojjemannen · ‎09-25-2011

Thank you for the quick response.

Here is the both files.

chris · ‎01-12-2012

Did you ever get a solution to this? I'm having the same problem except that the denials are intermittent, coming and going at random. The traffic will be allowed one minute, then denied, then allowed again, with no apparent pattern. My syslog shows the exact same deny message as yours.

Chris

Message was edited by: Chris Barber

Julio Carvajal · ‎01-12-2012

Hello Chris,

Same thing as the response to Joseph, The ASA will allow or deny some specific traffic,it will not do something intermittent, that is not the behavior of the ASA.

So I would check the switch if there is one involved or any other device to confirm this is not a routing issue.

Other thing you can do is to configure TCP-State by pass. That should do it as well!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio Carvajal · ‎01-12-2012

Hello Joseph,

Is there a switch being used for both interfaces, on the capture we can see that on the dmz interface there are just the Syn packets comming from the inside host, but on inside capture we can see the SYN and SYN-ACK.

The problem is the DMZ is not receiving the Syn-ACK!!

Please check the switch, the ASA should receive the SYN-ACK from the DMZ host on the DMZ interface not just on the inside interface.

You can configure TCP state-bypass to solve this problem as well!

Let me know if you find something on the switch!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

jojjemannen · ‎01-13-2012

I have become the person I hate the most on the internet, one that post a question and don't update the quesiton with a solution!

After spending a few hours with the superb support at Cisco it turned out to be faulty/missconfigured network equipment in my case. I had to verify all settings on all switches/routers before I got this problem solved.

I do no remember the exact resolution in my case due to bad memory on my behaf!

I'm hoping that this will help you Chris

chris · ‎01-13-2012

No worries, Joseph!

It's starting to sound like mine is a different cause, if your solution was equipment related. In my case I have nothing but the 5505 between a certain virtual machine and the internet. My traffic-deny issue appears when a host on the internet tries to hit the outside interface of the 5505 to reach the web server on the VM on the DMZ interface. The VM that is sitting on this interface is directly connected to the 5505.

Admittedly the VM has to go through its virtualization layer to get to the physical nic and I will need to check that carefully as well as the cabling from the VM host to the 5505.

Once I do that I will start a new thread for my problem and reference it here.

Still, the problem is very strange. The very same host (e.g. me sitting at my laptop on a completely seperate internet connection) will be randomly permitted or denied at various times throughout the day and night. Same for other hosts coming at it from other internet connections. These are internet connections that I know to be rock solid.

Here's an example of a succeeded connection, which I just took off the syslog. This morning it is working from one particular host (my laptop):

6 Jan 13 2012 08:10:05 166.248.2.112 4116 HelpDesk 443 Built inbound TCP connection 116046 for outside:166.248.2.112/4116 (166.248.2.112/4116) to dmz:HelpDesk/443 (fios_static_ip/443)

6 Jan 13 2012 08:10:05 166.248.2.112 4116 HelpDesk 443 Teardown TCP connection 116046 for outside:166.248.2.112/4116 to dmz:HelpDesk/443 duration 0:00:00 bytes 20789 TCP FINs

and here's from another host's attempt that does not work at the same time:

6 Jan 13 2012 08:17:57 216.47.227.170 4103 HelpDesk 443 Built inbound TCP connection 116093 for outside:216.47.227.170/4103 (216.47.227.170/4103) to dmz:HelpDesk/443 (fios_static_ip/443)

6 Jan 13 2012 08:17:57 216.47.227.170 4103 HelpDesk 443 Teardown TCP connection 116093 for outside:216.47.227.170/4103 to dmz:HelpDesk/443 duration 0:00:00 bytes 20736 TCP Reset-O

Interesting: now I'm getting a different type of failure. Yesterday I had a DENY like Joseph, this morning I have a RESET-O (what the heck is that?) on the teardown message...

and here's the same failing host getting in on port 80 instead of 443 at the same time:

6 Jan 13 2012 08:23:34 216.47.227.170 4111 HelpDesk 80 Built inbound TCP connection 116106 for outside:216.47.227.170/4111 (216.47.227.170/4111) to dmz:HelpDesk/80 (fios_static_ip/80)

6 Jan 13 2012 08:23:40 216.47.227.170 4111 HelpDesk 80 Teardown TCP connection 116106 for outside:216.47.227.170/4111 to dmz:HelpDesk/80 duration 0:00:06 bytes 950 TCP FINs

I'm certain that later today my laptop which was able to connect this morning will fail again, just like it was last night.

Chris

chris · ‎01-13-2012

Also, this is really starting to feel like the ASA doing traffic inspection and being too aggressive about it. The whole point is that these connections are outside to DMZ, from entirely unpredictable clients, to public-facing web servers. We have to let them through.

Julio, you mentioned TCP state bypass. Can you give me an example of how to configure that on the ASA for my outside-to-DMZ rules?

Thanks

Chris

Julio Carvajal · ‎01-13-2012

Hello Chris,

1- Reset-O means that the Reset packet that is closing the connection is comming from the outside

2-As you say this is a TCP connection and the ASA its inspecting it, so to avoid the deep packet inspection lets create a tcp state bypass policy.

Lets say the user on the outside its 4.2.2.2 and the outside interface is 1.1.1.1 ( going to host 192.168.11.2)

so it will look like this:

access-list test permit tcp host 4.2.2.2 host 192.168.11.2 eq 80

access-list test permit tcp host 4.2.2.2 host 1.1.1.1 eq 80

class-map tcp-statebypass

match access-list test

policy-map global_policy

class tcp-statebypass

set connections advanced-options tcp-state-bypass

Regards,

Rate the post that helps!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio Carvajal · ‎01-13-2012

Hello Joseph,

If the question is already solved please mark it as answered,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

chris · ‎01-13-2012

Julio, thank you for the info on setting up the bypass. From your comments it really looks like its an inspection thing and I will reconfigure and retest. I won't have a change to do that until Saturday.

We have really got two distinct discussion threads in here. I will repost my question to a new thread tonight and Julio if you would just reply to that new thread with your same info I can then rate and mark as answered seperately from Joseph. I will also make a reference in this thread to my new thread to help out anyone who looks in here.

Chris

Julio Carvajal · ‎01-13-2012

Hello Chris,

Thank you very much for that.

I will be more than glad to help

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

chris · ‎01-14-2012

see new discussion question https://supportforums.cisco.com/thread/2125757 for continuation of my part of this discussion.

Julio, if you would reply to that post and copy your previous answer about RESET-O and how to set up the state bypass we can continue the discussion of my issue there and I can give feedback seperately.

Thanks again for your help!

Chris