ASA 5510 FireWall Problem

Highnet_TSC
Level 1

Hi All

After some advice and direction

Our ASA firewall, running ASA version 8.4, has recently started presenting us with a problem to one external website called http://partners.highnet.com/login/ (IP address 62.233.82.181).

Our firewall is letting everything on our inside trusted site 192.168.254.0/24 out through our outside interface on x.x.x.x to any website and brings back the details.

However, when we try to reach http://partners.highnet.com/login/ we recently started receiving "Internet Explorer cannot display the webpage".

On checking the ASA under the Home tab - Firewall Dashboard - Top 10 Protected Servers under SYN Attack, we are receiving the below error.

Rank | Server IP-Port   | Interface | Average | Current | Total | Source IP (Last Attack Time)
5    | 62.233.82.181:80 | INSIDE    | 0       | 0       | 8     | 192.168.254.130 (1 mins ago)

I have tried rebooting the ASA firewall (Still did not resolve).

I have also disabled basic threat detection and threat detection statistics and then re-enabled them after a period of time under Configuration > Firewall > Threat Detection (Still did not resolve).

Have created a number of access lists, both from the inside to outside and outside to inside, allowing TCP just to the specific IP address 62.233.82.181 (Still did not resolve).

Tried editing the Global Policy for HTTP (Configuration > Connection Settings: TCP and UDP connections and also embryonic connections) (Still did not resolve).

Also tried using the shun command on the ASA to clear connections and statistics (Still did not resolve).

So you see there is nothing else I can think of doing, which is why I have asked you for some pointers; maybe someone has come across this sort of issue before.

If you can help or advise it is much appreciated.

7 Replies

Jouni Forss
VIP Alumni

Hi,

Are you sending logs from your ASA to any Syslog server from which you could pull all the connection logs for that destination IP address?

On the ASA you can naturally use "packet-tracer" also to simulate one such packet coming from your LAN towards this WAN IP address (of the server) and confirm that all rules are correct.

packet-tracer input INSIDE tcp 192.168.254.130 12345 62.233.82.181 80

You could maybe also try to generate TCP SYNs directly from the ASA

ping tcp 62.233.82.181 80

And see if the server replies

- Jouni

Hi

Thanks for your time

On using packet tracer going from our inside to outside, as you have mentioned, it shows clearly that this is allowed to pass through the firewall.

Have also run pings to 62.232.82.181 from the ASA with no replies; this also happens from an external site, so I believe pings are turned off at the destination IP address.

The strange thing is anybody from outside our internal network can get to this site; it just seems to be our internal network set on the inside interface of the ASA.

Regards

Robert

Hi,

Did you have the "inspect http" enabled during this problem?

You can confirm this currently with

show run policy-map

I guess you could try removing it if it's not needed.

I would still also check the log messages while the connection attempt is going from an internal host. It should tell if the connection goes through and if the remote end replies to the connection.

I am behind an ASA and can get to that site just fine. At home I can test that site even from a device that's running the same software.

- Jouni

Hi Jouni

Yep, I have had the "inspect http" turned both on and off through the global policy; it still did not work.

Have also checked the ASA log and can see no entry going to the IP address mentioned, either stopping or blocking the packets going out the outside interface.

Regards

Robert

Hi,

Have you confirmed that the "logging" settings are at an appropriate level to see the connection building and teardown messages? The default level for those is "informational".

You can see the current logging settings with the command

show run logging

I think you should be able to see something.

Naturally you could even go as far as to capture traffic on the ASA to give a definitive answer on whether traffic is reaching the ASA and, if it is, what traffic is actually passed.

- Jouni
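As an added example (not from the thread or from Cisco), a small Python script that does what Jouni describes: pull the 302013/302014 connection build and teardown messages (plus 106023 access-list denies) for one destination IP out of an ASA syslog feed and tell apart "never reached the ASA", "denied" and "built but no reply". The log lines are constructed samples; addresses other than the thread's 62.233.82.181 and 192.168.254.130 are documentation ranges.

```python
import re
from collections import Counter

# Constructed sample syslog lines, patterned on the ASA 302013 (built),
# 302014 (teardown) and 106023 (ACL deny) message formats.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 4711 for outside:62.233.82.181/80 (62.233.82.181/80) to inside:192.168.254.130/51234 (203.0.113.10/51234)
%ASA-6-302014: Teardown TCP connection 4711 for outside:62.233.82.181/80 to inside:192.168.254.130/51234 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 4712 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.168.254.130/51235 (203.0.113.10/51235)
%ASA-6-302014: Teardown TCP connection 4712 for outside:198.51.100.7/443 to inside:192.168.254.130/51235 duration 0:00:05 bytes 8192 TCP FINs
%ASA-4-106023: Deny tcp src inside:192.168.254.131/51300 dst outside:62.233.82.181/80 by access-group "inside_access_in"
"""

MSG_ID = re.compile(r"%ASA-\d-(\d{6}):")
# "zone:ip/port" endpoints; the parenthesised NAT addresses carry no zone prefix
ENDPOINT = re.compile(r"(\w+):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
TEARDOWN = re.compile(r"bytes (\d+) (.+)$")

def summarise(log_text, dest_ip):
    """Count built/teardown/denied messages that involve dest_ip and
    collect the bytes transferred and the teardown reasons."""
    stats = {"built": 0, "teardown": 0, "denied": 0, "bytes": 0, "reasons": Counter()}
    for line in log_text.splitlines():
        m = MSG_ID.search(line)
        if not m or dest_ip not in [ip for _, ip, _ in ENDPOINT.findall(line)]:
            continue
        msg = m.group(1)
        if msg == "302013":
            stats["built"] += 1
        elif msg == "302014":
            stats["teardown"] += 1
            t = TEARDOWN.search(line)
            if t:
                stats["bytes"] += int(t.group(1))
                stats["reasons"][t.group(2).strip()] += 1
        elif msg == "106023":
            stats["denied"] += 1
    return stats

def diagnose(stats):
    """Map the counts onto the cases discussed in the thread."""
    if stats["built"] == 0 and stats["denied"] == 0:
        return "no attempts seen on the ASA: traffic is not reaching it"
    if stats["denied"]:
        return "attempts denied by an access list"
    if stats["bytes"] == 0:
        return "connections built but no data: remote end is not replying"
    return "connections completing normally"
```

Feed it the output of a syslog collector (or `show logging`) and the destination IP; a result of "no attempts seen" while the host is trying means the problem is upstream of the ASA, which is the case the thread ends up at.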

Hi Jouni

The logging is set for debugging and I can see a lot of entries captured from a number of different source and destination IP addresses; however, when I run Internet Explorer from my machine I am expecting to see my IP address attempting to reach destination 62.232.82.181 but I can see nothing at all.

Thanks in advance

Regards

Robert

Hi,

Then I would probably attempt the connection from multiple hosts and check every L3 device routing table between the host and the ASA so that you can confirm that the traffic is not being routed somewhere else.

As I don't know your environment I am not sure if this is a possibility.

But if you can't see any connection on the ASA then either the host is not connecting to that host or the traffic is not forwarded all the way to the ASA.

Is there a chance of a DNS related problem?

Does ICMP to the destination IP address and/or DNS name arrive on the ASA?

- Jouni
