10-23-2013 03:45 AM - edited 03-11-2019 07:55 PM
Hi All
Could anyone assist me with the above issue? I had already created a discussion and was helped by one of the community but could not resolve the issue.
I have attached a link in regards to carrying out troubleshooting with JouniForss, but I could not resolve the fault:
https://supportforums.cisco.com/thread/2245710 (previously created discussion).
I have even rolled the ASA config back to an earlier version which was allowing the partner's site 62.233.82.181 on port 80 access, and now it does not. If anyone has come across this issue and has resolved it, could you please let me know.
Kind Regards.
10-23-2013 06:37 AM
Hello Duncan,
Okay, you provided us information (a screenshot even), but what is the problem exactly?
Do you want to prevent DoS attacks? What are you looking for at this moment?
Regards
10-23-2013 08:42 AM
Hi Julio
The problem is that our network connected to the ASA router on the inside, address range 192.168.254.0/24, cannot reach our partner's site at 62.233.82.181 on port 80 connected on the outside.
This seems to be the only website that we cannot access; everything else that is going through our ASA firewall is returning back, and this includes all other websites we visit.
What I would like to do is be able to set up an access rule or policy to resolve this. As you can see from the screenshot, there is some sort of SYN attack.
As I mentioned above, we rolled back to an earlier config that was allowing us access to the partner's web site, but for some reason it does not any more.
Regards
10-23-2013 12:16 PM
Hello Duncan,
I now understand your issue.
Can you post or send me the configuration with the problem?
Regards,
Jcarvaja
follow me on http://laguiadelnetworking.com
10-23-2013 01:23 PM
I see how the ASA is reporting this and actually it could be related to the source not being able to receive a reply back from the destination thus reporting a SYN attack because all we see are SYN,SYN,SYN,SYN,SYN sent by the source 192.168.254.X address.
What I would ask of you would be the following:
I know that the packet tracer already indicates that it allows it through but we need to look at the phases that it is going through so please post the output.
I also need the output from a working network to the remote site, the reason I need this information would be for us to confirm that they are going out via the same IP and to confirm if there are any differences.
10-23-2013 01:24 PM
I mean a packet-tracer from the working network that resides behind the ASA.
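The distinction drawn in the 01:23 PM reply above (an inside host retrying a SYN that never gets an answer, versus an actual SYN flood), as an added example that is not part of the original thread. The segment records are constructed, 198.51.100.7 stands in for a site that works, and the flow-count threshold and the retransmission heuristic are assumptions.

```python
from collections import defaultdict

# Constructed records, not captured traffic: (time_s, src, sport, dst, dport, flags).
# 192.168.254.10 is a made-up host in the thread's inside range.
SAMPLE = [
    (0.0, "192.168.254.10", 50001, "62.233.82.181", 80, "S"),
    (3.0, "192.168.254.10", 50001, "62.233.82.181", 80, "S"),   # retry, same 4-tuple
    (9.0, "192.168.254.10", 50001, "62.233.82.181", 80, "S"),   # retry, same 4-tuple
    (0.5, "192.168.254.10", 50002, "198.51.100.7", 80, "S"),
    (0.6, "198.51.100.7", 80, "192.168.254.10", 50002, "SA"),
    (0.7, "192.168.254.10", 50002, "198.51.100.7", 80, "A"),
]
FLOOD_MIN_FLOWS = 50  # assumed: fewer unanswered flows than this is not flood-like

def classify_syn_activity(segments, flood_min_flows=FLOOD_MIN_FLOWS):
    """Return {(dst, dport): verdict} from SYN / SYN-ACK observations."""
    syns = defaultdict(int)   # (src, sport, dst, dport) -> number of SYNs seen
    answered = set()          # flows for which the server sent a SYN-ACK
    for _, src, sport, dst, dport, flags in segments:
        if flags == "S":
            syns[(src, sport, dst, dport)] += 1
        elif flags == "SA":
            answered.add((dst, dport, src, sport))  # store in the client's orientation
    per_dest = defaultdict(lambda: {"unanswered": 0, "retransmitted": 0})
    for flow, count in syns.items():
        stats = per_dest[(flow[2], flow[3])]
        if flow not in answered:
            stats["unanswered"] += 1
            # A real client stack re-sends the same SYN on the same 4-tuple.
            stats["retransmitted"] += 1 if count > 1 else 0
    verdicts = {}
    for dest, s in per_dest.items():
        if s["unanswered"] == 0:
            verdicts[dest] = "ok"
        elif s["unanswered"] >= flood_min_flows and s["retransmitted"] * 2 < s["unanswered"]:
            verdicts[dest] = "possible-syn-flood"      # many one-shot SYNs, few retries
        else:
            verdicts[dest] = "unanswered-handshake"    # look at return path / NAT address
    return verdicts
```

An "unanswered-handshake" verdict for a single destination points at the reply path or the translated source address rather than at an attack, which is why the replies ask for packet-tracer output from both the failing and a working network.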
10-28-2013 06:09 PM
Do you still need assistance? Did any of the information given help you out?
10-31-2013 10:52 AM
Please update the ticket as resolved or answered so we can close out follow-up.
11-01-2013 02:00 AM
Hi Jumora
I have tried everything I can think of to rectify this: access-control lists, creating class-maps and policy-maps to include embryonic connections, and turning off Basic threat detection. I have even connected straight into the ASA inside port that the network connects to and still cannot open or reach the partner's site, but I can reach any other website on the network. I have also connected into the router which is the next hop after the ASA onto the internet, and yes, that does allow me to reach the partner's site and open it in my web browser. So I am at a loss in trying to resolve this.
If you have any other suggestions, Jumora, I would be glad to hear them and try and put them into action if possible; as this is a working network, downtime is hard to arrange right away.
Kind Regards.
11-02-2013 07:56 PM
OK, when you put the PC in front of the ASA, what IP address do you give it? The reason I want to know this is that if it is any address other than the IP address that we have for PAT on the ASA and is one of the addresses on the WAN side of the ASA, I will change it from the PAT just to see if after we do this change you can reach the site.
11-04-2013 01:15 AM
Hi Jumora
The IP address I give it is a private IP address. The strange thing is that I can reach all other sites while being plugged into the Inside on the ASA firewall; however, I cannot reach http://partners.highnet.com/login/ (IP address 62.233.82.181). I cannot figure this one out.
Regards
11-04-2013 12:14 PM
OK, we can do two things here: one, open up a TAC case if you have a contract and I can help you out, or two, you would need to send me the configuration and tell me what IP address you placed on the PC when it was able to reach the site when it was not behind the ASA, so we can try to map that address to a PAT to see if internal users are then able to reach the site.
11-06-2013 02:58 AM
Hi Jumora
Thanks for the details. We are now looking at setting up a SMARTnet account for our ASA routers and will progress from there.
Thanks very much for your time and effort, much appreciated.
We can close this post.
Kind Regards
11-06-2013 09:28 AM
Please rate the answer.
11-06-2013 02:53 PM
Please rate the assistance.