10-27-2013 11:36 PM - edited 03-11-2019 07:56 PM
Hi
I have a problem when accessing a certain website. When I go to the Real Time Log Viewer, this is the entry I find for that specific website/IP:
I can access the website when not going through the firewall, and from my mail server, which is NATed to a public IP and goes through the same firewall.
I am not sure which reason I should be looking at.
Thank You
A TCP connection between two hosts was deleted. The following list describes the message values:
• id —A unique identifier
• interface, real-address, real-port—The actual socket
• duration—The lifetime of the connection
• bytes—The data transfer of the connection
• user—The AAA name of the user
• reason—The action that causes the connection to terminate. Set the reason variable to one of the TCP termination reasons listed in Table 1-3.
10-28-2013 12:15 AM
Hi,
Are you saying that you are getting some log message about the connection that doesn't go through? If so, can you post the log message here (you can remove any public IP addresses from the log messages)?
Or are you saying that you want to know what to look for in the logs to determine the reason the connection is dropped?
I would suggest using the "packet-tracer" command to simulate the connection attempt. This would tell you which rules/configurations the packet matches on the firewall.
As I don't know your configuration, I can only give a general example:
packet-tracer input tcp
Could you insert to the above command the correct information and post the output of the command here. Remember to remove any public IP addresses from your post.
- Jouni
10-28-2013 12:57 AM
Hi Jouni
Thanks for the help, here is the output you asked for. It seems to look OK, but I still cannot access this one website from behind the FW. I can ping and do a tracert but cannot open it. I'm baffled, as it still seems to me something on the FW is dropping the connection.
Thanks, Johnny
MMHS-WILMED-FW# packet-tracer input inside tcp 192.168.200.11 www xxx.xxx.xxx.$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_INTERFACE in interface inside
access-list INSIDE_INTERFACE extended permit tcp any any eq www
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14705252, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
MMHS-WILMED-FW#
10-28-2013 01:01 AM
Jouni, this is the output I get when changing the input to "outside":
MMHS-WILMED-FW# packet-tracer input outside tcp 192.168.200.11 www xxx.xxx.xxx$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
10-28-2013 02:14 AM
Hi,
Have you been able to check why the source host is not getting any NAT/PAT translation for its connection attempt?
- Jouni
10-28-2013 02:50 AM
Hi, like you said, there are no NAT/PAT rules set up on the FW.
I have added a NAT rule to test, but still no luck.
MMHS-WILMED-FW# packet-tracer input inside tcp 192.168.200.34 www xx.xx.xx.$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_INTERFACE in interface inside
access-list INSIDE_INTERFACE extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab93f850, priority=12, domain=permit, deny=false
hits=13401288, user_data=0xa89f67c0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab7f7740, priority=0, domain=permit-ip-option, deny=true
hits=14102309, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) tcp 196.xx.xx.xx www 192.168.200.34 www netmask 255.255.255.255
match tcp inside host 192.168.200.34 eq 80 outside any
static translation to 196.xx.xx.xx/80
translate_hits = 3, untranslate_hits = 0
Additional Information:
Static translate 192.168.200.34/80 to 196.xx.xx.xx/80 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xac1bc5f0, priority=5, domain=nat, deny=false
hits=2, user_data=0xabef8a00, cs_id=0x0, flags=0x0, protocol=6
src ip=192.168.200.34, mask=255.255.255.255, port=80
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 196.xx.xx.xx www 192.168.200.34 www netmask 255.255.255.255
match tcp inside host 192.168.200.34 eq 80 outside any
static translation to 196.xx.xx.xx/80
translate_hits = 3, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac444e80, priority=5, domain=host, deny=false
hits=288, user_data=0xabef8a00, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.200.34, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xab7b1140, priority=0, domain=permit-ip-option, deny=true
hits=14357716, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14795205, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
10-28-2013 02:51 AM
Here is the FW Config
ASA Version 8.2(1)
!
hostname MMHS-WILMED-FW
domain-name
enable password gvpDMPM3vsM7wX0g encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.1.1.9 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.1.1.2 255.255.255.248
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 255.255.255.248
!
interface Ethernet0/3
nameif internet
security-level 0
ip address 10.20.20.1 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone SAST 2
dns server-group DefaultDNS
domain-name xxxx
object-group service KotiePienaar tcp-udp
description Pienaa program
port-object eq 1235
port-object eq 1236
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list INSIDE_INTERFACE extended permit tcp host 192.168.200.9 any eq smtp
access-list INSIDE_INTERFACE extended permit tcp host 192.168.200.30 any eq smtp
access-list INSIDE_INTERFACE extended deny tcp any any eq smtp
access-list INSIDE_INTERFACE extended permit tcp any any eq www
access-list INSIDE_INTERFACE extended permit tcp any any eq https
access-list INSIDE_INTERFACE extended deny ip any host inactive
access-list INSIDE_INTERFACE extended deny ip any host
access-list INSIDE_INTERFACE extended deny ip any host
access-list INSIDE_INTERFACE extended deny ip any host
access-list INSIDE_INTERFACE extended deny ip any host
access-list INSIDE_INTERFACE extended deny object-group TCPUDP any any eq 29239
access-list INSIDE_INTERFACE extended permit ip any any
access-list INSIDE_INTERFACE extended permit icmp any any echo-reply
access-list INSIDE_INTERFACE extended permit icmp any any source-quench
access-list INSIDE_INTERFACE extended permit icmp any any unreachable
access-list INSIDE_INTERFACE extended permit icmp any any time-exceeded
access-list outside extended permit tcp any host 192.168.200.9 eq smtp
access-list outside extended deny tcp any any eq smtp
access-list outside extended permit ip any host
access-list outside extended permit tcp any host 196.168.200.9 eq www
access-list outside extended permit tcp any host 192.168.200.9 eq https
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any source-quench
access-list outside extended permit icmp any any unreachable
access-list outside extended permit icmp any any time-exceeded
access-list dmz_access_in extended permit ip any any
access-list OUTBOUND_MAIL extended permit tcp any host 192.168.200.9 eq smtp
access-list OUTBOUND_MAIL extended deny tcp any any eq smtp
access-list OUTBOUND_MAIL extended permit ip any host
access-list OUTBOUND_MAIL extended permit tcp any host 192.168.200.9 eq www
access-list OUTBOUND_MAIL extended permit tcp any host 192.168.200.9 eq https
access-list OUTBOUND_MAIL extended permit icmp any any echo-reply
access-list OUTBOUND_MAIL extended permit icmp any any source-quench
access-list OUTBOUND_MAIL extended permit icmp any any unreachable
access-list OUTBOUND_MAIL extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any echo-reply
!
tcp-map Map1
queue-limit 200 timeout 10
reserved-bits clear
synack-data allow
invalid-ack allow
seq-past-window allow
tcp-options range 9 255 allow
urgent-flag allow
!
pager lines 24
logging enable
logging list test level emergencies
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu internet 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (internet) 1 interface
access-group OUTBOUND_MAIL in interface outside
access-group INSIDE_INTERFACE in interface inside
access-group dmz_access_in in interface dmz
!
router rip
network 10.0.0.0
network 172.1.0.0
default-information originate
version 2
no auto-summary
!
route outside 0.0.0.0 0.0.0.0 172.1.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
no threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.197.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.198.2 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.200.34 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.200.3 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.200.5 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.200.7 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.200.9 255.255.255.255
threat-detection scanning-threat shun duration 300
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username password xZKuL1o9jZHll3io encrypted privilege 15
usernam password KWii2NKIjaql9oaK encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
no dns-guard
no protocol-enforcement
no nat-rewrite
policy-map global_policy
class inspection_default
inspect dns
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1d43f94f7e4209a9e4867e025cb70f3a
10-28-2013 03:18 AM
Hi,
Didn't know that the ASA wasn't the Internet edge device in your network.
Then I guess you should monitor the logs for this website connection, look for the Built/Teardown messages for this connection, and look at the Teardown message's reason for the teardown.
Do you have some log messages that you could share?
You could also check the device in the Internet edge and see if there is any problems there.
- Jouni
10-28-2013 04:03 AM
Hi
This is the Teardown for the specific address I am trying to connect to:
8:03|302014|203.xx.xxx.xx|80|192.168.200.34|17980|Teardown TCP connection 14844355 for outside:203.xx.xxx.xx/80 to inside:192.168.200.34/17980 duration 0:00:30 bytes 0 SYN Timeout
I am busy checking the edge router to the Internet but see no problems so far.
Thanks
10-28-2013 04:27 AM
Hi,
The above log message tells us that the connection attempt has gone through the firewall.
It would seem, though, that the initial 3-way handshake of the TCP connection doesn't go through (TCP SYN, TCP SYN ACK, TCP ACK). Usually it means that the remote host won't reply. It might be because of NAT configurations or some routing problems.
So I would check that there is no routing or NAT related problem in your configurations.
Though if only a single host suffers from this problem on the same LAN, then it sounds pretty strange.
- Jouni
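As an added example, not from the thread or from Cisco: the 302014 field list quoted in the first post and the "SYN Timeout" teardown posted above map directly onto a regular expression, and grouping teardown reasons per remote endpoint is what separates a site where the firewall allowed the SYN out but nothing came back from one that completes the handshake. The log lines below are constructed after the posted one, with RFC 5737 documentation addresses standing in for the redacted public IP; the assumption that the far-side interface is named "outside" matches the posted config, and the function names are the example's own.

```python
"""Parse ASA %ASA-6-302014 'Teardown TCP connection' messages and group the
teardown reasons per remote endpoint, so a server whose connections all end in
'SYN Timeout' with 0 bytes (the firewall let the SYN out, nothing came back)
stands out from ones that completed a handshake. Added example, not from the
thread; the log lines are constructed after the one posted above, with
documentation addresses (RFC 5737) in place of the redacted public IP."""
import re
from collections import Counter, defaultdict

# Field layout follows the 302014 description quoted at the top of the thread:
# id, interface:real-address/real-port (x2), duration, bytes, reason, [user].
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    r"(?P<if_a>[^:\s]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>[^:\s]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+?))?(?: \((?P<user>[^)]*)\))?\s*$"
)

# Constructed sample. The first two lines use the pipe-delimited ASDM real-time
# viewer export seen in the thread; the rest are plain syslog.
SAMPLE_LOG = [
    "8:03|302014|203.0.113.10|80|192.168.200.34|17980|Teardown TCP connection 14844355 "
    "for outside:203.0.113.10/80 to inside:192.168.200.34/17980 duration 0:00:30 bytes 0 SYN Timeout",
    "8:04|302014|203.0.113.10|80|192.168.200.34|17981|Teardown TCP connection 14844402 "
    "for outside:203.0.113.10/80 to inside:192.168.200.34/17981 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302014: Teardown TCP connection 14844410 for outside:198.51.100.7/443 "
    "to inside:192.168.200.34/17990 duration 0:00:12 bytes 48213 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 14844415 for outside:198.51.100.7/443 "
    "to inside:192.168.200.11/50120 duration 0:01:02 bytes 9012 TCP Reset-O (jdoe)",
    # A 302013 'Built' message: not a teardown, must be skipped by the parser.
    "%ASA-6-302013: Built outbound TCP connection 14844420 for outside:198.51.100.7/443 "
    "(198.51.100.7/443) to inside:192.168.200.11/50121 (203.0.113.1/50121)",
]


def parse_teardown(line):
    """Return the fields of one 302014 message as a dict, or None for any other line."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    h, mi, s = (int(x) for x in rec["duration"].split(":"))
    rec["duration_s"] = h * 3600 + mi * 60 + s
    rec["bytes"] = int(rec["bytes"])
    rec["reason"] = rec["reason"] or ""
    return rec


def remote_endpoint(rec, remote_if="outside"):
    """(ip, port) of the endpoint on the far-side interface. Assumes that
    interface is named 'outside', as in the config posted in the thread."""
    if rec["if_a"] == remote_if:
        return rec["ip_a"], int(rec["port_a"])
    return rec["ip_b"], int(rec["port_b"])


def summarize(lines, remote_if="outside"):
    """Per remote endpoint: Counter of teardown reasons and total bytes moved.
    Also return the endpoints that only ever produced 'SYN Timeout' with 0 bytes."""
    reasons, total_bytes = defaultdict(Counter), Counter()
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            continue
        ep = remote_endpoint(rec, remote_if)
        reasons[ep][rec["reason"]] += 1
        total_bytes[ep] += rec["bytes"]
    unanswered = sorted(ep for ep, c in reasons.items()
                        if set(c) == {"SYN Timeout"} and total_bytes[ep] == 0)
    return dict(reasons), dict(total_bytes), unanswered
```

Run `summarize()` over a buffered-log export and the `unanswered` list is the set of servers showing exactly the pattern Jouni describes: the ASA built the connection and forwarded the SYN, no SYN-ACK returned within the 30 second embryonic timeout. An ACL drop on the ASA itself would never appear here; it is logged as a 106xxx deny message, not as a 302014 teardown.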
10-28-2013 04:45 AM
Hi, thanks. If you look at the conf of the Internet router, can you see any NAT problems there? The NAT for the mail server, from which I can access the website, looks the same as the NAT for the Internet.
When I do a tracert to the website from the mail server, the route is the same as the tracert from any other host, except for the breakout router's IP that changes.
I can access the website only from the mail server; no other hosts on my LAN can access it, and it's only this specific website that does not work, the one the CEO wants to access (don't you just love that). Never had any other problems with any sites.
Thanks for your help so far, I'm out of ideas.
10-28-2013 06:53 AM
Hmm,
So I assume that 192.168.200.9 is the Mail Server from which connections are working?
It seems it has been configured with Policy Based Routing and its next hop address is modified for all traffic (and for some other public source network starting with 196.).
access-list 10 permit 192.168.200.9
access-list 20 permit 196.xx.xx.xx
!
route-map MAIL_VPN permit 10
match ip address 10
set ip next-hop 196.xx.xx.xx
!
route-map MAIL_VPN permit 20
match ip address 20
set ip next-hop 196.xx.xx.xx
interface FastEthernet0/0
description "TO FIREWALL"
ip address 172.1.1.10 255.255.255.248
ip nat inside
ip virtual-reassembly
ip policy route-map MAIL_VPN
duplex auto
speed auto
I am not sure why the connection to this website wouldn't work from the current ISP that holds the default route, BUT I guess you could try configuring a static route on the router for it and pointing it towards the same gateway IP address as is configured in the above Policy Based Routing for the mail server:
ip route
- Jouni
10-28-2013 07:46 AM
Hi, I tried what you mentioned above, still not working. It goes through the gateway of the mail server but still the same problem. I don't understand, because the mail server 200.9 also goes through the firewall, so the same thing should be happening, but it's not. Can this be purely that the website we are trying to connect to does not like the way the Internet edge router is configured?
10-28-2013 04:25 AM
Hi Jouni, this is the Internet edge device conf.
You will see we had to do this because we had 2 ADSL routers with 2 separate public IPs, one for Internet and one for the mail.
Current configuration : 2761 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MMHS-WILMED-ROUTER
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$z/gK$ZmZYtqgG0LB.y0D8qgaSL0
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description "TO FIREWALL"
ip address 172.1.1.10 255.255.255.248
ip nat inside
ip virtual-reassembly
ip policy route-map MAIL_VPN
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
description "VPN"
encapsulation dot1Q 101
no snmp trap link-status
!
interface FastEthernet0/1.2
description LINK TO INTERNET ADSL
encapsulation dot1Q 201
ip address 196.xx.xx.xx 255.255.255.248
ip nat outside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0/1.3
description "OLD ADSL-MAIL ADSL"
encapsulation dot1Q 200
ip address 196.xx.xx.xx 255.255.255.248
ip nat outside
ip virtual-reassembly
no snmp trap link-status
!
router rip
version 2
network 10.0.0.0
network 172.1.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 196.xx.xx.xx
ip route 0.0.0.0 0.0.0.0 196.xx.xx.xx 90
ip route 196.xx.xx.xx 255.255.255.255 172.1.1.9
!
!
no ip http server
no ip http secure-server
ip nat pool INTERNET 196.xx.xx.xx 196.xx.xx.xx netmask 255.255.255.248
ip nat pool MAIL_VPN 196.xx.xx.xx 196.xx.xx.xx netmask 255.255.255.248
ip nat inside source list INTERNET pool INTERNET overload
ip nat inside source static 196.xx.xx.xx 196.xx.xx.xx
ip nat inside source static 192.168.200.9 196.xx.xx.xx
!
ip access-list extended INTERNAL
permit ip 192.168.200.0 0.0.0.255 any
permit ip 192.168.201.0 0.0.0.255 any
permit ip 192.168.202.0 0.0.0.255 any
permit ip 192.168.203.0 0.0.0.255 any
permit ip 192.168.204.0 0.0.0.255 any
permit ip 192.168.199.0 0.0.0.255 any
permit ip 192.168.207.0 0.0.0.255 any
ip access-list extended INTERNET
permit ip 192.168.200.0 0.0.0.255 any
permit ip 192.168.201.0 0.0.0.255 any
permit ip 192.168.202.0 0.0.0.255 any
permit ip 192.168.203.0 0.0.0.255 any
permit ip 192.168.204.0 0.0.0.255 any
permit ip 192.168.199.0 0.0.0.255 any
permit ip 192.168.207.0 0.0.0.255 any
!
access-list 10 permit 192.168.200.9
access-list 20 permit 196.xx.xx.xx
!
route-map MAIL_VPN permit 10
match ip address 10
set ip next-hop 196.xx.xx.xx
!
route-map MAIL_VPN permit 20
match ip address 20
set ip next-hop 196.xx.xx.xx
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password 7 15015A1F0F7A0B29253B26
login
!
end
10-28-2013 01:03 AM
Hi,
The first "packet-tracer" output, using the interface "inside", is the correct one, as we are checking what happens to a packet coming from your LAN network towards the external web server.
As we can see, there is no NAT phase for the source address 192.168.200.11. This means the host goes through the firewall without any NAT applied to it. This means the connection will naturally be dropped by the ISP, since it's a private IP address.
Check the NAT configurations for this host. Make sure you have included it in your Dynamic PAT rules.
- Jouni
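As an added example (not part of the thread, and not a Cisco tool), a small Python parser for the packet-tracer output exchanged above. It pulls out the per-phase Type/Result and the final Action/Drop-reason, reports the phase that dropped the packet together with the rule shown under its Config:, and flags the case Jouni points to in this reply: an allowed flow whose RFC 1918 source never went through a NAT phase. The two sample traces are constructed, trimmed copies of the ones posted in this thread; the function names are the example's own.

```python
"""Parse Cisco ASA `packet-tracer` output and report the two things this
thread turned on: which phase dropped the packet, and whether an allowed flow
from an RFC 1918 source ever went through a NAT phase. Added example, not from
the thread; the samples are constructed, trimmed copies of the traces above."""
import ipaddress
import re

# Constructed: packet entered on "inside", allowed, but no NAT phase at all.
TRACE_NO_NAT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_INTERFACE in interface inside
access-list INSIDE_INTERFACE extended permit tcp any any eq www
Additional Information:
Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Constructed: same packet fed in on "outside"; the implicit deny drops it.
TRACE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(
    r"^(Type|Subtype|Result|Action|Drop-reason|input-interface|output-interface):\s*(.*)$")


def parse_trace(text):
    """Split a trace into per-phase dicts plus the trailing Result/Action block.
    Free text under 'Config:' and 'Additional Information:' is kept as lists."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "Config": [], "Additional Information": []}
            phases.append(cur)
            section = None
        elif line == "Result:":          # bare 'Result:' opens the final block
            cur, section = None, None
        elif cur is not None and line in ("Config:", "Additional Information:"):
            section = line[:-1]
        elif FIELD_RE.match(line):
            key, val = FIELD_RE.match(line).groups()
            (summary if cur is None else cur)[key] = val
            section = None
        elif cur is not None and section is not None and line:
            cur[section].append(line)
    return phases, summary


def analyze(text, src_ip):
    """Report the dropping phase with the rule it matched, or an allowed flow
    whose private source address was never translated (no NAT phase)."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    has_nat = any(p.get("Type") == "NAT" for p in phases)
    findings = []
    if drop is not None:
        findings.append("dropped in phase %d (%s): %s" % (
            drop["phase"], drop["Type"], "; ".join(drop["Config"]) or "no config shown"))
    if summary.get("Action") == "allow" and not has_nat and ipaddress.ip_address(src_ip).is_private:
        findings.append("allowed, but no NAT phase: %s leaves %s untranslated"
                        % (src_ip, summary.get("output-interface", "?")))
    return {"action": summary.get("Action"), "drop_reason": summary.get("Drop-reason"),
            "drop_phase": None if drop is None else drop["phase"],
            "has_nat_phase": has_nat, "findings": findings}
```

The check for a missing NAT phase is the one worth keeping around: `Action: allow` at the bottom of a trace says only that the ASA forwarded the packet, and a private source that leaves the outside interface untranslated will still be unreachable from the far end, exactly as in the first trace in this thread.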