ASA 5512 outside can not access ACS server through HTTPS in DMZ

supermanwwc
Level 1

Hello, there may be some problems with the ASA's config, but I can't find where the problems are.

Below is the basic config for this ASA:

DMZ IP address: 192.168.3.254/24

Outside IP address: 125.35.20.188/26

ACS server IP address: 192.168.3.240/24 (ACS server version 5.2)

 

DMZ access to the ACS server through HTTPS (https://192.168.3.240/acsadmin): successful

Outside access to the ACS server through HTTPS (https://192.168.3.240/acsadmin): failed

Outside access through HTTPS (https://125.35.20.145/acsadmin): failed

Where are the problems? Thanks!

 

Please get the detailed config in the attached file

 

 

Accepted Solution

Hello,

 

From what I can tell, this is purely a client-server issue and not a firewall issue. I checked the captures you attached, and:

- There is clearly a 3-way handshake done successfully.

- A reset is then sent from 218.247.232.86 at a certain time; it could be application-specific traffic.

A couple more things to figure out the issue:

1. Is the same traffic working from behind the firewall?

2. Is there a WAF (Web Application Firewall) or any other appliance that could be causing this issue?

3. There could be an IPS issue as well.

 

HTH
AJ


9 Replies

denilson.mota
Level 1

Can you enable traffic from the lower security level to the higher security level and try it again?

 

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

 

Cheers

 

Thank you very much for your help.

But the security levels are different.

Ajay Saini
Level 7

Hello,

 

The config looks okay. Can you please take syslogs on the ASA and attach them here?

Also, it could be an issue with internet routing for the NAT IP address 125.35.20.145.

 

You can take a capture:

 

capture capo interface outside match tcp any host 125.35.20.145 

 

Then initiate traffic from outside and take the output of 'show cap capo'.

 

Please take syslogs and attach these outputs. The same-security commands are not required since the security levels are different for these interfaces.

 

HTH
AJ
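As an added example that is not part of the original thread: a fuller version of the capture setup from the reply above, narrowed to HTTPS, taken on both sides of the ASA, and paired with an ASP-drop capture so that a drop by the firewall can be told apart from a reset sent by one of the hosts. The public and DMZ addresses are the ones posted in the question; the client address 218.247.232.86 is taken from the accepted solution; the DMZ interface name "dmz" is an assumption.

```cisco
! Outside: HTTPS to the public (mapped) address as it arrives on the wire
capture capo interface outside match tcp any host 125.35.20.145 eq 443
! DMZ side: the same flow after UN-NAT, so the real server address is matched
! ("dmz" is an assumed nameif; use the one from 'show nameif')
capture capd interface dmz match tcp any host 192.168.3.240 eq 443
! Anything the ASA itself discards, with the reason, lands here
capture asp type asp-drop all

! Now open https://125.35.20.145/acsadmin from the outside client, then:
show capture capo
show capture capd
! A healthy flow shows S (SYN), S/ack (SYN-ACK), ack, then data in BOTH captures.
! If an R (reset) appears, note which side sent it: a reset seen on capd from
! 192.168.3.240, or on capo from 218.247.232.86, was only forwarded by the ASA.
show capture capo detail

! If the flow exists on capo but never reaches capd, look for the drop reason
show capture asp | include 125.35.20.145
show capture asp | include 192.168.3.240
! No match here means the ASA did not drop the packets.

! Correlate with syslog for the same flow (requires logging enable / buffered)
show logging | include 125.35.20.145

! Clean up when done
no capture capo
no capture capd
no capture asp
```

Reading the two captures together answers the question the thread circles around: if the handshake completes on both interfaces and the reset comes from the client or the server, the firewall only carried it and the cause is on a host or an appliance in the path; if the packets stop at the outside capture and show up in the ASP-drop capture, the ASA dropped them and the drop reason names the rule or phase responsible.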

Thank you very much for your advice.

I didn't change any configuration. I tried again today, only with this command to collect logs (capture capo interface outside match tcp any host 125.35.20.145).

https://125.35.20.145/acsadmin/login.jsp opened successfully from Outside.

 

 

Please see the attached document. Thank you very much again.

 


Thank you for your suggestion. It is very useful for us.

Pawan Raut
Level 4

Can you check that you have the proper ACL and NAT rules on the ASA? Could you do a packet-tracer on the ASA:

packet-tracer input outside tcp <source ip> 1025 <ACS IP address> 443 de

 

Thank you very much for your help.

packet-tracer input outside tcp <source ip> 1025 <ACS IP address> 443. Why port 1025?

 

1025 is just a random source port; you can take any port above 1024.
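As an added example that is not part of the original thread: the NAT and ACL pair that publishes the ACS web UI on 125.35.20.145, in the object-NAT syntax of ASA 8.3 and later (the 5512 ships with 8.6+), followed by the packet-tracer check suggested above. The addresses are the ones posted in the question; the client address 218.247.232.86 is taken from the accepted solution; the DMZ interface name "dmz" and the object and ACL names are assumptions.

```cisco
! --- Object NAT: real DMZ host mapped to the public address, HTTPS only ---
object network ACS-SERVER
 host 192.168.3.240
 nat (dmz,outside) static 125.35.20.145 service tcp https https
! Drop the "service ..." part if other ports on the ACS must be reachable too.

! --- Inbound ACL: on 8.3+ the ACL matches the REAL (DMZ) address, not the mapped one ---
access-list OUTSIDE-IN extended permit tcp any object ACS-SERVER eq https
access-group OUTSIDE-IN in interface outside

! --- packet-tracer: the packet that arrives on outside carries the MAPPED address,
!     so on 8.3+ the destination to test is 125.35.20.145, not 192.168.3.240.
!     1025 is an arbitrary ephemeral source port, as the reply above says.
packet-tracer input outside tcp 218.247.232.86 1025 125.35.20.145 443 detailed
! Expected: an UN-NAT phase translating to 192.168.3.240, an ACCESS-LIST phase
! that hits OUTSIDE-IN, "output-interface: dmz" and "Result: ALLOW".
! A "Result: DROP" names the phase that failed (ACL, NAT, route, ...).

! --- Confirm the translation is installed and the ACL is being hit ---
show nat detail
show access-list OUTSIDE-IN
```

A packet-tracer that ends in ALLOW with the DMZ as the output interface means the ASA policy is not what blocks the request; in this thread that matched the later finding from the captures, where the handshake completed and the reset came from an endpoint rather than from the firewall.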