10-08-2013 09:25 AM - edited 03-11-2019 07:48 PM
Hello everyone,
I have recently started learning about ASAs and I had an issue while deploying an ASA. Previously we had a router which was acting as a firewall and I was assigned the task to replace it with an ASA 5512. I have configured the access rules and everything. But when I bring up the ASA we were unable to reach the mail server from outside. When I run Wireshark on the mail server it says that
6 0.250255000 X.X.X.2 Y.Y.Y.15 TCP 74 40092 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=344785118 TSecr=0 WS=64
7 0.250319000 Y.Y.Y.15 X.X.X.2 TCP 74 http > 40092 [SYN, ACK] Seq=0 Ack=1 Win=8192 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=181293696 TSecr=344785118
8 0.252076000 X.X.X.2 Y.Y.Y.15 TCP 60 40092 > http [RST, ACK] Seq=1 Ack=1 Win=524288 Len=0
where X.X.X.2 is the external IP from which I was trying to open the mail server on port 80 and Y.Y.Y.15 is my mail server.
and on the ASA it says
6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags PSH ACK on interface External_Interface
6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags PSH ACK on interface External_Interface
6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags FIN ACK on interface External_Interface
6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags FIN ACK on interface External_Interface
Here Y.Y.Y.85 is the external IP address for my mail server.
I have tried TCP state bypass but it didn't work. Can anyone please help me with this?
Thanks in advance...
Raj
10-08-2013 11:07 AM
Hi,
The log messages seem to point to a situation where the ASA is blocking a packet for a connection that doesn't exist on the ASA yet or has been removed from it before.
I think the ASA usually sends a TCP Reset to the host when the ASA is configured to reset a connection that is not allowed according to its ACLs.
I guess this might also be due to asymmetric routing. For example, if the TCP SYN arrived at the server from some OTHER device than the ASA and the server then sends traffic through its default gateway, which would be the ASA, then the ASA would drop the SYN, ACK since it never saw the original SYN.
- Jouni
10-08-2013 11:53 AM
Hello Jouni,
Thank you for the reply. I don't think I have any asymmetric route. Can you please let me know how to look for an asymmetric route? Moreover, when I captured asp-drop packets I found this
6: 14:40:39.724068 192.168.2.15.80 > 10.10.10.2.41828: S 1930943544:1930943544(0) ack 1214614617 win 8192
7: 14:40:39.974269 192.168.2.15.80 > 10.10.10.2.41829: S 2640695216:2640695216(0) ack 2109706537 win 8192
8: 14:40:45.724556 192.168.2.15.80 > 10.10.10.2.41828: S 1932490255:1932490255(0) ack 1214614617 win 8192
9: 14:40:45.974375 192.168.2.15.80 > 10.10.10.2.41829: S 2642506900:2642506900(0) ack 2109706537 win 8192
(Here 192.168.2.15 is my mail server and 10.10.10.2 is my external IP; I am testing it in the lab)
but I haven't configured any rule which blocks the packets.
--
Raj
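Jouni's reading of the 106015 messages and the asp-drop capture can be automated. The script below is an added example, not code from the thread or from Cisco: it parses syslog lines in the pipe-delimited export format shown earlier in the thread and the `capture asp type asp-drop all` output format Raj pasted, separates stray resets (which never need a connection entry) from flows the ASA genuinely holds no state for, and lists the SYN/ACKs the ASA is dropping on the way out. The log lines and addresses are constructed samples (RFC 5737 documentation ranges plus the 10.10.10.2 and 192.168.2.15 lab hosts), and the verdict wording is my own.

```python
"""Triage ASA %ASA-6-106015 'Deny TCP (no connection)' events plus an
asp-drop capture: separate stray RSTs (noise) from flows for which the
ASA really holds no connection entry, and list the SYN/ACKs being
dropped outbound (the server answering a SYN the ASA never built
state for)."""
import re
from collections import defaultdict

# Constructed sample: pipe-delimited ASDM log export, same shape as the
# thread's lines, with placeholder addresses.
SYSLOG_106015 = """\
6|Oct 01 2013|19:08:31|106015|10.10.10.2|1305|203.0.113.85|80|Deny TCP (no connection) from 10.10.10.2/1305 to 203.0.113.85/80 flags PSH ACK on interface outside
6|Oct 01 2013|19:08:31|106015|10.10.10.2|1305|203.0.113.85|80|Deny TCP (no connection) from 10.10.10.2/1305 to 203.0.113.85/80 flags FIN ACK on interface outside
6|Oct 01 2013|19:08:35|106015|198.51.100.7|5123|203.0.113.85|80|Deny TCP (no connection) from 198.51.100.7/5123 to 203.0.113.85/80 flags RST on interface outside
"""

# Constructed sample: 'capture asp type asp-drop all' output in the shape
# Raj posted, plus one RST line to show the SYN/ACK filter ignoring it.
ASP_DROP_CAPTURE = """\
6: 14:40:39.724068 192.168.2.15.80 > 10.10.10.2.41828: S 1930943544:1930943544(0) ack 1214614617 win 8192
7: 14:40:39.974269 192.168.2.15.80 > 10.10.10.2.41829: S 2640695216:2640695216(0) ack 2109706537 win 8192
8: 14:40:45.724556 192.168.2.15.80 > 10.10.10.2.41828: S 1932490255:1932490255(0) ack 1214614617 win 8192
9: 14:40:46.100000 192.168.2.15.80 > 10.10.10.2.41830: R 0:0(0) ack 55 win 0
"""

SYSLOG_RE = re.compile(
    r"\|106015\|.*?Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)")

# '<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> [seq(len)] [ack N] ...'
CAPTURE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"\s+(?P<tcpflags>[SFRP.]+)(?:\s+\d+:\d+\(\d+\))?(?P<ack>\s+ack\s+\d+)?")

STRAY_RESET = "stray RST with no connection; normally noise, safe to ignore"
NO_STATE = ("mid-stream packet but the ASA holds no connection: the SYN never built "
            "state here (asymmetric path, idle timeout, or NAT/ACL kept the conn from forming)")
UNCLASSIFIED = "unclassified flag combination; inspect manually"


def classify_denies(syslog_text):
    """Group 106015 events per 5-tuple (plus ingress interface) and label each flow."""
    flows = defaultdict(set)
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["iface"])
            flows[key].update(m["flags"].split())
    verdicts = {}
    for key, flags in flows.items():
        if "RST" in flags and flags <= {"RST", "ACK"}:
            verdicts[key] = STRAY_RESET          # a reset needs no conn; ASA just drops it
        elif "ACK" in flags and "SYN" not in flags:
            verdicts[key] = NO_STATE             # data/FIN for a flow the ASA never tracked
        else:
            verdicts[key] = UNCLASSIFIED
    return verdicts


def find_dropped_synacks(capture_text):
    """Count, per flow, SYN/ACK packets sitting in the asp-drop queue: a host is
    answering a handshake the ASA has no connection entry for."""
    dropped = defaultdict(int)
    for line in capture_text.splitlines():
        m = CAPTURE_RE.match(line)
        if m and "S" in m["tcpflags"] and m["ack"]:
            dropped[(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))] += 1
    return dict(dropped)


def triage(syslog_text, capture_text):
    """Combine both views into one report dictionary."""
    return {"denies": classify_denies(syslog_text),
            "dropped_synacks": find_dropped_synacks(capture_text)}


if __name__ == "__main__":
    report = triage(SYSLOG_106015, ASP_DROP_CAPTURE)
    for flow, verdict in report["denies"].items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} on {flow[4]}: {verdict}")
    for flow, n in report["dropped_synacks"].items():
        print(f"{n} SYN/ACK dropped for {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}")
```

When a flow comes back as "no connection", the next checks on the box are `show conn` filtered on the client address while the client retries (is a conn ever built?), a `capture` on the outside interface matching the client so you can confirm the SYN really enters through the ASA, and `show asp drop` for the drop-reason counters; if the SYN is seen but no conn appears, the problem is in the NAT/ACL evaluation rather than in routing.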
10-08-2013 11:58 AM
Have you run a packet-tracer for the source and destination to see if it shows any rules or NATs that would drop the traffic?
Run something like this
packet-tracer input outside tcp 10.10.10.2 1032 192.168.2.15 25
(using your IPs in the last comment)
and see if that shows any reason for it to be dropped or denied.
10-08-2013 11:59 AM
Hi,
Well, any routing-related problem could be checked by simply following the routing tables on the L3 devices in the network and checking the network settings on the related host devices.
To be honest, it would be way simpler to check the ASA configuration for any problems and also issue "packet-tracer" commands to simulate an incoming connection from the external network to the server.
- Jouni
10-11-2013 09:25 AM
Thank you Jouni,
the issue was resolved. It was a NAT rule which was not allowing the traffic.
--
Raj
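Raj does not say which NAT rule was wrong, so what follows is an added example rather than the thread's fix. It is a small Python lint (my code, not Cisco's) for the two things an inbound service on an ASA running 8.3 or later needs: a static NAT on the server's network object, and an inbound ACL that permits the real (untranslated) server address, because interface ACLs on 8.3+ match real addresses and an ACL written against the public address permits nothing. The same rule applies to packet-tracer: a trace entering the outside interface must use the mapped (public) address as its destination, which is what the `packet_tracer_cmd` helper builds. Both configuration snippets are constructed with placeholder addresses; `MAILSERVER`, `OUTSIDE_IN` and the function names are mine.

```python
"""Lint an ASA 8.3+ configuration for an inbound service: is there a static
NAT for the server, and does the inbound ACL permit the REAL address (what
interface ACLs match on 8.3+), not the mapped one?"""
import re

# Constructed 'before' config: no NAT for the server, and an ACL written
# pre-8.3 style against the public address, which matches nothing on 8.3+.
BROKEN_CONFIG = """\
object network MAILSERVER
 host 192.168.2.15
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.85 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.85 eq 25
access-group OUTSIDE_IN in interface outside
"""

# Constructed 'after' config: auto (object) NAT plus an ACL on the real host.
FIXED_CONFIG = """\
object network MAILSERVER
 host 192.168.2.15
 nat (inside,outside) static 203.0.113.85
access-list OUTSIDE_IN extended permit tcp any object MAILSERVER eq 80
access-list OUTSIDE_IN extended permit tcp any object MAILSERVER eq smtp
access-group OUTSIDE_IN in interface outside
"""

OBJ_RE = re.compile(r"^object network (?P<name>\S+)\s*$")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp|ip) "
    r"(?P<src>any4|any|host \S+|object \S+) (?P<dst>any4|any|host \S+|object \S+)"
    r"(?: eq (?P<port>\S+))?\s*$")
AG_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)\s*$")
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "https": 443}  # subset of ASA names


def parse_objects(config):
    """Return {name: {'host': real_ip, 'static': mapped_ip}} from object network blocks."""
    objects, cur = {}, None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            cur = m["name"]
            objects[cur] = {"host": None, "static": None}
        elif cur and line.startswith(" "):
            parts = line.split()
            if parts[0] == "host":
                objects[cur]["host"] = parts[1]
            elif parts[0] == "nat" and "static" in parts:
                objects[cur]["static"] = parts[parts.index("static") + 1]
        else:
            cur = None  # any unindented line closes the object block


    return objects


def resolve(addr, objects):
    """Turn 'host X' / 'object N' / 'any' into an IP string (or 'any')."""
    kind, _, arg = addr.partition(" ")
    if kind == "host":
        return arg
    if kind == "object":
        return objects.get(arg, {}).get("host")
    return "any"


def port_matches(acl_port, wanted):
    if acl_port is None:
        return True  # no 'eq' means every port of the protocol
    if acl_port in PORT_NAMES:
        return PORT_NAMES[acl_port] == wanted
    return acl_port.isdigit() and int(acl_port) == wanted


def check_inbound_service(config, real_ip, mapped_ip, port, outside="outside"):
    """Return a list of findings; an empty list means NAT and ACL look right."""
    objects = parse_objects(config)
    findings = []
    if not any(o["host"] == real_ip and o["static"] == mapped_ip for o in objects.values()):
        findings.append(f"no static NAT translating {real_ip} to {mapped_ip}")
    applied = next((m["name"] for m in map(AG_RE.match, config.splitlines())
                    if m and m["iface"] == outside), None)
    if applied is None:
        findings.append(f"no access-group applied inbound on {outside}")
        return findings
    permits_real = permits_mapped = False
    for m in map(ACL_RE.match, config.splitlines()):
        if not m or m["name"] != applied or m["proto"] not in ("tcp", "ip"):
            continue
        if not port_matches(m["port"], port):
            continue
        dst = resolve(m["dst"], objects)
        permits_real |= dst in (real_ip, "any")
        permits_mapped |= dst == mapped_ip
    if not permits_real:
        msg = f"{applied} does not permit tcp/{port} to the real address {real_ip}"
        if permits_mapped:
            msg += (f"; it permits the mapped address {mapped_ip} instead, which is pre-8.3 "
                    "semantics (8.3+ interface ACLs match real, untranslated addresses)")
        findings.append(msg)
    return findings


def packet_tracer_cmd(src_ip, src_port, mapped_ip, port):
    """Inbound trace on 8.3+: the destination is the MAPPED address, as on the wire."""
    return f"packet-tracer input outside tcp {src_ip} {src_port} {mapped_ip} {port}"


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_inbound_service(cfg, "192.168.2.15", "203.0.113.85", 80) or "ok")
    print(packet_tracer_cmd("10.10.10.2", 1032, "203.0.113.85", 80))
```

Run the packet-tracer line the helper prints on the box after any NAT change; the output names the exact phase (ACCESS-LIST, NAT, ...) that drops the simulated SYN, which is far quicker than reading 106015 logs after the fact.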