
ASA TCP Reset-O

guilherme (Level 1)

Hi,

Here's the current scenario:

[LAN] <---> ASA 5520 <---> Cisco 2911 <---> [Internet] <---> Server A
               |
               |
             [DMZ]

Whenever I access a website running on "server A" (only HTTP traffic) everything works fine.

The problem is that when I try to access a different service on the same server but listening on port 2000/tcp I get the TCP Reset-O message on the ASA and the workstation's browser says that "Internet Explorer cannot display the webpage".

A weird thing: if I access this service from a machine on the DMZ, it works fine. From the LAN (Inside) it does not work. The main difference is that from the LAN to OUTSIDE the ASA does NAT. From the DMZ to OUTSIDE it's just routed.

I did another test from the LAN and the captured traffic is attached.

I've been messing around with protocol inspects and firewall + NAT rules on the ASA but no luck at all.

Any tips about this?

Thanks in advance.

5 Replies

Julio Carvajal (VIP Alumni)

Hello Guilherme,

Is it possible that you could take a capture on the outside interface using the NATted IP, and also do a capture of ASP drops:

    capture asp type asp-drop all

and provide us the capture on the outside interface and also the following output:

    show capture asp | include <server A's IP>

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
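The capture workflow Julio asks for, written out as an added example that is not part of the original thread. The addresses are assumptions: 172.16.1.253 is the ASA outside interface named later in the thread (used here as the NATted source, i.e. interface PAT), and 203.0.113.10 stands in for server A, whose real address is not given.

```cisco
! Added example, not from the original post. Assumed addresses:
!   172.16.1.253  ASA outside interface / NATted source of the LAN host
!   203.0.113.10  server A (placeholder, documentation range)
!
! 1. Capture both directions of the tcp/2000 flow on the outside interface
access-list CAP_SRVA extended permit tcp host 172.16.1.253 host 203.0.113.10 eq 2000
access-list CAP_SRVA extended permit tcp host 203.0.113.10 eq 2000 host 172.16.1.253
capture OUT interface outside access-list CAP_SRVA
!
! 2. Capture every packet the accelerated security path drops, with the drop reason
capture asp type asp-drop all
!
! 3. Reproduce the connection from the LAN workstation, then inspect
show capture OUT
show capture OUT detail
show capture asp | include 203.0.113.10
show conn address 203.0.113.10
show asp drop
!
! 4. Remove the captures afterwards; the asp-drop capture is global and costs CPU
no capture OUT
no capture asp
clear configure access-list CAP_SRVA
```

If the flow shows up in the outside capture but the SYN/ACK is followed by an RST from the ASA and the asp-drop capture stays empty for that address, the reset is coming from an inspection engine rather than from the ASP packet path, which is why the `show asp drop` counters and the inspection policy are the next things to look at.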

Hi,

The capture I attached to the first message is from the outside interface. The IP 172.16.1.253 belongs to the ASA's outside interface between the ASA and the 2911 router.

I did the asp capture but it didn't show anything related to the destination IP (server A).

Guilherme,

Is the traffic that you are passing on that port web traffic? See, the problem is that the firewall has a default inspection policy that will look for Skinny (SCCP) traffic on that specific port. If it sees any other type of information (FTP, HTTP or any other service) that is not related to SCCP, it will drop the connection.

You can avoid that by disabling the Skinny inspection under the global policy

    policy-map global_policy
     class inspection_default
      no inspect skinny

Hope this helps.

Mike
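To make Mike's point concrete, here is the relevant part of the ASA default global policy, the change he suggests, and a narrower alternative. This is an added example and not configuration from the original thread; the call manager address 10.10.10.5 and the class/ACL names are assumptions.

```cisco
! Added example, not from the original post.
!
! As shipped, the ASA matches tcp/2000 as SCCP via the default inspection class,
! so HTTP on tcp/2000 is handed to the Skinny inspector and reset.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect skinny
!
service-policy global_policy global
!
! Fix 1 (what Mike suggests): stop inspecting SCCP in the default class
policy-map global_policy
 class inspection_default
  no inspect skinny
!
! Fix 2 (assumed alternative, applied after Fix 1): if real SCCP phones still need
! inspection, inspect tcp/2000 only toward the call manager (assumed 10.10.10.5),
! so other servers on port 2000 are left alone
access-list SCCP_TO_CUCM extended permit tcp any host 10.10.10.5 eq 2000
class-map SCCP_ONLY
 match access-list SCCP_TO_CUCM
policy-map global_policy
 class SCCP_ONLY
  inspect skinny
!
! Verify which classes the policy now has and whether the Skinny inspector
! is still counting drops for this traffic
show service-policy global
show service-policy inspect skinny
```

Changes to `policy-map global_policy` take effect for new connections only, so clear the existing connection to server A (`clear conn address <server A IP>`) before retesting, otherwise the old reset state can mask the result.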

Hi Mike,

Yes it is web traffic however I have already disabled Skinny inspection and the problem persists.

There must be something wrong because from the DMZ (routed, no NAT) it works just fine and from the inside it doesn't.

Thanks.

Guilherme

Can I see the configuration? And have the Addresses involved?

Mike