10-31-2011 10:23 AM - edited 03-11-2019 02:44 PM
Hi,
Here's the current scenario:
[LAN] <---> ASA 5520 <---> Cisco 2911 <---> [Internet] <---> Server A
               |
               |
             [DMZ]
Whenever I access a website running in "server A" (only HTTP traffic) everything works fine.
The problem is that when I try to access a different service on the same server but listening on port 2000/tcp I get the TCP Reset-O message on the ASA and the workstation's browser says that "Internet Explorer cannot display the webpage".
A weird thing: if I access this service from a machine on the DMZ, it works fine. From the LAN (Inside) it does not work. The main difference is that from the LAN to OUTSIDE the ASA does NAT. From the DMZ to OUTSIDE it's just routed.
I did another test from the LAN and the captured traffic is attached.
I've been messing around with protocol inspects and firewall + NAT rules on the ASA but no luck at all.
Any tips about this?
Thanks in advance.
10-31-2011 11:25 AM
Hello Guilherme,
Is it possible that you could take a capture on the outside interface using the natted IP, and also do a
capture asp drop:
-capture asp type asp-drop all
and provide us the capture on the outside interface and also the following output:
-sh capture asp | include (Server A's IP)
Regards,
10-31-2011 12:53 PM
Hi,
The capture I attached to the first message is from the outside interface. The IP 172.16.1.253 belongs to the ASA's outside interface between the ASA and the 2911 router.
I did the asp capture but it didn't show anything related to the destination IP (server A).
10-31-2011 03:12 PM
Guilherme,
Is the traffic that you are passing on that port web traffic? See, the problem is that the firewall has a default inspection policy that will look for Skinny (SCCP) traffic on that specific port. If it sees any other type of information (called FTP, HTTP or any other service) that is not related to SCCP, it will drop the connection.
You can avoid that by disabling the Skinny inspection under the global policy
policy-map global_policy
class inspection_default
no inspect skinny
Hope this helps.
Mike
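The default inspection policy Mike describes, shown here as an added illustration rather than config from this thread: the inspection_default class matches the built-in default-inspection-traffic set, which includes TCP/2000 for Skinny, and the change below removes that inspection. The abridged default policy and the verification commands are assumptions about a typical ASA, not output from the poster's box.

```cisco
! Default ASA global policy (abridged, assumed typical). The
! inspection_default class matches the built-in default-inspection-traffic
! set, which maps TCP/2000 to Skinny (SCCP); a non-SCCP session on that
! port is parsed as SCCP and reset when the inspector rejects it.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect skinny
  ! ... other default inspections (ftp, sip, dns, ...) omitted
!
service-policy global_policy global
!
! Corrected policy: drop SCCP inspection from the default class so the
! web service listening on TCP/2000 is no longer treated as Skinny.
policy-map global_policy
 class inspection_default
  no inspect skinny
!
! Verification: confirm skinny is gone from the running policy, then
! re-test from the inside and check for policy-related drops.
show running-config policy-map
show service-policy inspect skinny
clear asp drop
show asp drop
```

Removing the inspection globally affects every SCCP phone behind the ASA, so on a network that does carry Skinny traffic the trade-off should be weighed before applying it.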
11-01-2011 04:03 AM
Hi Mike,
Yes, it is web traffic; however, I have already disabled Skinny inspection and the problem persists.
There must be something wrong because from the DMZ (routed, no NAT) it works just fine and from the inside it doesn't.
Thanks.
Guilherme
11-01-2011 10:41 AM
Can I see the configuration? And have the Addresses involved?
Mike