06-05-2014 03:37 AM - edited 03-11-2019 09:17 PM
Hello everybody,
At the customer site, we have a ASA5510 (ASA version 9.1.2 - ASDM 7.2.1).
The problem is that there is only one particular website blocked, without any logical reason. According to the configuration we block no specific traffic. In fact, all traffic from that interface (higher security level) can go to the (WAN) interface with a lower security level.
ASA interface settings:
example:
From host 192.168.1.51 (inside), the website http://www.adhocdata.nl could not be reached and is blocked by the ASA. The strange thing is, it seems to be blocked by the wrong interface/access-list (ts-data). This interface has nothing to do with it, because the traffic is initiated from the inside interface to the TS-inet (WAN) interface. So why is the wrong access list blocking only this specific website? All the other web traffic runs smoothly.
See attachment for log information.
Hopefully someone can help me.
Thanks in advance.
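The poster's attachment is not reproduced here, but the symptom described (a deny logged against an access-list that is bound to an interface the flow never touches) can be checked mechanically from the ASA syslog. The following is an added example, not part of the original post: it parses %ASA-4-106023 deny messages (whose format is fixed by the ASA), tallies which interface/ACL pair is rejecting traffic to a given destination, and flags denies where the ACL named in the log is not the one bound to the ingress interface. The sample log lines, the ACL names (`inside_access_in`, `ts-data_access_in`) and the ACL-to-interface map are constructed assumptions; on a real box the map comes from `show running-config access-group`.

```python
import re
from collections import Counter

# Constructed sample syslog lines (NOT the thread's attachment). The ACL names
# are assumptions; the thread only says the "ts-data" ACL denied the traffic.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:192.168.1.51/49152 dst ts-inet:217.119.236.139/80 by access-group "ts-data_access_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 1234 for ts-inet:93.184.216.34/80 (93.184.216.34/80) to inside:192.168.1.51/49153 (203.0.113.10/49153)
%ASA-4-106023: Deny tcp src inside:192.168.1.51/49154 dst ts-inet:217.119.236.139/80 by access-group "ts-data_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src ts-data:10.0.0.5/53 dst inside:192.168.1.51/1024 by access-group "ts-data_access_in" [0x0, 0x0]
"""

# Assumed binding of ACLs to interfaces (what `show run access-group` would show).
ACCESS_GROUPS = {
    "inside": "inside_access_in",
    "ts-data": "ts-data_access_in",
}

# Message 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per 106023 deny line; other messages are ignored."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denies.append(m.groupdict())
    return denies


def summarize(denies, dst_ip):
    """Count (ingress interface, egress interface, ACL) triples denying traffic to dst_ip."""
    return Counter(
        (d["src_if"], d["dst_if"], d["acl"]) for d in denies if d["dst_ip"] == dst_ip
    )


def unexpected_denies(denies, access_groups):
    """Denies where the logged ACL is not the one bound to the ingress interface.

    A hit here is exactly the thread's puzzle: a flow entering 'inside' should
    only ever be denied by the ACL applied on 'inside'.
    """
    return [d for d in denies if access_groups.get(d["src_if"]) != d["acl"]]


if __name__ == "__main__":
    denies = parse_denies(SAMPLE_LOG)
    for key, n in summarize(denies, "217.119.236.139").items():
        print(f"{n} denies: {key[0]} -> {key[1]} by {key[2]}")
    for d in unexpected_denies(denies, ACCESS_GROUPS):
        print("unexpected:", d["src_if"], d["src_ip"], "->", d["dst_ip"], "by", d["acl"])
```

The two inside-sourced denies are reported as unexpected because the ACL in the log is bound to ts-data, not inside; the udp deny entering on ts-data is consistent with its binding and is not flagged.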
06-05-2014 03:43 AM
Is http://www.adhocdata.nl your company website? if so is this server located behind your ASA in a DMZ?
--
Please remember to select a correct answer and rate helpful posts
06-05-2014 04:03 AM
No, that's a website that our customer wants to visit.
06-05-2014 04:07 AM
So your customer is located off the TS-inet interface and the webserver is located off TS-data, correct?
Would you be able to post a full running config (sanitised)?
--
Please remember to select a correct answer and rate helpful posts
06-05-2014 04:24 AM
No not at all.
The customer host 192.168.1.51 (the host that wants to visit the website) is located behind the "inside" interface. Traffic to the web server goes through the interface "ts-inet" (the ts-inet interface is used as outside interface).
In short; the customer wants to visit that website. It's just an external website.
I'll see if I can post a config.
06-05-2014 05:21 AM
06-05-2014 06:17 AM
At first glance there is nothing wrong with the configuration.
If you do an nslookup adhocdata.nl from a local PC, does it resolve to the correct IP? (I got 217.119.236.139.)
If you do a packet tracer on the ASA, is the packet allowed through the ASA?
packet-tracer input inside tcp 192.168.1.2 12345 217.119.236.139 80 det
Please post the output here.
--
Please remember to select a correct answer and rate helpful posts
06-05-2014 06:23 AM
Thanks.. Here's the output:
06-05-2014 06:25 AM
As per the packet tracer, traffic should be allowed through the ASA to that IP. This could be a DNS resolution issue. Have you confirmed that the URL resolves to the correct IP?
--
Please remember to select a correct answer and rate helpful posts
06-05-2014 06:39 AM
Yes, the right IP is the one you can see in the attached picture. Resolving looks good.
06-05-2014 06:26 AM
The packet trace goes well. It's strange that a different interface blocks the traffic to that website (see the previously posted picture).
06-05-2014 06:43 AM
Are you sure there is no backdoor into the ts-data network? Without knowing the ins and outs of your network, could there be a routing issue that is sending that traffic to the ts-data interface?
--
Please remember to select a correct answer and rate helpful posts
06-05-2014 06:52 AM
Yes, I'm sure of it.
06-05-2014 07:48 AM
I suggest opening a support case with TAC.
--
Please remember to select a correct answer and rate helpful posts
06-05-2014 07:55 AM
I'd suggest trying a packet capture to show the outbound traffic going into and leaving the ASA and watching for any return traffic.
Please refer to this Step-By-Step Procedure to Configure Packet Capture in ASA/PIX using CLI and run the following while trying to access the website from 192.168.1.51:
access-list asdm_cap_selector_inside extended permit ip host 192.168.1.51 host 217.119.236.139
access-list asdm_cap_selector_inside extended permit ip host 217.119.236.139 host 192.168.1.51
access-list asdm_cap_selector_outside extended permit ip host 217.119.236.139 host 192.168.1.51
access-list asdm_cap_selector_outside extended permit ip host 192.168.1.51 host 217.119.236.139
capture capin interface inside access-list asdm_cap_selector_inside
capture capout interface outside access-list asdm_cap_selector_outside
show capture capin
show capture capout
That should definitively show whether the ASA is operating as intended.
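Reading the two captures side by side is where the answer comes from: a SYN seen on capin but absent on capout means the ASA dropped it (consistent with the deny log), a SYN on capout with no SYN-ACK back means the upstream path or server is not answering, and a SYN-ACK on capout that never appears on capin means the return traffic was dropped. The following added example (not part of the post above or of Cisco's procedure) parses `show capture` output in its tcpdump-style line format and returns which of those cases applies. Two caveats it encodes: on this ASA the outside interface is named ts-inet, so the `capture capout` line would name that interface; and the egress capture sees post-NAT packets, so the outside capture ACL and the check below must also match the translated address. All sample capture output, the translated address 203.0.113.10 and the sequence numbers are constructed.

```python
import re

# Constructed `show capture` output (NOT from the thread). Scenario A mirrors the
# thread: retransmitted SYNs on inside, nothing at all leaving on the outside.
CAPIN_DROPPED = """2 packets captured
   1: 06:47:13.862932       192.168.1.51.49152 > 217.119.236.139.80: S 1234567890:1234567890(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 06:47:16.865401       192.168.1.51.49152 > 217.119.236.139.80: S 1234567890:1234567890(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2 packets shown
"""
CAPOUT_EMPTY = "0 packet captured\n0 packet shown\n"

# Scenario B: a healthy handshake. The outside capture shows the NATed
# address 203.0.113.10 (assumption) instead of the inside host.
CAPIN_OK = """3 packets captured
   1: 06:50:01.100000       192.168.1.51.49160 > 217.119.236.139.80: S 1000:1000(0) win 8192 <mss 1460>
   2: 06:50:01.120000       217.119.236.139.80 > 192.168.1.51.49160: S 5000:5000(0) ack 1001 win 65535 <mss 1460>
   3: 06:50:01.121000       192.168.1.51.49160 > 217.119.236.139.80: . ack 5001 win 256
3 packets shown
"""
CAPOUT_OK = """3 packets captured
   1: 06:50:01.100500       203.0.113.10.49160 > 217.119.236.139.80: S 1000:1000(0) win 8192 <mss 1460>
   2: 06:50:01.119500       217.119.236.139.80 > 203.0.113.10.49160: S 5000:5000(0) ack 1001 win 65535 <mss 1460>
   3: 06:50:01.121500       203.0.113.10.49160 > 217.119.236.139.80: . ack 5001 win 256
3 packets shown
"""

# Inside address plus its assumed translated address, so both captures match.
CLIENT_IPS = {"192.168.1.51", "203.0.113.10"}
SERVER_IP = "217.119.236.139"

# "<n>: <hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: <flags> <rest>"
PKT_RE = re.compile(
    r'^\s*\d+:\s+\d\d:\d\d:\d\d\.\d+\s+'
    r'(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'(?P<flags>\S+)(?P<rest>.*)$'
)


def parse_capture(text):
    """Return a list of packets; header/trailer lines such as '2 packets shown' are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        pkts.append({
            "src": m["src"], "dst": m["dst"],
            "syn": "S" in m["flags"],
            # tcpdump-style output prints 'ack <n>' after the flags for ACK-bearing segments
            "ack": re.search(r'\back\b', m["rest"]) is not None,
        })
    return pkts


def diagnose(capin_text, capout_text, client_ips, server_ip):
    """Locate where the TCP handshake to server_ip stops, using both captures."""
    cin, cout = parse_capture(capin_text), parse_capture(capout_text)

    def syn_to_server(p):
        return p["src"] in client_ips and p["dst"] == server_ip and p["syn"] and not p["ack"]

    def synack_from_server(p):
        return p["src"] == server_ip and p["dst"] in client_ips and p["syn"] and p["ack"]

    if not any(map(syn_to_server, cin)):
        return "no_syn_on_inside"        # client never sent it (e.g. resolved elsewhere)
    if not any(map(syn_to_server, cout)):
        return "syn_dropped_by_asa"      # ACL/route/NAT drop inside the firewall
    if not any(map(synack_from_server, cout)):
        return "no_reply_from_upstream"  # ASA forwarded it; ISP or server is not answering
    if not any(map(synack_from_server, cin)):
        return "reply_dropped_by_asa"    # return traffic dropped on the way back in
    return "handshake_ok"


if __name__ == "__main__":
    print("scenario A:", diagnose(CAPIN_DROPPED, CAPOUT_EMPTY, CLIENT_IPS, SERVER_IP))
    print("scenario B:", diagnose(CAPIN_OK, CAPOUT_OK, CLIENT_IPS, SERVER_IP))
```

Scenario A yields `syn_dropped_by_asa`, which together with a 106023 deny in the log points at the firewall rather than at DNS or the remote site; scenario B yields `handshake_ok`. Pasting real `show capture capin` / `show capture capout` output into the two text variables is all that is needed to run it against a live case.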