1883 Views | 0 Helpful | 21 Replies

ASA5510 is blocking one specific website

Daniel Leonard
Level 1

Hello everybody,

At the customer site we have an ASA5510 (ASA version 9.1.2, ASDM 7.2.1).

The problem is that only one particular website is blocked, without any logical reason. According to the configuration we block no specific traffic. In fact, all traffic from that interface (higher security level) can go to the (WAN) interface with a lower security level.

ASA interface settings: 

  • inside: 192.168.1.254/24 (local LAN)
  • ts-data: 172.19.4.240/24 (another local LAN interface, used for traffic crossing the private WAN)
  • ts-inet: 83.167.X.X (this is the public internet connection)


Example:
From host 192.168.1.51 (inside), the website http://www.adhocdata.nl cannot be reached; it is blocked by the ASA. The strange thing is that it seems to be blocked by the wrong interface/access-list (ts-data). This interface has nothing to do with it, because the traffic is initiated from the inside interface towards the ts-inet (WAN) interface. So why is the wrong access list blocking only this specific website? All other web traffic runs smoothly.

See attachment for log information.

Hopefully someone can help me.

Thanks in advance.

Please rate or mark answered for helpful posts.
21 Replies

Is http://www.adhocdata.nl your company website? If so, is this server located behind your ASA in a DMZ?

--
Please remember to select a correct answer and rate helpful posts

No, that's a website that our customer wants to visit.

Please rate or mark answered for helpful posts.

So your customer is located off the ts-inet interface and the web server is located off ts-data, correct?

Would you be able to post a full running config (sanitised)?

--
Please remember to select a correct answer and rate helpful posts

No, not at all.

The customer host 192.168.1.51 (the host that wants to visit the website) is located behind the "inside" interface. Traffic to the web server goes out through the interface "ts-inet" (the ts-inet interface is used as the outside interface).

In short: the customer wants to visit that website. It's just an external website.

I'll see if I can post a config.

Please rate or mark answered for helpful posts.

Here is the (stripped) configuration.

Please rate or mark answered for helpful posts.

At first glance there is nothing wrong with the configuration.

If you do an nslookup adhocdata.nl from a local PC, does it resolve to the correct IP? (I got 217.119.236.139.)

If you do a packet-tracer on the ASA, is the packet allowed through the ASA?

packet-tracer input inside tcp 192.168.1.2 12345 217.119.236.139 80 det

Please post the output here.

--
Please remember to select a correct answer and rate helpful posts

Thanks. Here's the output:

Result of the command: "packet-tracer input inside tcp 192.168.1.2 12345 217.119.236.139 80 det"
 
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xace9dd78, priority=1, domain=permit, deny=false
hits=397248107, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
 
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         ts-inet
 
Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network obj_any-01
 nat (inside,ts-inet) dynamic interface
Additional Information:
Dynamic translate 192.168.1.2/12345 to 123.45.67.89/12345
 Forward Flow based lookup yields rule:
 in  id=0xacbfcf90, priority=6, domain=nat, deny=false
hits=436869, user_data=0xacbfb9c0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=ts-inet
 
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xade28538, priority=1, domain=nat-per-session, deny=true
hits=4006169, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
 
Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xacec54f0, priority=0, domain=inspect-ip-options, deny=true
hits=5013604, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
 
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xade28538, priority=1, domain=nat-per-session, deny=true
hits=4006171, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
 
Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xacdf8498, priority=0, domain=inspect-ip-options, deny=true
hits=2507875, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=ts-inet, output_ifc=any
 
Phase: 8
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 7467808, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
 
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ts-inet
output-status: up
output-line-status: up
Action: allow

Please rate or mark answered for helpful posts.
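The packet-tracer verdict above (Action: allow, egress ts-inet) and the syslog denies the original poster describes (attached to the thread, not reproduced here, and reportedly attributed to the ts-data access list) can be compared mechanically. The following Python is an added example, not code from the thread or from Cisco: the packet-tracer text is trimmed from the output posted above; the syslog lines, their access-group names ("ts-data_access_in", "inside_access_in") and the source ports are constructed to illustrate a deny logged against a different egress interface than the tracer chose. It assumes the standard %ASA-4-106023 message layout.

```python
import re

# Trimmed copy of the packet-tracer output posted in the thread; the per-phase
# rule dumps are omitted, only the fields this script reads are kept.
PACKET_TRACER = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   0.0.0.0         0.0.0.0         ts-inet

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any-01
 nat (inside,ts-inet) dynamic interface
Additional Information:
Dynamic translate 192.168.1.2/12345 to 123.45.67.89/12345

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW

Result:
input-interface: inside
output-interface: ts-inet
Action: allow
"""

# CONSTRUCTED syslog lines in %ASA-4-106023 format. The access-group names are
# hypothetical; they do not come from the poster's configuration.
SYSLOG = [
    '%ASA-4-106023: Deny tcp src inside:192.168.1.51/49152 dst ts-data:217.119.236.139/80 by access-group "ts-data_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:192.168.1.51/49153 dst ts-data:217.119.236.139/443 by access-group "ts-data_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src inside:192.168.1.77/5353 dst ts-inet:224.0.0.251/5353 by access-group "inside_access_in" [0x0, 0x0]',
]

PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S+)\nSubtype:[ \t]*(.*)\nResult: (\S+)", re.M)
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<in_ifc>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<out_ifc>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_packet_tracer(text):
    """Return (list of phases, summary dict) from packet-tracer output."""
    phases = [{"phase": int(n), "type": t, "subtype": s.strip(), "result": r}
              for n, t, s, r in PHASE_RE.findall(text)]
    summary = {}
    for key in ("input-interface", "output-interface", "Action"):
        m = re.search(rf"^{key}: (\S+)", text, re.M)
        summary[key] = m.group(1) if m else None
    # The translated source matters for egress-side captures: on ts-inet the
    # client appears as this address, not as its inside address.
    m = re.search(r"Dynamic translate \S+ to ([\d.]+)/\d+", text)
    summary["translated_src"] = m.group(1) if m else None
    return phases, summary


def first_drop(phases):
    """First phase whose Result is not ALLOW, or None when the tracer allows."""
    return next((p for p in phases if p["result"] != "ALLOW"), None)


def parse_denies(lines):
    """Extract the fields of every %ASA-4-106023 deny line."""
    out = []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            out.append(d)
    return out


def compare(tracer_text, syslog_lines, dst):
    """List the logged denies for dst and how each disagrees with the tracer."""
    phases, summary = parse_packet_tracer(tracer_text)
    findings = []
    for d in parse_denies(syslog_lines):
        if d["dst"] != dst:
            continue
        problems = []
        if summary["Action"] == "allow" and first_drop(phases) is None:
            problems.append("tracer allows the flow but the log shows a deny")
        if d["out_ifc"] != summary["output-interface"]:
            # Route lookup in the tracer and the interface in the log disagree:
            # the real traffic is not taking the path the tracer simulated.
            problems.append(f"tracer egress {summary['output-interface']} vs log egress {d['out_ifc']}")
        if d["in_ifc"] != summary["input-interface"]:
            problems.append(f"tracer ingress {summary['input-interface']} vs log ingress {d['in_ifc']}")
        findings.append({"acl": d["acl"], "egress": d["out_ifc"], "port": d["dport"], "problems": problems})
    return findings


if __name__ == "__main__":
    for f in compare(PACKET_TRACER, SYSLOG, "217.119.236.139"):
        print(f)
```

A deny whose egress interface differs from the tracer's route lookup is the signature of the situation described in the thread: the tracer is fed a synthetic packet on "inside", while the logged packets are being routed (or arriving) differently, so the next things to check are the routing table for the destination and the ingress interface of the real packets.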

As per the packet-tracer, traffic should be allowed through the ASA to that IP. This could be a DNS resolution issue. Have you confirmed that the URL resolves to the correct IP?

--
Please remember to select a correct answer and rate helpful posts

Yes, the right IP is the one you can see in the attached picture. Resolving looks good.

Please rate or mark answered for helpful posts.

The packet trace goes well. It's strange that a different interface blocks the traffic to that website (see the previously posted picture).

Please rate or mark answered for helpful posts.

Are you sure there is no backdoor into the ts-data network? Without knowing the ins and outs of your network, could there be a routing issue that is sending that traffic to the ts-data interface?

--
Please remember to select a correct answer and rate helpful posts

Yes, I'm sure of it...

Please rate or mark answered for helpful posts.

I suggest opening a support case with TAC.

--
Please remember to select a correct answer and rate helpful posts

I'd suggest trying a packet capture to show the outbound traffic going into and leaving the ASA and watching for any return traffic.

Please refer to this Step-By-Step Procedure to Configure Packet Capture in ASA/PIX using CLI, and run the following while trying to access the website from 192.168.1.51:

! Inside capture: on the inside interface the client still has its real (pre-NAT) address
access-list asdm_cap_selector_inside extended permit ip host 192.168.1.51 host 217.119.236.139
access-list asdm_cap_selector_inside extended permit ip host 217.119.236.139 host 192.168.1.51
! Egress capture: "nat (inside,ts-inet) dynamic interface" rewrites the client to the
! ts-inet interface address, so match that address here (<ts-inet-ip>), not 192.168.1.51
access-list asdm_cap_selector_outside extended permit ip host <ts-inet-ip> host 217.119.236.139
access-list asdm_cap_selector_outside extended permit ip host 217.119.236.139 host <ts-inet-ip>

capture capin interface inside access-list asdm_cap_selector_inside
! the outside interface in this configuration is named ts-inet, not "outside"
capture capout interface ts-inet access-list asdm_cap_selector_outside

show capture capin
show capture capout

That should definitively show whether the ASA is operating as intended.
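Reading the two captures side by side answers the question the last post raises: did the SYN leave on ts-inet, and did anything come back? The following Python is an added example, not code from the thread or from Cisco. The capture text is constructed to approximate the tcpdump-style lines that "show capture" prints; the translated client address 123.45.67.89 is the sanitised value from the packet-tracer output earlier in the thread, and the sequence numbers, timestamps and ports are made up. The example generalises slightly beyond the post by classifying every stage of the handshake, not only the return traffic.

```python
import re
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport kind")

# CONSTRUCTED "show capture capin" output: three SYN retransmits from the
# client towards the web server, nothing else.
CAPIN = """\
3 packets captured

   1: 10:15:02.118344       192.168.1.51.49152 > 217.119.236.139.80: S 3116483985:3116483985(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 10:15:05.121907       192.168.1.51.49152 > 217.119.236.139.80: S 3116483985:3116483985(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   3: 10:15:11.130215       192.168.1.51.49152 > 217.119.236.139.80: S 3116483985:3116483985(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3 packets shown
"""

# CONSTRUCTED "show capture capout" output on ts-inet: the same SYNs, now
# carrying the translated source address, and no SYN-ACK in reply.
CAPOUT = """\
3 packets captured

   1: 10:15:02.118401       123.45.67.89.49152 > 217.119.236.139.80: S 3116483985:3116483985(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 10:15:05.121966       123.45.67.89.49152 > 217.119.236.139.80: S 3116483985:3116483985(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   3: 10:15:11.130270       123.45.67.89.49152 > 217.119.236.139.80: S 3116483985:3116483985(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3 packets shown
"""

# One packet line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> <rest>"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+)(?P<rest>.*)$"
)


def parse_capture(text):
    """Turn show-capture text into Pkt records; header/footer lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags, rest = m.group("flags"), m.group("rest")
        if flags.startswith("S"):
            # Classic tcpdump marks a SYN-ACK either as "S." or as "S ... ack N";
            # a plain SYN has neither.
            kind = "SYNACK" if ("." in flags or " ack " in rest) else "SYN"
        else:
            kind = "OTHER"
        pkts.append(Pkt(m.group("src"), int(m.group("sport")),
                        m.group("dst"), int(m.group("dport")), kind))
    return pkts


def diagnose(capin_text, capout_text, client, server, xlate, port=80):
    """Locate where the TCP handshake stops, as seen from both sides of the ASA.

    client: real inside address, xlate: its NAT address on the egress interface.
    """
    inside, outside = parse_capture(capin_text), parse_capture(capout_text)

    def seen(pkts, src, dst, kind):
        return any(p.src == src and p.dst == dst and p.kind == kind
                   and port in (p.sport, p.dport) for p in pkts)

    if not seen(inside, client, server, "SYN"):
        return "client"        # nothing reached the ASA: host, DNS or a path around the firewall
    if not seen(outside, xlate, server, "SYN"):
        return "asa-outbound"  # ASA consumed the SYN: check "show asp drop", ingress ACL, NAT, route
    if not seen(outside, server, xlate, "SYNACK"):
        return "upstream"      # SYN left on the egress interface, nothing came back: ISP/remote side
    if not seen(inside, server, client, "SYNACK"):
        return "asa-return"    # reply arrived but was not forwarded back inside
    return "ok"


if __name__ == "__main__":
    print(diagnose(CAPIN, CAPOUT, "192.168.1.51", "217.119.236.139", "123.45.67.89"))
```

The "asa-outbound" verdict is the one that points back at the firewall; in that case "show asp drop" and a capture of type asp-drop on the ASA name the drop reason, whereas "upstream" means the ASA forwarded the SYN and the problem lies beyond it.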
