Cannot access network using http or telnet behind asa inside interface, but ping works

istvan.kelemen1
Level 1

Hello,

 

I am using an ASAv. It has an inside interface. On the same subnet I have a management station (the ASA inside interface and the laptop are on the same subnet). Behind the ASA's inside interface there is a router, which has subnets behind it. I can ping the subnets located behind the router from the management laptop, but HTTP, Telnet and HTTPS fail.

 

Any idea? 

4 Replies

Arie
Level 1

Do you have any access-lists configured on your inside interface, in or out? If so, remove them if possible; otherwise add exceptions for HTTP, HTTPS, et cetera.

Rishabh Seth
Level 7

From your description above, your topology looks like this:

 

(some subnets behind router)-----[router]-----[switch]-----(inside)[ASAv]
                                                  |
                                        [Management station]

 

I added a switch because you mentioned that the management station, router and inside interface are on the same subnet.

 

Correct me if my understanding of your topology is wrong.

 

Based on the above description, please provide the following:

 

>> What is the default gateway on the management station? Is it router or firewall?

>> Explain the expected data flow path.

>> Check for any access-list which might be blocking the traffic on the router.

 

Thanks,

R.Seth 


istvan.kelemen1
Level 1

Hello Guys,

 

It is strange... I edited this post, but it seems it was not saved.

I found the solution. The problem was asymmetric routing. The ASA was the gateway.

I created a TCP bypass policy, which solved the problem.

 

Thanks for posting anyway.

Ping worked because ICMP does not rely on the 3-way handshake.

Connection-oriented TCP (used by HTTP and Telnet, which your test was failing on) does require it, and a stateful firewall looks for the TCP connection to be active before it allows the return traffic in a conversation.
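The fix the original poster describes, written out as an added example (this is not the poster's own configuration; the addresses, ACL, class-map and policy-map names are placeholders chosen for illustration). It assumes the laptop uses the ASAv as its default gateway, the router sits on the same inside segment as the laptop, and the return traffic from the remote subnets reaches the laptop via the router without passing through the ASA:

```cisco
! Added example, not the original poster's configuration. Placeholder addressing:
!   192.0.2.0/24   inside segment shared by ASAv inside, laptop and router
!   192.0.2.1      ASAv inside address (laptop default gateway)
!   192.0.2.254    router interface on the inside segment
!   10.10.0.0/16   subnets behind the router
!
! Route the remote subnets back out the inside interface via the router.
route inside 10.10.0.0 255.255.0.0 192.0.2.254
!
! Laptop -> ASAv -> router enters and leaves the same interface (hairpin),
! so intra-interface traffic must be permitted.
same-security-traffic permit intra-interface
!
! Match ONLY the asymmetric flows (laptop segment <-> subnets behind the router).
! Keep this as narrow as possible: bypassed flows lose stateful TCP inspection.
access-list TCP_BYPASS extended permit tcp 192.0.2.0 255.255.255.0 10.10.0.0 255.255.0.0
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the asymmetric traffic arrives.
service-policy TCP_BYPASS_POLICY interface inside
```

Before applying it, `show asp drop` on the ASA should show the symptom as growing TCP drop counters (packets belonging to a connection whose SYN-ACK the ASA never saw), while ICMP passes because no handshake state is required. Afterwards, `show service-policy interface inside` confirms the policy is attached and `show conn` marks bypassed connections with the `b` flag. TCP state bypass turns off sequence-number randomization, TCP normalization and the handshake checks for the matched traffic, so the access-list should cover only the hosts that genuinely take the asymmetric path; the cleaner long-term fix is to remove the asymmetry itself, for example by making the router the laptop's gateway for those subnets or by placing the router behind a separate ASA interface.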
