Configure Dmz on ASA5505

Thomas_Madsen
Level 1

I've been doing a quick search without finding the correct answer to my problem; it might be that I should have done some more searching, but here it goes.

I have an ASA 5505 Sec Plus with 3 VLANs: inside, outside and DMZ.

On the outside I have 5 IPs for my use, and in the DMZ I have a webserver that needs to communicate with one SQL server on the inside.

The "sql" also needs to be accessible from outside and thus has a static NAT with a dynamic NAT, so it replies from the same IP as on the NAT, i.e. 72.72.72.5

The webserver is NATted to 72.72.72.6

SQL inside IP is 192.168.1.2, gw 192.168.1.1

webserver IP is 192.168.2.100, gw 192.168.2.1

Security level on inside is 100 and on DMZ 50

With a dynamic policy running inside-net/24 to dmz-network/24 translated to dmz 192.168.2.2, I can get it to ping one way from inside to DMZ, but not the other way around...

All I need is to open 1 port, i.e. 6677, both ways for this communication to work.

I'm not very familiar with the CLI and do most stuff in the GUI (I know I should learn the CLI, but time doesn't let me)...

Any tips on what I need to do???

On access rules I have just added everything from any to any using ip, icmp, tcp and udp, just to be sure... :-)

Happy for any pointers...

47 Replies

Result of the command: "show capture asp | include 10.40.96.250"

The command has been sent to the device

Result of the command: "show capture asp | include 10.40.97.249"

   1: 10:42:25.095911 802.1Q vlan#12 P0 10.40.97.249.50236 > 10.40.97.1.443: F 3225389896:3225389896(0) ack 1076659730 win 64610 Drop-reason: (tcp-not-syn) First TCP packet not SYN
  33: 10:43:33.459906 802.1Q vlan#12 P0 10.40.97.249.50237 > 10.40.97.1.443: F 327604559:327604559(0) ack 495284842 win 64610 Drop-reason: (tcp-not-syn) First TCP packet not SYN

Result of the command: "ciscoasa(config)# policy-map global_policy"

ciscoasa(config)# policy-map global_policy
^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "ciscoasa(config-pmap)# class inspection_default"

ciscoasa(config-pmap)# class inspection_default
^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "ciscoasa(config-pmap-c)# inspect netbios"

ciscoasa(config-pmap-c)# inspect netbios
^
ERROR: % Invalid input detected at '^' marker.

But if I got it right, all I needed was to use the GUI and check NETBIOS

Hello Thomas,

Great. Now, as you can see on the ASP drop capture, there is no information of a connection from 10.40.96.250 to 10.40.97.249.

That means the ASA is not dropping any packets regarding that connection.

The ASP capture will show us all the packets being dropped by the ASA.

Regards,

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Might just be me being thickheaded, but how does the program then run on the same VLAN, but not when going through a firewall that doesn't stop anything????

If everything works and nothing is stopped in the firewall, why does the program run as it should if I put them on the same subnet???

Hello Thomas,

Well, the thing is that the ASA is not sending any FIN or reset packets, and we can see that the only communication between both devices is ICMP and NetBIOS, which as you said is already being inspected.

We are not seeing any other traffic than that, so the host is not generating that traffic. I would ask you to go to one of the servers and run Wireshark to see all the packets the server is sending to the other server, and check whether you see some other packets than the ones the ASA is seeing. If we do see that, we have a problem, but I do not think so!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Result of the command: "show capture asp | include 10.40.96.250"

The command has been sent to the device


Result of the command: "show capture asp | include 10.40.97.249"

   1: 10:42:25.095911 802.1Q vlan#12 P0 10.40.97.249.50236 > 10.40.97.1.443: F 3225389896:3225389896(0) ack 1076659730 win 64610 Drop-reason: (tcp-not-syn) First TCP packet not SYN
  33: 10:43:33.459906 802.1Q vlan#12 P0 10.40.97.249.50237 > 10.40.97.1.443: F 327604559:327604559(0) ack 495284842 win 64610 Drop-reason: (tcp-not-syn) First TCP packet not SYN
  45: 10:43:55.094981 802.1Q vlan#12 P0 10.40.97.249.50238 > 10.40.97.1.443: F 4120672693:4120672693(0) ack 1360193894 win 64019 Drop-reason: (tcp-not-syn) First TCP packet not SYN
  82: 10:44:56.873184 802.1Q vlan#12 P0 10.40.97.249.50239 > 10.40.97.1.443: F 2360610787:2360610787(0) ack 2424600027 win 64006
  88: 10:45:09.277161 802.1Q vlan#12 P0 10.40.97.249.50240 > 10.40.97.1.443: F 360959327:360959327(0) ack 1128913896 win 64289
121: 10:46:18.954036 802.1Q vlan#12 P0 10.40.97.249.50241 > 10.40.97.1.443: F 3141923867:3141923867(0) ack 1659756049 win 64284
124: 10:46:32.337171 802.1Q vlan#12 P0 10.40.97.249.50242 > 10.40.97.1.443: F 2378595180:2378595180(0) ack 654568008 win 64860
145: 10:46:56.907362 802.1Q vlan#12 P0 10.40.97.249.50243 > 10.40.97.1.443: F 3856822117:3856822117(0) ack 405135693 win 64287
149: 10:47:04.125405 802.1Q vlan#12 P0 10.40.97.249.50244 > 10.40.97.1.443: F 921196471:921196471(0) ack 2019207953 win 64284
169: 10:47:41.369396 802.1Q vlan#12 P0 10.40.97.249.50245 > 10.40.97.1.443: F 2636296891:2636296891(0) ack 249274895 win 64610
213: 10:48:58.035688 802.1Q vlan#12 P0 10.40.97.249.50246 > 10.40.97.1.443: F 458059164:458059164(0) ack 1291046186 win 64006
331: 10:53:05.397104 802.1Q vlan#12 P0 10.40.97.249.138 > 10.40.97.255.138:  udp 201
386: 10:54:43.737678 802.1Q vlan#12 P0 10.40.97.249.50247 > 10.40.97.1.443: F 3100096422:3100096422(0) ack 2739315911 win 64146
394: 10:55:02.175802 802.1Q vlan#12 P0 10.40.97.249.50248 > 10.40.97.1.443: F 2516099401:2516099401(0) ack 1584244337 win 64216
404: 10:55:23.411691 802.1Q vlan#12 P0 10.40.97.249.50249 > 10.40.97.1.443: F 991639331:991639331(0) ack 345922884 win 64860
405: 10:55:23.425072 802.1Q vlan#12 P0 10.40.97.249.50250 > 10.40.97.1.443: F 1724500739:1724500739(0) ack 808308829 win 64583
407: 10:55:25.102640 802.1Q vlan#12 P0 10.40.97.249.50251 > 10.40.97.1.443: F 358050718:358050718(0) ack 1002310080 win 63520
408: 10:55:25.121087 802.1Q vlan#12 P0 10.40.97.249.50252 > 10.40.97.1.443: F 1647801910:1647801910(0) ack 1855718692 win 64477
409: 10:55:25.139549 802.1Q vlan#12 P0 10.40.97.249.50253 > 10.40.97.1.443: F 243789077:243789077(0) ack 619117799 win 64477
410: 10:55:25.152763 802.1Q vlan#12 P0 10.40.97.249.50254 > 10.40.97.1.443: F 2027031806:2027031806(0) ack 2986881492 win 64860
412: 10:55:26.018218 802.1Q vlan#12 P0 10.40.97.249.50255 > 10.40.97.1.443: F 2027048281:2027048281(0) ack 4173513857 win 64362
413: 10:55:26.035123 802.1Q vlan#12 P0 10.40.97.249.50257 > 10.40.97.1.443: F 601198219:601198219(0) ack 543560250 win 64499
414: 10:55:26.073452 802.1Q vlan#12 P0 10.40.97.249.50259 > 10.40.97.1.443: R 3779575388:3779575388(0) win 0
724: 11:05:04.157309 802.1Q vlan#12 P0 10.40.97.249.138 > 10.40.97.255.138:  udp 201

Running Wireshark on the webserver I get this too

1987 43.591954 HonHaiPr_67:3e:cc Cisco_9f:83:ec ARP 42 Who has 10.40.97.1?  Tell 10.40.97.249

1988 43.592250 Cisco_9f:83:ec HonHaiPr_67:3e:cc ARP 60 10.40.97.1 is at 00:25:45:9f:83:ec

Other than that, mostly

1244 19.616006 10.40.97.249 10.40.96.250 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

1245 19.617028 10.40.96.250 10.40.97.249 ICMP 120 Destination unreachable (Port unreachable)

Is this due to NETBIOS not getting through the firewall???
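
The check Julio applies to the ASP drop capture earlier in this thread (filter the `show capture asp` output for the two hosts and see whether anything between them is being dropped) as an added Python example; this is not code from the thread or from Cisco. It parses the line format pasted above. The sample lines are constructed: the first three copy the thread's format, the fourth is a hypothetical acl-drop on port 6677 to show what a real block of the application flow would look like. The regex field names and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the format of `show capture asp` (ASP drop capture)
# output as pasted in the thread. Lines 1-3 copy the thread's format; line 4
# is a hypothetical acl-drop on port 6677, added to show a real block of the
# application flow (not something the thread observed).
SAMPLE_ASP = """\
   1: 10:42:25.095911 802.1Q vlan#12 P0 10.40.97.249.50236 > 10.40.97.1.443: F 3225389896:3225389896(0) ack 1076659730 win 64610 Drop-reason: (tcp-not-syn) First TCP packet not SYN
  33: 10:43:33.459906 802.1Q vlan#12 P0 10.40.97.249.50237 > 10.40.97.1.443: F 327604559:327604559(0) ack 495284842 win 64610 Drop-reason: (tcp-not-syn) First TCP packet not SYN
 331: 10:53:05.397104 802.1Q vlan#12 P0 10.40.97.249.138 > 10.40.97.255.138:  udp 201
 500: 10:58:00.000000 802.1Q vlan#12 P0 10.40.96.250.51000 > 10.40.97.249.6677: S 100:100(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One capture record: index, timestamp, optional 802.1Q tag, src/dst with
# port, the TCP flags or "udp <len>", and an optional Drop-reason suffix.
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+)\s+)?P\d+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<rest>.*?)"
    r"(?:\s+Drop-reason:\s+\((?P<reason>[^)]+)\)\s*(?P<reason_text>.*))?$"
)


def parse_asp(text):
    """Parse ASP drop-capture lines into dicts. Lines that are not packet
    records (blank lines, ASDM 'Result of the command' banners) are skipped.
    'reason' is None for packets the capture lists without a drop reason."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rest = rec.pop("rest")
        if rest.startswith("udp"):
            rec["proto"], rec["flags"] = "udp", ""
        else:
            rec["proto"], rec["flags"] = "tcp", rest.split()[0]
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records


def drops_for_pair(records, host_a, host_b):
    """Dropped packets exchanged between two hosts, in either direction.
    An empty list means the ASA is not dropping that conversation."""
    pair = {host_a, host_b}
    return [r for r in records
            if {r["src"], r["dst"]} == pair and r["reason"] is not None]


def summarize(records):
    """Count dropped packets per drop reason."""
    return Counter(r["reason"] for r in records if r["reason"] is not None)


def is_stale_teardown(rec):
    """tcp-not-syn on a bare FIN or RST means the ASA had no connection entry
    for an already-finished session; that is noise for this investigation.
    A dropped SYN, or an acl-drop on the application port, is a real block."""
    return rec["reason"] == "tcp-not-syn" and rec["flags"].rstrip(".") in ("F", "R")


if __name__ == "__main__":
    recs = parse_asp(SAMPLE_ASP)
    print("drop reasons:", dict(summarize(recs)))
    for r in drops_for_pair(recs, "10.40.96.250", "10.40.97.249"):
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} {r['proto']} "
              f"flags={r['flags'] or '-'} reason={r['reason']} ({r['reason_text']})")
```

Run against the thread's real output, `drops_for_pair(recs, "10.40.96.250", "10.40.97.249")` is empty, which is Julio's conclusion; the only drops present are FINs from 10.40.97.249 towards the gateway 10.40.97.1 on port 443, which `is_stale_teardown` flags as unrelated to the application flow.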

Hello Thomas,

No, NetBIOS is going through the firewall; remember that we see the same packets on both interfaces of the ASA, so that traffic is traversing the ASA.

Port unreachable is not an ASA problem, it's a host problem (10.40.97.247)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I just tried the same thing with the DC/DNS server, but if I try to open a webpage on that server I get redirected to a XenApp server.

Could it be that it's redirecting wrong or something?

I've checked both hosts and they both have NetBIOS over TCP/IP on...

And the thing I can't figure out is why it won't work when separated by a firewall but works when on the same subnet, if there's a problem

Hello Thomas,

And the thing I can't figure out is why it won't work when separated by a firewall but works when on the same subnet, if there's a problem.

I can understand why you are so confused on that one, because it looks like the ASA is dropping the packets, but I have shown you that it is not the ASA that has the problem. I would like you to take a capture on both hosts while they are on the same subnet and then compare it with the ones taken while they are separated.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Going to go there tomorrow and try swapping the network again.

Could there be some other NAT config on the ASA that could cause the problem?

Hello Thomas,

I do not think this is a NAT problem, as we are using identity NAT. I would like to see the capture on the same subnet to see what is going on, okay.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here's what I got; going to remove them again later so they're not open for all :-)

That should be all files....

Hope you get more out of them than I do... hehe

Hello Thomas,

Checking the captures I can see a lot of packets that we do not see on the other captures (the ones when the ASA is in the middle)

1- While the hosts are on the same subnet they send more traffic than if they were separated.

2- The ASA is passing all the packets that it receives; that is why we see the same amount of packets on both interfaces. The ASA is not dropping packets.

There's got to be something with the application that is blocking that communication if they are not on the same subnet (not the ASA)

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thomas_Madsen
Level 1

I could get the "traffic" up and running after adding the IP to the hosts file :-)

Then all of a sudden it was "ok"

Now I have just one last question :-)

To access the "webserver" in the DMZ from the rest of the inside VLAN, what do I do???

I can only access the webserver from the SQL server on the inside VLAN :-)

Hello Thomas,

Please add the following

global (dmz) 1 interface

Also, on the ACL on the inside interface, the connections from the other hosts to the web server should be allowed

Regards,

Do rate the post that helps you over this issue.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That solved it :-)

Just one last question, and I'm going to "open" a new request for my "new 5510" :-)

Why did I add it to global pool 1??

When will I do that and when will I make a new pool??
