12-21-2011 06:53 AM - edited 03-11-2019 03:04 PM
I've been doing a quick search without finding the correct answer to my problem; it might be that I should have done some more searching, but here it goes.
I have an ASA 5505 Sec Plus with 3 VLANs: inside, outside and DMZ.
On the outside I have 5 IPs for my use, and in the DMZ I have a web server that needs to communicate with one SQL server on the inside.
The "SQL" also needs to be accessible from outside and thus has a static NAT with a dynamic NAT so it replies from the same IP as on the NAT, i.e. 72.72.72.5.
The web server is NATed to 72.72.72.6.
SQL inside IP is 192.168.1.2, GW 192.168.1.1.
Web server IP is 192.168.2.100, GW 192.168.2.1.
Security level on inside is 100 and on DMZ 50.
With a dynamic policy running inside-net/24 to dmz-network/24, translated to DMZ 192.168.2.2, I can get it to ping one way from inside to DMZ, but not the other way around...
All I need is to open 1 port, i.e. 6677, both ways for this communication to work.
I'm not very familiar with the CLI and do most stuff in the GUI (I know I should learn the CLI, but time doesn't allow)...
Any tips on what I need to do?
On access rules I have just added everything from any to any using IP, ICMP, TCP and UDP just to be sure... :-)
Happy for any pointers...
12-28-2011 12:47 PM
Result of the command: "show capture asp | include 10.40.96.250"
The command has been sent to the device
Result of the command: "show capture asp | include 10.40.97.249"
1: 10:42:25.095911 802.1Q vlan#12 P0 10.40.97.249.50236 > 10.40.97.1.443: F 3225389896:3225389896(0) ack 1076659730 win 64610 Drop-reason: (tcp-not-syn) First TCP packet not SYN
33: 10:43:33.459906 802.1Q vlan#12 P0 10.40.97.249.50237 > 10.40.97.1.443: F 327604559:327604559(0) ack 495284842 win 64610 Drop-reason: (tcp-not-syn) First TCP packet not SYN
Result of the command: "ciscoasa(config)# policy-map global_policy"
ciscoasa(config)# policy-map global_policy
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "ciscoasa(config-pmap)# class inspection_default"
ciscoasa(config-pmap)# class inspection_default
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "ciscoasa(config-pmap-c)# inspect netbios"
ciscoasa(config-pmap-c)# inspect netbios
^
ERROR: % Invalid input detected at '^' marker.
But if I got it right, all I needed was to use the GUI and check NETBIOS.
12-28-2011 12:52 PM
Hello Thomas,
Great. Now, as you can see on the ASP drop capture, there is no information about a connection from
10.40.96.250 to 10.40.97.249.
That means the ASA is not dropping any packets regarding that connection.
The ASP capture will show us all the packets being dropped by the ASA.
Regards,
Do rate helpful posts
Julio
12-28-2011 12:58 PM
Might just be me being thickheaded, but how does the program then run on the same VLAN, but not when going through a firewall that doesn't stop anything?
If everything works and nothing is stopped in the firewall, why does the program run as it should if I put them on the same subnet?
12-28-2011 01:02 PM
Hello Thomas,
Well, the thing is that the ASA is not sending any FIN or reset packets, and we can see that the only communication between the two devices is ICMP and NetBIOS, which, as you said, is already being inspected.
We are not seeing any other traffic than that, so the host is not generating that traffic. I would ask you to go to one of the servers and run Wireshark to see all the packets the server is sending to the other server, and check whether there are other packets than the ones the ASA is seeing. If we do see that, we have a problem, but I do not think so!
Regards,
Julio
12-28-2011 01:28 PM
Result of the command: "show capture asp | include 10.40.96.250"
The command has been sent to the device
Result of the command: "show capture asp | include 10.40.97.249"
1: 10:42:25.095911 802.1Q vlan#12 P0 10.40.97.249.50236 > 10.40.97.1.443: F 3225389896:3225389896(0) ack 1076659730 win 64610 Drop-reason: (tcp-not-syn) First TCP packet not SYN
33: 10:43:33.459906 802.1Q vlan#12 P0 10.40.97.249.50237 > 10.40.97.1.443: F 327604559:327604559(0) ack 495284842 win 64610 Drop-reason: (tcp-not-syn) First TCP packet not SYN
45: 10:43:55.094981 802.1Q vlan#12 P0 10.40.97.249.50238 > 10.40.97.1.443: F 4120672693:4120672693(0) ack 1360193894 win 64019 Drop-reason: (tcp-not-syn) First TCP packet not SYN
82: 10:44:56.873184 802.1Q vlan#12 P0 10.40.97.249.50239 > 10.40.97.1.443: F 2360610787:2360610787(0) ack 2424600027 win 64006
88: 10:45:09.277161 802.1Q vlan#12 P0 10.40.97.249.50240 > 10.40.97.1.443: F 360959327:360959327(0) ack 1128913896 win 64289
121: 10:46:18.954036 802.1Q vlan#12 P0 10.40.97.249.50241 > 10.40.97.1.443: F 3141923867:3141923867(0) ack 1659756049 win 64284
124: 10:46:32.337171 802.1Q vlan#12 P0 10.40.97.249.50242 > 10.40.97.1.443: F 2378595180:2378595180(0) ack 654568008 win 64860
145: 10:46:56.907362 802.1Q vlan#12 P0 10.40.97.249.50243 > 10.40.97.1.443: F 3856822117:3856822117(0) ack 405135693 win 64287
149: 10:47:04.125405 802.1Q vlan#12 P0 10.40.97.249.50244 > 10.40.97.1.443: F 921196471:921196471(0) ack 2019207953 win 64284
169: 10:47:41.369396 802.1Q vlan#12 P0 10.40.97.249.50245 > 10.40.97.1.443: F 2636296891:2636296891(0) ack 249274895 win 64610
213: 10:48:58.035688 802.1Q vlan#12 P0 10.40.97.249.50246 > 10.40.97.1.443: F 458059164:458059164(0) ack 1291046186 win 64006
331: 10:53:05.397104 802.1Q vlan#12 P0 10.40.97.249.138 > 10.40.97.255.138: udp 201
386: 10:54:43.737678 802.1Q vlan#12 P0 10.40.97.249.50247 > 10.40.97.1.443: F 3100096422:3100096422(0) ack 2739315911 win 64146
394: 10:55:02.175802 802.1Q vlan#12 P0 10.40.97.249.50248 > 10.40.97.1.443: F 2516099401:2516099401(0) ack 1584244337 win 64216
404: 10:55:23.411691 802.1Q vlan#12 P0 10.40.97.249.50249 > 10.40.97.1.443: F 991639331:991639331(0) ack 345922884 win 64860
405: 10:55:23.425072 802.1Q vlan#12 P0 10.40.97.249.50250 > 10.40.97.1.443: F 1724500739:1724500739(0) ack 808308829 win 64583
407: 10:55:25.102640 802.1Q vlan#12 P0 10.40.97.249.50251 > 10.40.97.1.443: F 358050718:358050718(0) ack 1002310080 win 63520
408: 10:55:25.121087 802.1Q vlan#12 P0 10.40.97.249.50252 > 10.40.97.1.443: F 1647801910:1647801910(0) ack 1855718692 win 64477
409: 10:55:25.139549 802.1Q vlan#12 P0 10.40.97.249.50253 > 10.40.97.1.443: F 243789077:243789077(0) ack 619117799 win 64477
410: 10:55:25.152763 802.1Q vlan#12 P0 10.40.97.249.50254 > 10.40.97.1.443: F 2027031806:2027031806(0) ack 2986881492 win 64860
412: 10:55:26.018218 802.1Q vlan#12 P0 10.40.97.249.50255 > 10.40.97.1.443: F 2027048281:2027048281(0) ack 4173513857 win 64362
413: 10:55:26.035123 802.1Q vlan#12 P0 10.40.97.249.50257 > 10.40.97.1.443: F 601198219:601198219(0) ack 543560250 win 64499
414: 10:55:26.073452 802.1Q vlan#12 P0 10.40.97.249.50259 > 10.40.97.1.443: R 3779575388:3779575388(0) win 0
724: 11:05:04.157309 802.1Q vlan#12 P0 10.40.97.249.138 > 10.40.97.255.138: udp 201
Running Wireshark on the web server I get this too:
1987 43.591954 HonHaiPr_67:3e:cc Cisco_9f:83:ec ARP 42 Who has 10.40.97.1? Tell 10.40.97.249
1988 43.592250 Cisco_9f:83:ec HonHaiPr_67:3e:cc ARP 60 10.40.97.1 is at 00:25:45:9f:83:ec
Other than that, mostly:
1244 19.616006 10.40.97.249 10.40.96.250 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
1245 19.617028 10.40.96.250 10.40.97.249 ICMP 120 Destination unreachable (Port unreachable)
Is this due to NetBIOS not getting through the firewall?
12-28-2011 01:38 PM
Hello Thomas,
No, NetBIOS is going through the firewall; remember that we see the same packets on both interfaces of the ASA, so that traffic is traversing the ASA.
Port unreachable is not an ASA problem, it's a host problem (10.40.97.247).
Regards,
Julio
12-29-2011 06:24 AM
I just tried the same thing with the DC/DNS server, but if I try to open a web page on that server I get redirected to a XenApp server.
Could it be that it's redirecting wrong or something?
I've checked both hosts and they both have NetBIOS over TCP/IP on...
And the thing I can't figure out is why it won't work when separated by a firewall but works when on the same subnet, if there's a problem.
12-29-2011 08:03 AM
Hello Thomas,
"And the thing I can't figure out is why it won't work when separated by a firewall but works when on the same subnet, if there's a problem."
I can understand why you are so confused about that one, because it looks like the ASA is dropping the packets, but I have shown you that it is not the ASA that has the problem. I would like you to take a capture on both hosts while they are on the same subnet and then compare it with the ones taken while they are separated.
Regards,
Julio
01-02-2012 06:59 AM
Going to go there tomorrow and try swapping the network again.
Could there be some other NAT config on the ASA that could cause the problem?
01-02-2012 09:46 AM
Hello Thomas,
I do not think this is a NAT problem, as we are using identity NAT. I would like to see the capture on the same subnet to see what is going on, okay?
Regards,
Julio
01-03-2012 03:24 AM
Here's what I got; I'm going to remove them again later so they're not open for all :-)
That should be all files...
Hope you get more out of them than I do... hehe
01-03-2012 09:51 AM
Hello Thomas,
Checking the captures, I can see a lot of packets that we do not see on the other captures (the ones when the ASA is in the middle).
1. While the hosts are on the same subnet they send more traffic than if they were separated.
2. The ASA is passing all the packets that it receives; that is why we see the same amount of packets on both interfaces. The ASA is not dropping packets.
There has got to be something in the application that is blocking that communication when they are not on the same subnet (not the ASA).
Julio
01-10-2012 06:53 AM
I could get the "traffic" up and running after adding the IP to the hosts file :-)
Then it all of a sudden was "OK".
Now I have just one last question :-)
To access the "web server" in the DMZ from the rest of the inside VLAN, what do I do?
I can only access the web server from the SQL server on the inside VLAN :-)
01-10-2012 11:06 AM
Hello Thomas,
Please add the following:
global (dmz) 1 interface
Also, in the ACL on the inside interface, the connection from the other hosts to the web server should be allowed.
Regards,
Do rate the post that helps you over this issue.
Julio
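The following is an added editorial example, not configuration posted by anyone in this thread. It shows how the one-line fix above fits into a complete pre-8.3 ASA configuration (the `global`/`nat` syntax used in the thread was replaced in ASA 8.3) for the topology described in the first post: inside 192.168.1.0/24 with the SQL server at 192.168.1.2, DMZ 192.168.2.0/24 with the web server at 192.168.2.100, outside addresses 72.72.72.5 and 72.72.72.6, and application port 6677. The interface names, ACL names, the web server's port (80) and the identity NAT statement are assumptions; the thread only says identity NAT is in use, not how it is written.

```cisco
! Added example (not from the thread). Assumes ASA software before 8.3, the
! addresses from the first post, and assumed ACL names and web port 80.

! --- Dynamic PAT, pool id 1 ---
! "nat (inside) 1 ..." selects which inside hosts use pool id 1. Each "global"
! with the same id defines what those hosts are translated to when they leave
! through a given interface. With only the outside entry, inside hosts have no
! translation toward the DMZ and the ASA builds no xlate for that direction;
! the dmz entry is what makes the rest of the inside VLAN reach the web server.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
global (dmz) 1 interface

! --- SQL server: static to the outside, identity (no change) toward the DMZ ---
! Static NAT is evaluated before the dynamic pool, so the SQL server keeps its
! real address toward the DMZ and the web server can target 192.168.1.2 directly.
static (inside,outside) 72.72.72.5 192.168.1.2 netmask 255.255.255.255
static (inside,dmz) 192.168.1.2 192.168.1.2 netmask 255.255.255.255

! --- Web server: static to the outside ---
static (dmz,outside) 72.72.72.6 192.168.2.100 netmask 255.255.255.255

! --- ACLs: only the ports that are needed, instead of "any any" ---
! inside (level 100) -> dmz (level 50): the rest of the VLAN gets the web port,
! the SQL server additionally gets the application port.
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.100 eq 80
access-list inside_access_in extended permit tcp host 192.168.1.2 host 192.168.2.100 eq 6677
access-group inside_access_in in interface inside

! dmz (level 50) -> inside (level 100) needs an explicit permit; keep it to the
! one flow the application requires and block everything else toward inside.
access-list dmz_access_in extended permit tcp host 192.168.2.100 host 192.168.1.2 eq 6677
access-list dmz_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz

! --- Verification ---
! packet-tracer walks the NAT and ACL lookups for a synthetic packet and names
! the phase that would drop it, without any host generating traffic.
packet-tracer input inside tcp 192.168.1.50 40000 192.168.2.100 80
packet-tracer input dmz tcp 192.168.2.100 40000 192.168.1.2 6677
show xlate
! Drop capture, as used earlier in the thread: only packets the ASA discards
! appear here, each with its drop reason.
capture drops type asp-drop all
show capture drops | include 192.168.2.100
```

The drop capture is the useful negative check: if the flow you care about never appears in `show capture drops`, the ASA is not the component discarding it, which is the conclusion reached in this thread. A `tcp-not-syn` entry means a non-SYN segment arrived for which the ASA held no connection, for example a late FIN after the connection had already been torn down, which is why the FIN lines in the earlier capture output are not evidence of the application flow being blocked.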
01-18-2012 03:02 AM
That solved it :-)
Just one last question, and then I'm going to "open" a new request for my "new 5510" :-)
Why did I add it to global pool 1?
When would I do that, and when would I make a new pool?