12-20-2013 01:43 PM - edited 03-11-2019 08:21 PM
Hi all,
I have a strange error on my ASA5515-X and I cannot understand what it can be.
I NATed the mail server with service HTTPS:
object network Owa_10.0.1.4
host 10.0.1.4
object network Owa_10.0.1.4
nat (INSIDE,OUTSIDE) static interface service tcp https https
access-list INSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-group INSIDE_access_in in interface INSIDE
access-group OUTSIDE_access_in in interface OUTSIDE
interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 10.0.1.254 255.255.0.0
!
interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address 217.5x.xxx.xxx 255.255.255.240
!
If I send a mail from inside to outside, the mail reaches the receiver; if the mail is sent from outside (such as from @Gmail.com to an internal mailbox), the mail does not arrive. Attached there are logs with TCP Reset-O.
What could be the issue? Do I have something wrong in the configuration?
Thanks in advance.
M
12-20-2013 03:01 PM
Hello Marco,
Your configuration looks all right. I would say "permit ip any any"
is okay in this case for troubleshooting purposes, but do not forget to change the rules on outside later and only allow the services you need. Otherwise your configuration is fine. Also, in the log provided the connection looks okay from the firewall's perspective.
Here is the meaning of Reset-O and Reset-I according to the title of this post:
- TCP Reset-I - The client tears down the connection (typical in an SMTP or IMAP exchange; -I = inside interface).
- TCP Reset-O - The server was not listening on that protocol at that time (usually seen as coming from SMTP servers; -O = outside interface).
I would suggest you check whether the server is listening on the required ports (netstat works for this), run some captures on your server, maybe using Wireshark, to confirm whether the server is resetting the connection, and check for incoming traffic.
Run some captures on the firewall to confirm the reset is coming from outside.
capture inside interface inside match tcp any host 10.0.1.4 eq 443
capture outside interface outside match tcp any host 217.5x.xxx.xxx eq 443
capture asp type asp-drop all >>> in order to check packets the firewall has dropped.
show capture asp | inc 10.0.1.4
show capture asp | inc 217.5x.xxx.xxx.443
show capture inside >>>> check for the TCP reset flag (R)
Captures:
https://supportforums.cisco.com/docs/DOC-17345
Jhn
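The Reset-I and Reset-O reasons discussed in this reply are the reason codes at the end of the ASA's `%ASA-6-302014` TCP teardown message. As an added example (not code from the original posts), here is a small Python triage script for such a log. The sample lines are constructed in the 302013/302014 format, with documentation-range addresses standing in for the remote hosts and the mapped public IP, and the interface names, security levels and the 10.0.1.4 host taken from the configuration quoted in the question. The script uses Cisco's documented meaning of the codes (Reset-I: the reset came from the inside, Reset-O: from the outside, where inside/outside is the higher/lower security-level side of the connection) to report which endpoint actually sent the RST and whether any payload had been exchanged first.

```python
"""Triage ASA TCP teardown syslog lines by reset direction.

Added example for this thread, not code from the original posts. SAMPLE_LOG
is constructed in the %ASA-6-302013 / 302014 format to resemble traffic to
the NATed OWA host (10.0.1.4); it is not the poster's attached log.
"""
import re
from collections import Counter

# Security levels from the poster's interface configuration. The teardown
# message only carries interface names, so this table decides which endpoint
# is the "inside" (higher security) and which the "outside" side.
SECURITY_LEVELS = {"INSIDE": 100, "OUTSIDE": 0}

# %ASA-6-302014: Teardown TCP connection <id> for <if>:<ip>/<port>
#                to <if>:<ip>/<port> duration <h:mm:ss> bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

# Constructed sample log (assumed format; addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 118834 for OUTSIDE:203.0.113.25/39144 (203.0.113.25/39144) to INSIDE:10.0.1.4/443 (192.0.2.190/443)
%ASA-6-302014: Teardown TCP connection 118834 for OUTSIDE:203.0.113.25/39144 to INSIDE:10.0.1.4/443 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 118835 for OUTSIDE:203.0.113.25/39145 to INSIDE:10.0.1.4/443 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 118840 for INSIDE:10.0.1.4/51002 to OUTSIDE:203.0.113.25/25 duration 0:00:03 bytes 4512 TCP FINs
%ASA-6-302014: Teardown TCP connection 118841 for OUTSIDE:198.51.100.7/50001 to INSIDE:10.0.1.4/443 duration 0:00:12 bytes 22101 TCP Reset-I
"""


def parse_teardowns(text):
    """Return one dict per 302014 line; other message IDs are skipped."""
    records = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("conn", "src_port", "dst_port", "bytes"):
            rec[key] = int(rec[key])
        h, mnt, s = (int(x) for x in rec["duration"].split(":"))
        rec["seconds"] = h * 3600 + mnt * 60 + s
        records.append(rec)
    return records


def reset_sender(rec, levels=SECURITY_LEVELS):
    """Return (interface, ip, port) of the endpoint that sent the RST, or None.

    Cisco documents the codes as "TCP Reset-I: reset was from the inside" and
    "TCP Reset-O: reset was from the outside"; inside/outside is the
    higher/lower security-level side, not the src/dst order in the message.
    """
    if rec["reason"] not in ("TCP Reset-I", "TCP Reset-O"):
        return None
    src = (rec["src_if"], rec["src_ip"], rec["src_port"])
    dst = (rec["dst_if"], rec["dst_ip"], rec["dst_port"])
    higher, lower = (src, dst) if levels[src[0]] >= levels[dst[0]] else (dst, src)
    return higher if rec["reason"] == "TCP Reset-I" else lower


def summarize(records, server_ip, server_port):
    """Count teardown reasons for connections to server_ip:server_port and
    list resets that happened before any payload byte was exchanged."""
    reasons = Counter()
    early_resets = []
    for rec in records:
        if (rec["dst_ip"], rec["dst_port"]) != (server_ip, server_port):
            continue
        reasons[rec["reason"]] += 1
        sender = reset_sender(rec)
        if sender and rec["bytes"] == 0:
            early_resets.append((rec["conn"], sender))
    return reasons, early_resets


if __name__ == "__main__":
    recs = parse_teardowns(SAMPLE_LOG)
    reasons, early = summarize(recs, "10.0.1.4", 443)
    print(dict(reasons))
    for conn, (iface, ip, port) in early:
        print(f"conn {conn}: RST from {iface} {ip}/{port} before any data was exchanged")
```

A reset with `bytes 0` and `duration 0:00:00` means the connection was torn down before any payload crossed the ASA, so the sender reported by `reset_sender` is the side to capture on next; a Reset-I with a large byte count, as in the last sample line, is just a client or server closing an established session abruptly.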
12-21-2013 01:33 PM
Hi Jhn,
thanks a lot for reply.
Sure, my ACL any/any is only for this stage of troubleshooting :-)
Later I will check on the mail server with the "netstat" command for listening ports.
I take this opportunity to ask you: if I NAT the HTTPS service of the mail server on the same IP address as the outside interface of the firewall, and I set up an AnyConnect VPN, it may not work, right? (HTTPS of AnyConnect overlaps with the mail server)
Pasting the configuration of the AnyConnect VPN:
interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address 217.56.23.190 255.255.255.240
crypto ikev2 enable OUTSIDE
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
webvpn
enable OUTSIDE
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
anyconnect profiles VpnAnyConnect_client_profile disk0:/VpnAnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_VpnAnyConnect internal
group-policy GroupPolicy_VpnAnyConnect attributes
wins-server none
dns-server value 10.0.1.2 10.0.1.9
vpn-tunnel-protocol ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Reti_Interne
default-domain value bdossf.local
webvpn
anyconnect profiles value VpnAnyConnect_client_profile type user
tunnel-group VpnAnyConnect type remote-access
tunnel-group VpnAnyConnect general-attributes
address-pool PoolVpnAnyConnect
authentication-server-group RADIUS
default-group-policy GroupPolicy_VpnAnyConnect
tunnel-group VpnAnyConnect webvpn-attributes
group-alias VpnAnyConnect enable
!
Should I change the port of AnyConnect, or do anything else?
Thanks.
M
12-23-2013 11:10 AM
Hello,
Yes, AnyConnect will use port 443 (this is used because it will be open in almost any location), but if you want to forward traffic to an internal web server while having this configuration then you are in trouble.
Proposed Configuration
config te
webvpn
no enable outside
port 442
enable outside
exit
write mem
Looking for some Networking assistance?? Contact me at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
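The clash this reply describes (an interface PAT on TCP/443 competing with the ASA's own WebVPN/AnyConnect listener on the same interface) can be checked mechanically before it bites. The following Python script is an added example, not the poster's or Cisco's code. It parses a constructed running-config fragment assembled from the lines quoted in this thread (running-config indentation restored, the public IP replaced with a documentation address) and reports every `nat ... static interface service tcp` rule whose mapped port is the one the global `webvpn` block listens on for that interface; the second fragment applies the `port 442` change proposed above. The service-name table and the 443 default are assumptions stated in the code, and interface names are compared case-insensitively so the lowercase `outside` in the proposed fix matches the `OUTSIDE` nameif.

```python
"""Flag interface-PAT rules that collide with the ASA WebVPN listener.

Added example for this thread, not code from the original posts or from
Cisco. BROKEN_CONFIG is constructed from the configuration quoted in the
thread; FIXED_CONFIG applies the "port 442" change proposed in the last reply.
"""
import re

# Assumed service-name table: the names the ASA accepts in
# "service tcp <real> <mapped>" that are relevant here.
PORT_NAMES = {"https": 443, "http": 80, "www": 80, "ssh": 22, "smtp": 25}
DEFAULT_WEBVPN_PORT = 443  # WebVPN/AnyConnect listens on TCP/443 unless "port N" is set

NAT_RE = re.compile(
    r"^\s*nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) static interface "
    r"service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+)",
    re.M,
)

# Constructed from the thread's quoted lines; 192.0.2.190 stands in for the
# poster's public address.
BROKEN_CONFIG = """\
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.0.2.190 255.255.255.240
!
object network Owa_10.0.1.4
 host 10.0.1.4
object network Owa_10.0.1.4
 nat (INSIDE,OUTSIDE) static interface service tcp https https
webvpn
 enable OUTSIDE
 anyconnect-essentials
 anyconnect enable
group-policy GroupPolicy_VpnAnyConnect attributes
 vpn-tunnel-protocol ikev2
 webvpn
  anyconnect profiles value VpnAnyConnect_client_profile type user
"""

# Same config after the proposed fix: WebVPN moved to TCP/442.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "webvpn\n enable OUTSIDE", "webvpn\n port 442\n enable OUTSIDE"
)


def port_number(token):
    """Resolve a service name or numeric port to an integer."""
    return PORT_NAMES.get(token.lower()) or int(token)


def webvpn_listeners(config):
    """Return {interface (lower-case): port} for each 'enable <if>' in the
    global webvpn block. The global block is the unindented 'webvpn' command;
    the indented 'webvpn' under group-policy attributes is a different mode.
    'port N' applies to every enabled interface, whichever order they appear in."""
    interfaces = []
    port = DEFAULT_WEBVPN_PORT
    in_webvpn = False
    for line in config.splitlines():
        if line == "webvpn":
            in_webvpn = True
            continue
        if in_webvpn and not line.startswith(" "):
            in_webvpn = False  # next top-level command ends the block
        if not in_webvpn:
            continue
        m = re.match(r"\s*enable (\S+)", line)
        if m:
            interfaces.append(m.group(1).lower())
        m = re.match(r"\s*port (\d+)", line)
        if m:
            port = int(m.group(1))
    return {iface: port for iface in interfaces}


def find_clashes(config):
    """Return (nat line, interface, port) for each static interface PAT whose
    mapped TCP port is owned by the WebVPN listener on that interface."""
    listeners = webvpn_listeners(config)
    clashes = []
    for m in NAT_RE.finditer(config):
        if m.group("proto") != "tcp":
            continue
        iface = m.group("mapped_if").strip()
        mapped = port_number(m.group("mapped_port"))
        if listeners.get(iface.lower()) == mapped:
            clashes.append((m.group(0).strip(), iface, mapped))
    return clashes


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(label, "webvpn listeners:", webvpn_listeners(cfg))
        for nat_line, iface, port in find_clashes(cfg):
            print(f"  CLASH on {iface} tcp/{port}: {nat_line}")
```

Run against the thread's configuration the script reports the 443 clash on OUTSIDE; after `port 442` the listener table shows `{'outside': 442}` and no clash remains, so the interface PAT can deliver HTTPS to 10.0.1.4 while AnyConnect clients connect to port 442.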