Help on accessing Device from remotely

Davy Ad
Level 1

Hello All,

I need help on these;

I have an HP printer (HP Color LaserJet CM2320nf MFP) behind a Cisco ASA5505 firewall.

I have been accessing this before until last week; I cannot any more. Also, I cannot send scanned documents through it.

Here is the topology:

                                                  /---> VMware server
                                                  |---> IP Phone & PC
<<Internet>> ==> ASA5505 ==> Cisco Switch 2960 ---|---> IP Phone & PC
                                                  |---> PC
                                                  \---> HP Color LaserJet CM2320nf MFP

* I can access the ASA5505 with HTTPS and the Cisco switch with HTTPS remotely

* I can ping all devices behind the firewall and switch remotely

* Two people in my office with the same subnet 10.10.44.0/24 can ping and HTTPS/HTTP to the ASA, switch and HP printer

* I have a VPN tunnel up and connected to the remote site

Check Attachment for Configurations

Thanks

DaK

6 Replies

Julio Carvajal
VIP Alumni

Hello Davy,

In this case the most recommended troubleshooting step would be to do some captures to see what's going on.

I do not know the source and destination (printer) IP address, so I will give you a document so you can perform the captures and let us know the results.

https://supportforums.cisco.com/docs/DOC-1222

Please rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Jcarvaja,

Thanks for your response. I tried what is in the document link you sent, but I could not get any information.

My source IP address is from the remote site with a VPN connection to the destination, the printer's site.

Source subnet = 10.10.44.0/24 my PC is 10.10.44.23

Destination = 10.10.1.0/24 ( LAN Subnet of the Printer site ) and the Printer IP address is 10.10.1.198

My Cisco ASA is 5505 version 8.4 and these are my commands;

Capture PRINTER-CAPTURE_1 interface inside match tcp host 10.10.44.50 host 10.10.1.198 eq 80

Capture PRINTER-CAPTURE_1 interface inside buffer 1000000 packet 1522  trace trace-count 1000

Capture PRINTER-CAPTURE_1 interface outside buffer 1000000 packet 1522  trace trace-count 1000

and the show capture output:

ASA5505# sh capture PRINTER-CAPTURE_1

=

62: 14:19:05.576355 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: P 2745432908:2745433195(287) ack 45352991 win 16560

  63: 14:19:05.576630 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: . ack 2745433195 win 7993

  64: 14:19:05.576859 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: P 45352991:45353080(89) ack 2745433195 win 7993

  65: 14:19:05.576920 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: FP 45353080:45353080(0) ack 2745433195 win 7993

  66: 14:19:05.581680 802.1Q vlan#1 P0 10.10.44.50.59428 > 10.10.1.198.80: . ack 45490856 win 16560

  67: 14:19:05.588699 802.1Q vlan#1 P0 10.10.44.50.59428 > 10.10.1.198.80: P 3148480111:3148480396(285) ack 45490856 win 16560

  68: 14:19:05.588958 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . ack 3148480396 win 7995

  69: 14:19:05.589523 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: P 45490856:45491368(512) ack 3148480396 win 7995

  70: 14:19:05.590270 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . 45491368:45492748(1380) ack 3148480396 win 7995

  71: 14:19:05.590850 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . 45492748:45494128(1380) ack 3148480396 win 7995

  72: 14:19:05.632535 802.1Q vlan#1 P0 10.10.44.50.59421 > 10.10.1.1988.80: F 3008331229:3008331229(0) ack 38850175 win 16432

  73: 14:19:05.633145 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59421: . 38851555:38852935(1380) ack 3008331230 win 8003

  74: 14:19:05.655941 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: . ack 45353081 win 16537

  75: 14:19:05.656231 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: F 2745433195:2745433195(0) ack 45353081 win 16537

  76: 14:19:05.656414 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50..59427: . ack 2745433196 win 7992

  77: 14:19:05.665996 802.1Q vlan#1 P0 10.10.44.50.59422 > 10.10.1.198.80: F 1200183666:1200183666(0) ack 39038817 win 16432

Could anyone explain why the packet was dropped, please?

====================================

Regards,

DaK

Message was edited by: Davy Ad

Dec 5, 2011 7:09 AM (in response to jcarvaja)


Hello Davy,

So the communication is between a remote PC on another site (Site-to-Site VPN). In this case you will need to create the captures on the inside interfaces of both end-points, where the traffic is not encrypted.

Also can you create the following capture:

capture asp type asp-drop all

And then provide us the following:

Show capture asp  | include printer_ip_add

This will show us if there are packets being dropped by the ASA algorithm.

Please rate helpful posts.

Julio!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I applied all commands you requested for, but at my ASA (REMOTE-ASAFW-C5505#) there is no Packet drop.

At the printer's ASA (Printer-ASAFW-C5505#), it shows only 7 packets captured.

REMOTE-ASAFW-C5505# sh capture PRINTER-CAPTURE_REMOTE-PC                                                               

0 packet captured

0 packet shown

============

Printer-ASAFW-C5505# sh capture PRINTER-CAPTURE_LAN_INSIDE

7 packets captured

   1: 15:25:20.633786 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995

   2: 15:26:08.259996 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004

   3: 15:26:10.588073 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995

   4: 15:27:00.532336 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995

   5: 15:27:07.817737 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004

   6: 15:27:50.476110 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: R 3670904924:3670904924(0) win 0

   7: 15:28:07.365505 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004

Printer-ASAFW-C5505# capture ASP type asp-drop all

Printer-ASAFW-C5505# capture ASP type asp-drop all

< EMPTY / NO OUTPUT>

Printer-ASAFW-C5505# Show capture ASP  | include 10.10.1.198 

< EMPTY / NO OUTPUT>

**NB: Could you explain to me what R, P, FP, S & . mean in the output result, please?

Thanks

DaK

Hello Davy,

We can see that there are no drops by the ASA (capture ASP is empty). Now, on the Printer_Capture we can see there are some regular ACK packets, but we can also see a reset (R):

P0 10.10.1.198.80 > 10.10.44.50.55161: R 3670904924:3670904924(0) win 0

So the communication is being ended by that particular reset packet. You will need to do a capture on the PC with Wireshark to check if the computer is the one sending the reset or if it's the printer.

I think that will lead us to the bottom of this issue.

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC