Http Connection on Lan Interface

avburren1
Level 1

Hi,

I am replacing an old FW with a new ASA 5510 and I have a problem with a TCP connection on my LAN interface.
I attached a picture of what I want to do.

I created an ACL to make sure traffic through the FW is allowed:
LAN_access_in extended permit ip  192.168.0.0 255.255.248.0 any
                                                    192.168.3.0 255.255.255.0
                                                    192.168.4.0 255.255.255.0
                                                    192.168.5.0 255.255.255.0

From the PC, I can ping the video camera but I can't connect to it with HTTP. I don't understand; Packet Tracer allows the HTTP packet too.

Here are the Wireshark frames captured on the PC:

With the old firewall, the TCP connection is OK:

192.168.1.121  192.168.4.20   TCP  49953 > HTTP [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
192.168.1.254  192.168.1.121  ICMP 49953 Redirect (Redirect For Host)
192.168.1.4.20 192.168.1.121  TCP  http > 49953[SYN, ACK] Seq=0 ACK=1 Win=5840 Len=0 MSS=1460 WS=1
192.168.1.121  192.168.4.20   TCP  49953 > HTTP [ACK] Seq=1 ACK=1 Win=65700 Len=0
192.168.1.121  192.168.4.20   TCP  [TCP segment of a reassembled PDU]

With the ASA, the TCP connection doesn't work:

192.168.1.121  192.168.4.20   TCP  qsm-gui > HTTP [RST] Seq=1 Win=0 Len=0
192.168.1.121  192.168.4.20   TCP  qsm-remote > HTTP [RST] Seq=1 Win=0 Len=0
192.168.1.121  192.168.4.20   TCP  mc_client > HTTP [SYN] Seq=0 Win=65535 Len=0 MSS=1460
192.168.1.121  192.168.4.20   TCP  [TCP Port Numbers reused] mc_client > http [SYN] Seq=0 win=65535 Len=0 MSS=1380

ASDM logs show:

106015# Deny TCP (no connection) from ip1 to ip2 Flags RST on Interface LAN.
The adaptive security appliance discarded a TCP Packet that has no Associated connection in the adaptive security
appliance Connection table.

Any ideas? Thank you.


Allen P Chen
Level 5

Hello,

In looking at your diagram, is the 192.168.1.121 host connected directly to the ASA's LAN interface?  Shouldn't it be connected to the switch?

Why don't you change the default gateway of the 192.168.1.121 host to the layer 3 interface on the switch (192.168.1.229), and allow the switch to route the traffic from the 192.168.1.121 to the 192.168.4.20?  That way, the ASA is not involved at all since all the routing is done on the switch.

Otherwise,  you might need the command "same-security-traffic permit intra-interface" on the ASA, since the ASA has to u-turn that traffic.  By default, the ASA does not allow traffic to enter and exit the same interface.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814

Also, not sure where there are five octets in the source IP here:

192.168.1.4.20 192.168.1.121  TCP  http > 49953[SYN, ACK] Seq=0 ACK=1 Win=5840 Len=0 MSS=1460 WS=1

Hope this helps.

Yes, 192.168.1.121 is connected to a switch.
I can't change the default gateway. Some PCs must have the 1.229 gateway, others must have the ASA LAN interface as gateway.
It worked with the old FW, so something must be missing in my ASA configuration.

I've already enabled the command "same-security-traffic permit intra-interface" on the ASA.

192.168.1.4.20 is a mistake, sorry; I meant "192.168.4.20".

Any other ideas?

Thank You

The ICMP redirects are suspect. Let's see what the traffic looks like when going to the ASA. How about collecting captures off the ASA to see what's happening? If you're not familiar with capturing packets on the ASA, refer to the doc here:

https://supportforums.cisco.com/docs/DOC-1222

I have already collected captures on the ASA between 192.168.1.x and 192.168.4.20 using the ASDM Capture Wizard.
I attached the log to this message.
I can't choose the LAN interface twice, for both ingress and egress traffic, so I only capture packets on the ingress interface. I set other values for the egress interface to complete the command.

I am analysing the frames when it works and when it doesn't work. There is one parameter that changes: "Window Scale".

192.168.1.121  192.168.4.20  TCP  49741 > http [SYN] Seq=0 win 8192 Len=0 MSS=1460 WS=2

192.168.1.254  192.168.1.121  (ICMP Redirect for Host)

192.168.4.20  192.168.1.121  TCP  http > 49741 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=1

In the frame detail:

Window Scale: 2 (multiply by 4)

I don't have this parameter in the frame when it doesn't work:

192.168.1.121  192.168.4.20  TCP  l2f  > http [SYN] Seq=0 win 65535 Len=0 MSS=1460

192.168.4.20  192.168.1.121  TCP [TCP Acked Lost Segment] Http > l2f [SYN,ACK] Seq=0 Ack= 1278274611 win=5840 Len=0 MSS=1460

Is it possible that the ASA blocks the Window Scale option?

Thank You.
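One way to run the frame comparison from the post above programmatically, as an added example (not the thread's own code or a Cisco tool): a Python parser for the Wireshark summary lines pasted in this thread that follows each client port through the three-way handshake and flags a SYN without a window-scale option, a SYN-ACK whose acknowledgement number is not the client's ISN+1, and resets or other segments for which no handshake was seen (the condition the ASA reports as 106015). The sample captures are constructed from the values in the thread, with numeric ports in place of the service names Wireshark printed.

```python
import re
# Wireshark summary line as pasted in the thread: src dst TCP [note] sport > dport [FLAGS] k=v ...
LINE = re.compile(r"^(\S+)\s+(\S+)\s+TCP\s+(?:\[[^\]]*\]\s*)?(\S+)\s*>\s*(\S+)\s*\[([^\]]*)\]\s*(.*)$")
def parse_line(line):
    """One summary line -> dict, or None for lines without port/flag detail."""
    if not (m := LINE.match(line.strip())):
        return None
    src, dst, sport, dport, flags, rest = m.groups()
    return {"src": src, "dst": dst, "sport": sport.lower(), "dport": dport.lower(),
            "flags": {x.strip().upper() for x in flags.split(",") if x.strip()},
            "fields": {k.lower(): int(v) for k, v in re.findall(r"(\w+)\s*=\s*(\d+)", rest)}}

def analyze(capture):
    """Walk each client flow through the 3-way handshake; return (states, findings)."""
    flows, findings = {}, []
    for p in filter(None, map(parse_line, capture.splitlines())):
        fl, f = p["flags"], p["fields"]
        key = ((p["dst"], p["dport"], p["src"], p["sport"]) if fl == {"SYN", "ACK"}
               else (p["src"], p["sport"], p["dst"], p["dport"]))
        st = flows.get(key)                     # both directions keyed by the client's (ip, port)
        if fl == {"SYN"}:                       # client's opening packet starts a flow
            flows[key] = {"state": "syn-sent", "isn": f.get("seq", 0)}
            if "ws" not in f:
                findings.append(f"{key}: SYN carries no window-scale option")
        elif st is None:                        # the condition behind ASA message 106015
            findings.append(f"{key}: {'/'.join(sorted(fl))} with no handshake seen")
        elif fl == {"SYN", "ACK"}:
            if f.get("ack") == st["isn"] + 1:
                st["state"] = "syn-received"
            else:                               # reply built against a different client ISN
                st["state"] = "bad-synack"
                findings.append(f"{key}: SYN-ACK acks {f.get('ack')}, expected {st['isn'] + 1}")
        elif fl == {"ACK"} and st["state"] == "syn-received":
            st["state"] = "established"
        elif "RST" in fl:
            findings.append(f"{key}: client reset while {st['state']}")
            st["state"] = "reset"
    return {k: v["state"] for k, v in flows.items()}, findings

# Constructed samples in the thread's format (numeric ports instead of service names).
WORKING = """\
192.168.1.121 192.168.4.20 TCP 49741 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
192.168.4.20 192.168.1.121 TCP http > 49741 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=1
192.168.1.121 192.168.4.20 TCP 49741 > http [ACK] Seq=1 Ack=1 Win=65700 Len=0
"""
BROKEN = """\
192.168.1.121 192.168.4.20 TCP 49955 > http [RST] Seq=1 Win=0 Len=0
192.168.1.121 192.168.4.20 TCP 49956 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
192.168.4.20 192.168.1.121 TCP [TCP Acked Lost Segment] http > 49956 [SYN,ACK] Seq=0 Ack= 1278274611 Win=5840 Len=0 MSS=1460
192.168.1.121 192.168.4.20 TCP 49956 > http [RST] Seq=1 Win=0 Len=0
"""
```

Call analyze(WORKING) and analyze(BROKEN) to see the working flow end in "established" with no findings, while the broken one reports the orphan reset, the missing window-scale option, the mismatched SYN-ACK and the client's reset in turn.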

I still have the problem. Does anyone have answers?

Thanks

Other ideas:

It seems like it is searching for a port it can use but can't connect to it, immediately trying again on a port that is one number higher.

When it works, the ports used by the PC are dynamic/private: 49152 through 65535.

With the ASA, it seems to use the registered ports.

Here is a Cisco user with a similar problem:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24492001.html
