I can ping sites but not browse the Internet

servicioit
Level 1

Hi,

I have an ASA 5505. I can ping 8.8.8.8 and any site, like www.google.es, but I cannot browse the Internet.

In the log I can see:

Deny TCP (no connection) from 192.168.1.199/49364 to 62.128.100.161/443 flags RST on interface outside

Thanks in advance.

This is my configuration:

names
!
interface Ethernet0/0
 switchport access vlan 100
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.100.200 255.255.0.0
!
interface Vlan100
 nameif outside
 security-level 0
 ip address 192.168.1.200 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp destination eq www
 service-object tcp destination eq https
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (outside,inside) dynamic interface
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.20.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 172.20.100.204-172.20.101.75 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:965268bd0f8d4c4741847c9ad301c635
: end
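
Added example (mine, not code from the post or from Cisco): a small Python lint over the configuration above. It reads each interface's nameif and security-level and the object NAT statements, then reports a dynamic interface PAT that runs from the lowest-security interface toward a higher-security one with no rule in the opposite direction (the symptom discussed in the replies below), and also flags telnet management open to every source address, which the pasted config has. ASA_CONFIG is a constructed excerpt of the configuration in the post; the finding codes NAT_REVERSED and TELNET_ANY are names I chose.

```python
"""Lint a Cisco ASA configuration excerpt for two things a reviewer checks first:
a dynamic interface PAT pointing the wrong way, and telnet open to any source."""
import re

# Constructed excerpt of the configuration pasted in the post.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.100.200 255.255.0.0
!
interface Vlan100
 nameif outside
 security-level 0
 ip address 192.168.1.200 255.255.255.0
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (outside,inside) dynamic interface
telnet 0.0.0.0 0.0.0.0 inside
"""

NAT_RE = re.compile(r"^\s*nat\s+\((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)\s+dynamic\s+interface\s*$")


def interface_levels(cfg):
    """Return {nameif: security-level} collected from the interface blocks."""
    levels, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None  # new block; nameif comes before security-level in ASA output
            continue
        m = re.match(r"\s+nameif\s+(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s+security-level\s+(\d+)", line)
        if m and name:
            levels[name] = int(m.group(1))
    return levels


def dynamic_pat_rules(cfg):
    """Return [(object_name, real_if, mapped_if)] for every 'nat (a,b) dynamic interface'."""
    rules, obj = [], None
    for line in cfg.splitlines():
        m = re.match(r"object network\s+(\S+)", line)
        if m:
            obj = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and obj:
            rules.append((obj, m["real"], m["mapped"]))
    return rules


def lint(cfg):
    """Return a list of (code, message) findings for the configuration text."""
    findings = []
    levels = interface_levels(cfg)
    rules = dynamic_pat_rules(cfg)
    pairs = {(real, mapped) for _, real, mapped in rules}
    for obj, real, mapped in rules:
        if real == mapped:
            continue  # same-interface (hairpin) PAT; direction is not the question there
        if levels.get(real, 0) < levels.get(mapped, 0) and (mapped, real) not in pairs:
            findings.append(("NAT_REVERSED",
                             f"{obj}: 'nat ({real},{mapped}) dynamic interface' PATs {real} hosts "
                             f"toward the higher-security {mapped}; outbound PAT for {mapped} hosts "
                             f"needs 'nat ({mapped},{real}) dynamic interface'"))
    for line in cfg.splitlines():
        m = re.match(r"telnet\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)", line)
        if m:
            findings.append(("TELNET_ANY",
                             f"telnet accepted from any address on {m.group(1)}: cleartext "
                             f"management; restrict to ssh from a management subnet"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(ASA_CONFIG):
        print(code, msg)
```

Running it on the excerpt prints the NAT_REVERSED finding for obj_any and the TELNET_ANY finding; swapping the rule to nat (inside,outside) clears the first one and leaves the second, which is worth fixing regardless of the NAT question.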

9 Replies

Ricky Sandhu
Level 3

I am by no means an ASA Guru but shouldn't you be inspecting HTTP traffic?  Or does it automatically get matched as part of the class-map inspection_default?

Attached the default inspections.

Your NAT interfaces are backwards. It should be:

object network obj_any
 nat (inside,outside) dynamic interface

You can and should remove the ACL applied to the outside interface. The ASA is stateful and will create pinholes back in to allow return traffic.

You can see where it is failing with the following command:

packet-tracer input inside tcp 172.20.100.5 3943 8.8.8.8 80 detail

I need the ACL from outside to inside because I need to reach a captive portal on 172.20.100.2 from 192.168.1.99 (computer).

So I reach this captive portal, but I cannot surf the Internet after I authenticate successfully in the captive portal, although I can ping www.google.es after authenticating.

do you have any ideas?

Thanks

If I understand the topology correctly, you have a user (192.168.1.199) on the outside who is being authenticated via a captive portal on an internal machine (172.20.100.2) for Internet access. Please correct me if I am wrong.

Do you see the initial authentication connection from the .119 machine to .2 on the ASA? Run the command "show conn | in 172.20.100.2".

Does the internal subnet 172.20.0.0/16 have issues accessing the Internet?

Run the below capture command on the outside interface:

capture out interface outside match icmp any host 8.8.8.8

Initiate a ping to 8.8.8.8 after the user is authenticated and take the output of:

show capture out

Also, please paste the logs prior to the "Deny TCP (no connection)" message.

Regards

Akhil

Hi Akhil.

Thanks for your help.

You are right. My user is on 192.168.1.199 with GW 192.168.1.200, my captive portal is on 172.20.100.2, my ASA inside interface is 172.20.100.200/16 and my outside interface is 192.168.1.200/24.

Do you see the initial authentication connection from the .119 machine to .2 on the ASA? Run the command "show conn | in 172.20.100.2".

If I run sh conn:

UDP outside  8.8.8.8:53 outside  192.168.1.199:58282, idle 0:00:27, bytes 30, flags -
UDP outside  8.8.8.8:53 outside  192.168.1.199:60564, idle 0:00:27, bytes 30, flags -
UDP outside  8.8.8.8:53 outside  192.168.1.199:55531, idle 0:00:27, bytes 30, flags -
UDP outside  8.8.8.8:53 outside  192.168.1.199:58089, idle 0:00:27, bytes 30, flags -
UDP outside  8.8.8.8:53 outside  192.168.1.199:51813, idle 0:00:27, bytes 30, flags -
UDP outside  8.8.8.8:53 outside  192.168.1.199:64212, idle 0:00:28, bytes 41, flags -
UDP outside  8.8.8.8:53 outside  192.168.1.199:57634, idle 0:00:31, bytes 29, flags -
UDP outside  8.8.8.8:53 outside  192.168.1.199:64760, idle 0:00:31, bytes 32, flags -
TCP outside  172.20.100.200(192.168.1.199):65069 inside  172.20.100.2:8880, idle 0:00:18, bytes 3007, flags UfrxIOB
TCP outside  172.20.100.200(192.168.1.199):65040 inside  172.20.0.122:13000, idle 0:03:38, bytes 423463, flags UxIOB

Does the internal subnet 172.20.0.0/16 have issues accessing the Internet?

Yes, this is my problem. The internal subnet (172.20.0.0/16) cannot access the Internet.

Initiate a ping to 8.8.8.8 after the user is authenticated and take the output of:

show capture out

ciscoasa# show capture out

12 packets captured

   1: 00:00:36.174475       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   2: 00:00:36.174673       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   3: 00:00:37.174032       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   4: 00:00:37.174063       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   5: 00:00:38.172308       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   6: 00:00:38.172339       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   7: 00:00:39.170080       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   8: 00:00:39.170111       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
   9: 00:00:50.669505       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
  10: 00:00:50.669719       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
  11: 00:00:51.663112       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
  12: 00:00:51.663143       802.1Q vlan#100 P0 192.168.1.199 > 8.8.8.8: icmp: echo request
12 packets shown

Please paste the logs prior to the "Deny TCP (no connection)" message:

4|May 05 2017|00:04:41|733100|||||[ Scanning] drop rate-2 exceeded. Current burst rate is 3 per second, max configured rate is 8; Current average rate is 50 per second, max configured rate is 4; Cumulative total count is 180400
4|May 05 2017|00:04:41|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 23 per second, max configured rate is 10; Current average rate is 50 per second, max configured rate is 5; Cumulative total count is 30222
6|May 05 2017|00:04:27|302014|192.168.1.199|65160|193.110.128.109|80|Teardown TCP connection 34951 for outside:192.168.1.199/65160 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:27|302013|192.168.1.199|65160|193.110.128.109|80|Built inbound TCP connection 34951 for outside:192.168.1.199/65160 (192.168.1.199/65160) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:04:25|106015|192.168.1.199|65160|193.110.128.109|80|Deny TCP (no connection) from 192.168.1.199/65160 to 193.110.128.109/80 flags RST  on interface outside
6|May 05 2017|00:04:21|106015|192.168.1.199|65160|193.110.128.109|80|Deny TCP (no connection) from 192.168.1.199/65160 to 193.110.128.109/80 flags RST  on interface outside
4|May 05 2017|00:04:21|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 22 per second, max configured rate is 10; Current average rate is 50 per second, max configured rate is 5; Cumulative total count is 30237
6|May 05 2017|00:04:21|302014|192.168.1.199|65160|193.110.128.109|80|Teardown TCP connection 34950 for outside:192.168.1.199/65160 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:21|302013|192.168.1.199|65160|193.110.128.109|80|Built inbound TCP connection 34950 for outside:192.168.1.199/65160 (192.168.1.199/65160) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:04:20|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST  on interface outside
6|May 05 2017|00:04:19|106015|192.168.1.199|65160|193.110.128.109|80|Deny TCP (no connection) from 192.168.1.199/65160 to 193.110.128.109/80 flags RST  on interface outside
6|May 05 2017|00:04:18|302014|192.168.1.199|65160|193.110.128.109|80|Teardown TCP connection 34949 for outside:192.168.1.199/65160 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:18|302013|192.168.1.199|65160|193.110.128.109|80|Built inbound TCP connection 34949 for outside:192.168.1.199/65160 (192.168.1.199/65160) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:04:17|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST  on interface outside
6|May 05 2017|00:04:15|106015|192.168.1.199|65157|195.122.177.147|443|Deny TCP (no connection) from 192.168.1.199/65157 to 195.122.177.147/443 flags RST  on interface outside
6|May 05 2017|00:04:14|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST  on interface outside
6|May 05 2017|00:04:12|106015|192.168.1.199|65157|195.122.177.147|443|Deny TCP (no connection) from 192.168.1.199/65157 to 195.122.177.147/443 flags RST  on interface outside
6|May 05 2017|00:04:11|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST  on interface outside
6|May 05 2017|00:04:11|302014|192.168.1.199|65158|195.122.177.165|443|Teardown TCP connection 34948 for outside:192.168.1.199/65158 to outside:195.122.177.165/443 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:11|302013|192.168.1.199|65158|195.122.177.165|443|Built inbound TCP connection 34948 for outside:192.168.1.199/65158 (192.168.1.199/65158) to outside:195.122.177.165/443 (195.122.177.165/443)
6|May 05 2017|00:04:09|106015|192.168.1.199|65157|195.122.177.147|443|Deny TCP (no connection) from 192.168.1.199/65157 to 195.122.177.147/443 flags RST  on interface outside
6|May 05 2017|00:04:08|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST  on interface outside
6|May 05 2017|00:04:06|302014|192.168.1.199|65157|195.122.177.147|443|Teardown TCP connection 34943 for outside:192.168.1.199/65157 to outside:195.122.177.147/443 duration 0:00:09 bytes 0 TCP Reset-O
6|May 05 2017|00:04:06|302014|192.168.1.199|65156|193.110.128.109|80|Teardown TCP connection 34947 for outside:192.168.1.199/65156 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:06|302013|192.168.1.199|65156|193.110.128.109|80|Built inbound TCP connection 34947 for outside:192.168.1.199/65156 (192.168.1.199/65156) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:04:05|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST  on interface outside
6|May 05 2017|00:04:05|302014|192.168.1.199|65158|195.122.177.165|443|Teardown TCP connection 34946 for outside:192.168.1.199/65158 to outside:195.122.177.165/443 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:05|302013|192.168.1.199|65158|195.122.177.165|443|Built inbound TCP connection 34946 for outside:192.168.1.199/65158 (192.168.1.199/65158) to outside:195.122.177.165/443 (195.122.177.165/443)
6|May 05 2017|00:04:02|302014|192.168.1.199|65158|195.122.177.165|443|Teardown TCP connection 34945 for outside:192.168.1.199/65158 to outside:195.122.177.165/443 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:02|302013|192.168.1.199|65158|195.122.177.165|443|Built inbound TCP connection 34945 for outside:192.168.1.199/65158 (192.168.1.199/65158) to outside:195.122.177.165/443 (195.122.177.165/443)
4|May 05 2017|00:04:01|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 10; Current average rate is 50 per second, max configured rate is 5; Cumulative total count is 30172
6|May 05 2017|00:04:00|106015|192.168.1.199|65156|193.110.128.109|80|Deny TCP (no connection) from 192.168.1.199/65156 to 193.110.128.109/80 flags RST  on interface outside
6|May 05 2017|00:04:00|302014|192.168.1.199|65156|193.110.128.109|80|Teardown TCP connection 34944 for outside:192.168.1.199/65156 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:00|302013|192.168.1.199|65156|193.110.128.109|80|Built inbound TCP connection 34944 for outside:192.168.1.199/65156 (192.168.1.199/65156) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:03:58|106015|192.168.1.199|65156|193.110.128.109|80|Deny TCP (no connection) from 192.168.1.199/65156 to 193.110.128.109/80 flags RST  on interface outside
6|May 05 2017|00:03:57|302014|192.168.1.199|65156|193.110.128.109|80|Teardown TCP connection 34942 for outside:192.168.1.199/65156 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:03:57|302013|192.168.1.199|65157|195.122.177.147|443|Built inbound TCP connection 34943 for outside:192.168.1.199/65157 (192.168.1.199/65157) to outside:195.122.177.147/443 (195.122.177.147/443)
6|May 05 2017|00:03:57|302013|192.168.1.199|65156|193.110.128.109|80|Built inbound TCP connection 34942 for outside:192.168.1.199/65156 (192.168.1.199/65156) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:03:56|305012|192.168.1.199|65147|172.20.100.200|65147|Teardown dynamic TCP translation from outside:192.168.1.199/65147 to inside:172.20.100.200/65147 duration 0:00:06
6|May 05 2017|00:03:56|302014|192.168.1.199|65147|172.20.100.2|8880|Teardown TCP connection 34940 for outside:192.168.1.199/65147 to inside:172.20.100.2/8880 duration 0:00:06 bytes 2194 TCP FINs
6|May 05 2017|00:03:56|302013|192.168.1.199|65150|172.20.100.2|8880|Built inbound TCP connection 34941 for outside:192.168.1.199/65150 (172.20.100.200/65150) to inside:172.20.100.2/8880 (172.20.100.2/8880)
6|May 05 2017|00:03:56|305011|192.168.1.199|65150|172.20.100.200|65150|Built dynamic TCP translation from outside:192.168.1.199/65150 to inside:172.20.100.200/65150
6|May 05 2017|00:03:50|302013|192.168.1.199|65147|172.20.100.2|8880|Built inbound TCP connection 34940 for outside:192.168.1.199/65147 (172.20.100.200/65147) to inside:172.20.100.2/8880 (172.20.100.2/8880)
6|May 05 2017|00:03:50|305011|192.168.1.199|65147|172.20.100.200|65147|Built dynamic TCP translation from outside:192.168.1.199/65147 to inside:172.20.100.200/65147
6|May 05 2017|00:03:49|302015|192.168.1.199|55720|8.8.8.8|53|Built inbound UDP connection 34939 for outside:192.168.1.199/55720 (192.168.1.199/55720) to outside:8.8.8.8/53 (8.8.8.8/53)
6|May 05 2017|00:03:49|302015|192.168.1.199|59800|8.8.8.8|53|Built inbound UDP connection 34938 for outside:192.168.1.199/59800 (192.168.1.199/59800) to outside:8.8.8.8/53 (8.8.8.8/53)
6|May 05 2017|00:03:49|302015|192.168.1.199|53363|8.8.8.8|53|Built inbound UDP connection 34937 for outside:192.168.1.199/53363 (192.168.1.199/53363) to outside:8.8.8.8/53 (8.8.8.8/53)
6|May 05 2017|00:03:49|302015|192.168.1.199|54153|8.8.8.8|53|Built inbound UDP connection 34936 for outside:192.168.1.199/54153 (192.168.1.199/54153) to outside:8.8.8.8/53 (8.8.8.8/53)
6|May 05 2017|00:03:42|302014|192.168.1.199|65124|13.107.5.80|80|Teardown TCP connection 34921 for outside:192.168.1.199/65124 to outside:13.107.5.80/80 duration 0:00:30 bytes 0 SYN Timeout
4|May 05 2017|00:03:41|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 25 per second, max configured rate is 10; Current average rate is 50 per second, max configured rate is 5; Cumulative total count is 30193
6|May 05 2017|00:03:41|302014|172.20.100.2|59304|172.20.100.200|443|Teardown TCP connection 34928 for inside:172.20.100.2/59304 to identity:172.20.100.200/443 duration 0:00:26 bytes 595 TCP FINs
6|May 05 2017|00:03:41|302014|172.20.100.2|59308|172.20.100.200|443|Teardown TCP connection 34930 for inside:172.20.100.2/59308 to identity:172.20.100.200/443 duration 0:00:26 bytes 441 TCP FINs
6|May 05 2017|00:03:41|302014|172.20.100.2|59310|172.20.100.200|443|Teardown TCP connection 34931 for inside:172.20.100.2/59310 to identity:172.20.100.200/443 duration 0:00:26 bytes 579 TCP FINs
4|May 05 2017|00:03:21|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 10; Current average rate is 50 per second, max configured rate is 5; Cumulative total count is 30167
6|May 05 2017|00:03:18|305012|192.168.1.199|65132|172.20.100.200|65132|Teardown dynamic TCP translation from outside:192.168.1.199/65132 to inside:172.20.100.200/65132 duration 0:00:00
6|May 05 2017|00:03:18|302014|192.168.1.199|65132|172.20.0.122|13000|Teardown TCP connection 34935 for outside:192.168.1.199/65132 to inside:172.20.0.122/13000 duration 0:00:00 bytes 17680 TCP FINs
6|May 05 2017|00:03:18|302013|192.168.1.199|65132|172.20.0.122|13000|Built inbound TCP connection 34935 for outside:192.168.1.199/65132 (172.20.100.200/65132) to inside:172.20.0.122/13000 (172.20.0.122/13000)
6|May 05 2017|00:03:18|305011|192.168.1.199|65132|172.20.100.200|65132|Built dynamic TCP translation from outside:192.168.1.199/65132 to inside:172.20.100.200/65132
6|May 05 2017|00:03:16|305012|192.168.1.199|65131|172.20.100.200|65131|Teardown dynamic TCP translation from outside:192.168.1.199/65131 to inside:172.20.100.200/65131 duration 0:00:00
6|May 05 2017|00:03:16|302014|192.168.1.199|65131|172.20.0.122|13000|Teardown TCP connection 34934 for outside:192.168.1.199/65131 to inside:172.20.0.122/13000 duration 0:00:00 bytes 0 TCP FINs
6|May 05 2017|00:03:16|302013|192.168.1.199|65131|172.20.0.122|13000|Built inbound TCP connection 34934 for outside:192.168.1.199/65131 (172.20.100.200/65131) to inside:172.20.0.122/13000 (172.20.0.122/13000)
6|May 05 2017|00:03:16|305011|192.168.1.199|65131|172.20.100.200|65131|Built dynamic TCP translation from outside:192.168.1.199/65131 to inside:172.20.100.200/65131
6|May 05 2017|00:03:14|302015|192.168.1.199|64843|8.8.8.8|53|Built inbound UDP connection 34933 for outside:192.168.1.199/64843 (192.168.1.199/64843) to outside:8.8.8.8/53 (8.8.8.8/53)
6|May 05 2017|00:03:14|106015|172.20.100.2|59314|172.20.100.200|443|Deny TCP (no connection) from 172.20.100.2/59314 to 172.20.100.200/443 flags FIN ACK  on interface inside
6|May 05 2017|00:03:14|302014|172.20.100.2|59314|172.20.100.200|443|Teardown TCP connection 34932 for inside:172.20.100.2/59314 to identity:172.20.100.200/443 duration 0:00:00 bytes 1465 TCP Reset-O
6|May 05 2017|00:03:14|725007|172.20.100.2|59314|||SSL session with client inside:172.20.100.2/59314 terminated.
6|May 05 2017|00:03:14|605005|172.20.100.2|59314|172.20.100.200|https|Login permitted from 172.20.100.2/59314 to inside:172.20.100.200/https for user "enable_15"
6|May 05 2017|00:03:14|725002|172.20.100.2|59314|||Device completed SSL handshake with client inside:172.20.100.2/59314
6|May 05 2017|00:03:14|725003|172.20.100.2|59314|||SSL client inside:172.20.100.2/59314 request to resume previous session.
6|May 05 2017|00:03:14|725001|172.20.100.2|59314|||Starting SSL handshake with client inside:172.20.100.2/59314 for TLS session.
6|May 05 2017|00:03:14|302013|172.20.100.2|59314|172.20.100.200|443|Built inbound TCP connection 34932 for inside:172.20.100.2/59314 (172.20.100.2/59314) to identity:172.20.100.200/443 (172.20.100.200/443)
6|May 05 2017|00:03:14|725007|172.20.100.2|59310|||SSL session with client inside:172.20.100.2/59310 terminated.
6|May 05 2017|00:03:14|605005|172.20.100.2|59310|172.20.100.200|https|Login permitted from 172.20.100.2/59310 to inside:172.20.100.200/https for user "enable_15"
6|May 05 2017|00:03:14|725002|172.20.100.2|59310|||Device completed SSL handshake with client inside:172.20.100.2/59310
6|May 05 2017|00:03:14|725003|172.20.100.2|59310|||SSL client inside:172.20.100.2/59310 request to resume previous session.
6|May 05 2017|00:03:14|725001|172.20.100.2|59310|||Starting SSL handshake with client inside:172.20.100.2/59310 for TLS session.
6|May 05 2017|00:03:14|725007|172.20.100.2|59308|||SSL session with client inside:172.20.100.2/59308 terminated.
6|May 05 2017|00:03:14|302013|172.20.100.2|59310|172.20.100.200|443|Built inbound TCP connection 34931 for inside:172.20.100.2/59310 (172.20.100.2/59310) to identity:172.20.100.200/443 (172.20.100.200/443)
6|May 05 2017|00:03:14|605005|172.20.100.2|59308|172.20.100.200|https|Login permitted from 172.20.100.2/59308 to inside:172.20.100.200/https for user "enable_15"
6|May 05 2017|00:03:14|725002|172.20.100.2|59308|||Device completed SSL handshake with client inside:172.20.100.2/59308
6|May 05 2017|00:03:14|725003|172.20.100.2|59308|||SSL client inside:172.20.100.2/59308 request to resume previous session.
6|May 05 2017|00:03:14|725001|172.20.100.2|59308|||Starting SSL handshake with client inside:172.20.100.2/59308 for TLS session.
6|May 05 2017|00:03:14|725007|172.20.100.2|59306|||SSL session with client inside:172.20.100.2/59306 terminated.
6|May 05 2017|00:03:14|302013|172.20.100.2|59308|172.20.100.200|443|Built inbound TCP connection 34930 for inside:172.20.100.2/59308 (172.20.100.2/59308) to identity:172.20.100.200/443 (172.20.100.200/443)
6|May 05 2017|00:03:14|106015|172.20.100.2|59306|172.20.100.200|443|Deny TCP (no connection) from 172.20.100.2/59306 to 172.20.100.200/443 flags FIN ACK  on interface inside
6|May 05 2017|00:03:14|302014|172.20.100.2|59306|172.20.100.200|443|Teardown TCP connection 34929 for inside:172.20.100.2/59306 to identity:172.20.100.200/443 duration 0:00:00 bytes 393 TCP Reset-O
5|May 05 2017|00:03:14|111010|||||User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'dir disk0:/dap.xml'
5|May 05 2017|00:03:14|111008|||||User 'enable_15' executed the 'dir disk0:/dap.xml' command.
6|May 05 2017|00:03:14|605005|172.20.100.2|59306|172.20.100.200|https|Login permitted from 172.20.100.2/59306 to inside:172.20.100.200/https for user "enable_15"
6|May 05 2017|00:03:14|725002|172.20.100.2|59306|||Device completed SSL handshake with client inside:172.20.100.2/59306
6|May 05 2017|00:03:14|725003|172.20.100.2|59306|||SSL client inside:172.20.100.2/59306 request to resume previous session.
6|May 05 2017|00:03:14|725001|172.20.100.2|59306|||Starting SSL handshake with client inside:172.20.100.2/59306 for TLS session.
6|May 05 2017|00:03:14|725007|172.20.100.2|59304|||SSL session with client inside:172.20.100.2/59304 terminated.
6|May 05 2017|00:03:14|302013|172.20.100.2|59306|172.20.100.200|443|Built inbound TCP connection 34929 for inside:172.20.100.2/59306 (172.20.100.2/59306) to identity:172.20.100.200/443 (172.20.100.200/443)
6|May 05 2017|00:03:14|605005|172.20.100.2|59304|172.20.100.200|https|Login permitted from 172.20.100.2/59304 to inside:172.20.100.200/https for user "enable_15"
6|May 05 2017|00:03:14|725002|172.20.100.2|59304|||Device completed SSL handshake with client inside:172.20.100.2/59304
6|May 05 2017|00:03:14|302014|172.20.100.2|59302|172.20.100.200|443|Teardown TCP connection 34927 for inside:172.20.100.2/59302 to identity:172.20.100.200/443 duration 0:00:00 bytes 10070 TCP Reset-O
6|May 05 2017|00:03:14|725003|172.20.100.2|59304|||SSL client inside:172.20.100.2/59304 request to resume previous session.
6|May 05 2017|00:03:14|725001|172.20.100.2|59304|||Starting SSL handshake with client inside:172.20.100.2/59304 for TLS session.
6|May 05 2017|00:03:14|725007|172.20.100.2|59302|||SSL session with client inside:172.20.100.2/59302 terminated.
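
Added example, not part of the thread: a Python correlator for the ASDM pipe-delimited log lines above. It groups the 302013 (Built), 302014 (Teardown) and 106015 (Deny TCP, no connection) records by TCP 4-tuple and gives each flow a verdict: "ok" when a teardown carried data, "no-return-path" when every teardown is zero-byte and ended by SYN Timeout or an immediate reset, or when the ASA later dropped RSTs for the same tuple because it no longer held a connection. SAMPLE_LOG is a handful of lines copied from the log in the post; the verdict names and the ingress->egress annotation are my own.

```python
"""Correlate ASDM syslog export lines by TCP 4-tuple and flag flows whose
return traffic never reached the ASA (zero-byte teardowns plus late RST drops)."""
import re
from collections import defaultdict

# Lines copied from the log in the post (severity|date|time|msgid|src|sport|dst|dport|text).
SAMPLE_LOG = """\
6|May 05 2017|00:04:27|302014|192.168.1.199|65160|193.110.128.109|80|Teardown TCP connection 34951 for outside:192.168.1.199/65160 to outside:193.110.128.109/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:27|302013|192.168.1.199|65160|193.110.128.109|80|Built inbound TCP connection 34951 for outside:192.168.1.199/65160 (192.168.1.199/65160) to outside:193.110.128.109/80 (193.110.128.109/80)
6|May 05 2017|00:04:25|106015|192.168.1.199|65160|193.110.128.109|80|Deny TCP (no connection) from 192.168.1.199/65160 to 193.110.128.109/80 flags RST  on interface outside
6|May 05 2017|00:04:20|106015|192.168.1.199|65158|195.122.177.165|443|Deny TCP (no connection) from 192.168.1.199/65158 to 195.122.177.165/443 flags RST  on interface outside
6|May 05 2017|00:04:11|302014|192.168.1.199|65158|195.122.177.165|443|Teardown TCP connection 34948 for outside:192.168.1.199/65158 to outside:195.122.177.165/443 duration 0:00:00 bytes 0 TCP Reset-O
6|May 05 2017|00:04:11|302013|192.168.1.199|65158|195.122.177.165|443|Built inbound TCP connection 34948 for outside:192.168.1.199/65158 (192.168.1.199/65158) to outside:195.122.177.165/443 (195.122.177.165/443)
6|May 05 2017|00:03:56|302014|192.168.1.199|65147|172.20.100.2|8880|Teardown TCP connection 34940 for outside:192.168.1.199/65147 to inside:172.20.100.2/8880 duration 0:00:06 bytes 2194 TCP FINs
6|May 05 2017|00:03:50|302013|192.168.1.199|65147|172.20.100.2|8880|Built inbound TCP connection 34940 for outside:192.168.1.199/65147 (172.20.100.200/65147) to inside:172.20.100.2/8880 (172.20.100.2/8880)
6|May 05 2017|00:03:42|302014|192.168.1.199|65124|13.107.5.80|80|Teardown TCP connection 34921 for outside:192.168.1.199/65124 to outside:13.107.5.80/80 duration 0:00:30 bytes 0 SYN Timeout
"""

BUILT_RE = re.compile(r"Built inbound TCP connection (?P<conn>\d+) for (?P<in_if>\w+):.*? to (?P<out_if>\w+):")
TEARDOWN_RE = re.compile(r"Teardown TCP connection (?P<conn>\d+) for (?P<in_if>\w+):.*? to (?P<out_if>\w+):\S+ "
                         r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$")
DENY_RE = re.compile(r"Deny TCP \(no connection\) .* flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)")


def parse_line(line):
    """Split one export line into its fields; return None for records we do not correlate."""
    parts = line.split("|", 8)
    if len(parts) != 9:
        return None
    _sev, _date, time, msgid, src, sport, dst, dport, text = parts
    if msgid not in ("302013", "302014", "106015") or not sport or not dport:
        return None
    return {"msgid": msgid, "key": (src, int(sport), dst, int(dport)), "text": text, "time": time}


def correlate(log_text):
    """Group Built/Teardown/Deny records per (src, sport, dst, dport)."""
    flows = defaultdict(lambda: {"built": [], "teardowns": [], "denies": 0, "path": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flow = flows[rec["key"]]
        if rec["msgid"] == "302013":
            m = BUILT_RE.search(rec["text"])
            if m:
                flow["built"].append(m["conn"])
                flow["path"] = (m["in_if"], m["out_if"])  # ingress -> egress interface
        elif rec["msgid"] == "302014":
            m = TEARDOWN_RE.search(rec["text"])
            if m:
                flow["teardowns"].append((int(m["bytes"]), m["dur"], m["reason"]))
        elif rec["msgid"] == "106015":
            m = DENY_RE.search(rec["text"])
            if m and "RST" in m["flags"].split():
                flow["denies"] += 1  # RST arrived with no matching connection
    return dict(flows)


def classify(flow):
    """'ok' if any teardown carried bytes; 'no-return-path' for the handshake-never-completed pattern."""
    if any(b > 0 for b, _, _ in flow["teardowns"]):
        return "ok"
    zero_byte = [t for t in flow["teardowns"] if t[0] == 0]
    if zero_byte and (flow["denies"] > 0 or
                      any("SYN Timeout" in reason or dur == "0:00:00" for _, dur, reason in zero_byte)):
        return "no-return-path"
    return "incomplete"


def report(log_text):
    """Return {4-tuple: (verdict, 'ingress->egress', built_count, rst_denies)}."""
    out = {}
    for key, flow in correlate(log_text).items():
        path = "->".join(flow["path"]) if flow["path"] else "?"
        out[key] = (classify(flow), path, len(flow["built"]), flow["denies"])
    return out


if __name__ == "__main__":
    for key, (verdict, path, built, denies) in sorted(report(SAMPLE_LOG).items()):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]:<5} {path:<16} built={built} rst_denies={denies} {verdict}")
```

On the sample, the captive-portal flow to 172.20.100.2:8880 (outside->inside, 2194 bytes, TCP FINs) is "ok", while every Internet-bound flow is outside->outside, zero-byte, and "no-return-path": the ASA built the connection on the SYN, never saw a SYN-ACK through itself, and then dropped the RSTs that arrived after the entry was gone. Feed it the full export rather than the excerpt to see whether any outside->outside flow ever completes.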

Thanks for the output.


From the captures, I see that the echo request is going out, but no echo reply is seen on the ASA. From the earlier post, I believe the pings work.

This looks like an issue with asymmetric routing. Ideally, the ASA should have seen both the echo request and the echo reply. In this case, the ASA is only seeing the echo request, yet the pings still succeed, which proves that there might be some asymmetric routing, where the upstream device is sending the traffic directly to the host machine instead of sending it via the ASA.

The reason the pings work is that ICMP is stateless; the ASA does not keep track of ICMP connections (this can be changed by enabling ICMP inspection). However, a TCP connection is stateful: the ASA has to see the full flow (SYN, SYN-ACK, ACK) to build a connection successfully.

The logs show the TCP connection when the .199 machine tries to go out to the Internet, but it times out, probably because no reply is coming back to the ASA:

Teardown TCP connection 34921 for outside:192.168.1.199/65124 to outside:13.107.5.80/80 duration 0:00:30 bytes 0 SYN Timeout

Try the NAT statements below and let me know if it works:

object network obj_172.16
 subnet 172.20.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

object network obj_192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface

The 192.168.1.0 NAT is to check whether the reply traffic is sent back to the ASA instead of to the machine 192.168.1.199.

Regards

Akhil

Hi Akhil

Thanks for your response.

I put in your two rules, and the captive portal is not reachable now.

So I changed the first NAT rule to inside-to-inside, and everything works OK.

Now I have deleted my old NAT rule from inside to outside, and everything is still working.

I don't understand why, but with these new rules I can reach the captive portal, I can authenticate, and I can surf the Internet. Just what I needed.

object network obj_172.16
 nat (inside,inside) dynamic interface
object network obj_192.168.1.0
 nat (outside,outside) dynamic interface

Do you think this configuration is correct?

Thanks a lot.

Hi

That's strange. Can you remove the nat (inside,inside) and let me know if everything still works?

I don't see a reason why you would require the inside,inside NAT. Is there any traffic hairpinning on the inside interface?

Regards

Akhil
