03-01-2009 10:58 PM - edited 02-21-2020 03:19 AM
Hi,
I have a tricky case with an ASA 5520 and an intranet in Internet Explorer. There is a picture, Flash and document manager, and the traffic gets blocked when using IE, but not in Firefox. The intranet is using port 80. Has anyone else seen something like this?
03-01-2009 11:20 PM
Most probably the issue is not with the firewall (ASA) and the real issue lies in the browser settings.
Regards
Farrukh
03-01-2009 11:29 PM
Hi,
Thanks for your quick reply.
I thought so too, but the intranet functions quite well outside the network, e.g. from my home net. And I get an Access Denied in the ASA log on traffic to the intranet when I use IE inside my net, but strangely not in Firefox.
03-01-2009 11:46 PM
Please give more details about the topology, configuration/inspections enabled on the ASA.
Regards
Farrukh
03-02-2009 12:04 AM
HTTP inspection has default settings.
Here are the messages I get in the ASA log when using IE.
Deny TCP (no connection) from x.x.x.x/2997 to x.x.x.x/80 flags ACK on interface Innside
Deny TCP (no connection) from x.x.x.x/2997 to x.x.x.x/80 flags FIN ACK on interface Innside
Teardown TCP connection 197682186 for Internett:x.x.x.x/80 to Innside:x.x.x.x/2997 duration 0:00:28 bytes 304213 Flow closed by inspection
Access denied URL SRC x.x.x.x DEST x.x.x.x on interface Innside
This is regular HTTP traffic and it is working in Firefox from the same PC and settings.
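The log entries quoted in the post above can be grouped per TCP flow. The following Python is an added example, not part of the original thread: it ties each "Deny TCP (no connection)" entry to the connection torn down with reason "Flow closed by inspection" and records whether an "Access denied URL" entry exists for the same host pair. The sample lines are constructed with documentation-range addresses, and the names `correlate` and `flow_key` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the message format quoted in the post above;
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
Deny TCP (no connection) from 192.0.2.10/2997 to 198.51.100.5/80 flags ACK on interface Innside
Deny TCP (no connection) from 192.0.2.10/2997 to 198.51.100.5/80 flags FIN ACK on interface Innside
Teardown TCP connection 197682186 for Internett:198.51.100.5/80 to Innside:192.0.2.10/2997 duration 0:00:28 bytes 304213 Flow closed by inspection
Teardown TCP connection 197682190 for Internett:198.51.100.5/80 to Innside:192.0.2.10/3001 duration 0:00:02 bytes 5120 TCP FINs
Access denied URL SRC 192.0.2.10 DEST 198.51.100.5 on interface Innside
"""

TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for [^:\s]+:(?P<ip_a>[^/\s]+)/(?P<port_a>\d+)"
    r" to [^:\s]+:(?P<ip_b>[^/\s]+)/(?P<port_b>\d+)"
    r" duration \S+ bytes (?P<bytes>\d+)\s*(?P<reason>.*)$")
DENY = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[^/\s]+)/(?P<sport>\d+)"
    r" to (?P<dst>[^/\s]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface \S+")
URL_DENY = re.compile(r"Access denied URL.*?SRC (?P<src>\S+) DEST (?P<dst>\S+) on interface")

def flow_key(ip1, port1, ip2, port2):
    """Direction-independent key for one TCP flow."""
    return frozenset([(ip1, int(port1)), (ip2, int(port2))])

def correlate(log_text):
    """Return one record per connection that was closed by inspection."""
    closed = {}                  # flow key -> teardown details
    orphans = defaultdict(list)  # flow key -> TCP flags of "no connection" denies
    url_denied = set()           # (src, dst) pairs with an "Access denied URL" entry
    for line in log_text.splitlines():
        if m := TEARDOWN.search(line):
            if "inspection" in m["reason"].lower():
                key = flow_key(m["ip_a"], m["port_a"], m["ip_b"], m["port_b"])
                closed[key] = {"id": int(m["id"]), "bytes": int(m["bytes"])}
        elif m := DENY.search(line):
            orphans[flow_key(m["src"], m["sport"], m["dst"], m["dport"])].append(m["flags"])
        elif m := URL_DENY.search(line):
            url_denied.add((m["src"], m["dst"]))
    report = []
    for key, info in closed.items():
        hosts = {ip for ip, _ in key}
        report.append({**info,
                       "orphan_flags": orphans.get(key, []),
                       "url_denied": any({s, d} == hosts for s, d in url_denied)})
    return report

if __name__ == "__main__":
    for record in correlate(SAMPLE_LOG):
        print(record)
```

Matching is on flow endpoints rather than line order, so it works whether the log viewer lists newest or oldest entries first.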
03-02-2009 12:22 AM
The logs seem to come from the Internet and not the Intranet?
Regards
Farrukh
03-02-2009 12:35 AM
This message comes from the webserver hosting the intranet.
Teardown TCP connection 197682186 for Internett:x.x.x.x/80 to Innside:x.x.x.x/2997 duration 0:00:28 bytes 304213 Flow closed by inspection
I can't understand why inspection is closing the connection when IE is used, but works in FF. Maybe it is something in the way the browser is handling the site, and is there anything we can set in the ASA to prevent/allow this?
03-02-2009 01:07 AM
I'm still not clear with your topology.
On which zone is your web server? "Internett" zone? From where are you testing? LAN = "Innside"?
Which version of ASA are you running?
What do you have under IE:
IE >> Tools >> Advanced >> HTTP 1.1 Settings
Regards
farrukh
03-02-2009 01:27 AM
The webserver is not in "my net". We are delivering applications via Citrix to our users. I am testing this from my inside, with the same settings the users have.
So the traffic is like this:
Terminal Server -> ASA -> Internet -> Webserver
ASA version: ASA 5520 with image asa721-k8
And we are using HTTP 1.1 settings
03-02-2009 01:52 AM
Can you try permitting this 'return' traffic or disabling the HTTP inspection to test this out?
03-02-2009 04:38 AM
Hi again,
I am not very experienced with ASA, so how would turning off HTTP inspection affect the rest of the traffic?
03-02-2009 05:37 AM
Disabling should not affect other traffic, but just to be on the safe side you can just disable it for your specific server, please have a look at:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008085283d.shtml
Regards
Farrukh
03-03-2009 05:24 AM
Hi,
I have tried the suggested solutions, but still get the same errors in the ASA log. I have tried with a new ASA 5505 with default settings and there it is working; the only difference is that there is a newer image on the 5505 (7.2(2)).
Best Regards
03-03-2009 05:31 AM
Can you post the output of the following command from both boxes:
show run all policy-map
show run service-policy
Then on the troublesome box,
clear asp drop
immediately test the problematic server connection via IE, then paste output of
show asp drop
Regards
Farrukh
03-03-2009 06:10 AM
Hi, Farrukh,
Will do that tomorrow, thanks for your reply.
Regards