Issue With Cisco 5505 not letting data outside.

fostaerou
Level 1

I run a dedicated server behind a Cisco 5505; I'm quite new to hardware firewalling and still learning.

The current issue I am having is that I am running an application that uses the external IP address to send data from a MySQL database out to clients as they connect and log in from their PCs. The problem is that something seems to be blocking data from being sent properly outside in response to outside requests: when a client logs in to their account, it loads fine and accepts the login, but then when the server process requests the MySQL data and the information for what is stored on their account (such as in-game characters), it seems not to be sent out, so the client sees their account as empty, not allowing them to progress further.

Upon further testing I also noticed that the FTP I am running has the same issue: I can send a request and it goes through, however the server denies it as it will not send anything back out to the FTP client. So far the only way I have been able to get both my server application and the FTP to function properly is by routing them via VPN through LogMeIn Hamachi. Running both on the Hamachi IP address seems to resolve the issue, but this is not ideal; this free VPN service is not as fast or as stable as my actual server network and also requires extra work by clients to set up Hamachi on their PCs and enter my Hamachi "room" in order to connect.

So does any more knowledgeable person on here know what may be causing my issue, and anything I could do to work around it without using a service such as Hamachi, so I can get back to using my normal server IP address? If any additional info on my setup is needed just ask and I'll post it as required.

Thank you in advance for any help.

3 Replies

Jouni Forss
VIP Alumni

Hi,

Would really need to see the firewall configurations to determine what the problem could be.

Naturally would need TCP / UDP port information on what connections need to be formed through the firewall. And in those cases would need to know which side opens the connection.

I can only guess that you are using a single IP address (which is also the ASA "outside") to Port Forward services to the server?

One common problem regarding FTP through the ASA is when "inspect ftp" is not set on the ASA. With "inspect ftp" the ASA will automatically allow the FTP Data connection also. So it might be that the Control connection is allowed but the Data connection gets blocked.

- Jouni

Thanks for your reply. After checking some ideas I found that to get the FTP to work I needed to use the internal IP 10.0.0.1 for it rather than the old normal IP like before the firewall (probably a very beginner error, sorry for that). And I discovered the exact issue causing clients to not see their characters if not using Hamachi.

Hamachi treats everyone who joins the network as though they are local, I believe, so when the server sends character info via Hamachi it thinks it is sending the info locally and then Hamachi itself sends it out to the external client. While tracing the data I found that the login process sends a 33 byte packet of data to the client via TCP from port 5051 out to the client on a random port, usually in the range of 40000-50000, telling the client to send a request to the other process to ask for the character information.

Now for some reason I see that when a client logs in through Hamachi that packet is sent correctly to their Hamachi IP and received fine (sent from 10.0.0.1:5051 to the Hamachi IP:40k-50k), but when a client tries to log in using a normal IP with Hamachi turned off, the login process does send the 33 byte packet from 10.0.0.1:5051 to the client WAN IP through the usual port, but the client never receives this packet and as such doesn't request the character information.

So my guess is something on the 5505 is disallowing the login process from sending the data externally to the clients' WAN IPs? Though this is very odd because it does allow the client to actually log in to the account and seems to receive at least part of that information fine.

If any help that might resolve this for me can be given I would very much appreciate it; this issue is limiting my client base and as such my income and business as a whole. Thank you in advance for any help given.

Hi,

We can't really say much about the actual ASA since we can't see its configuration. We can only guess what's happening.

If the Hamachi is the problem then you could consider the actual VPN Client that Cisco uses. Or perhaps some free VPN Client that works with the ASA. Then the ASA acts as the VPN server and provides connectivity to the inside server for the clients.

Sadly the ASA 5505 doesn't provide a huge number of concurrent VPN Client users. The maximum is 25 Clients I think.

Here's a document giving the general specs of the ASA models:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

With regards to allowing or blocking traffic the ASA is fairly simple. If you have allowed some connection to form through it, it will allow the return traffic also.

I would check the firewalls logs through the ASDM (graphical user interface of the ASA) and see what logs are being generated when the connection attempt is being performed.

- Jouni
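As an added illustration (not configuration from the original thread or from either poster) of the two points Jouni raises, the "inspect ftp" setting and checking what the ASA logs for a given flow, the following ASA 8.3+ CLI fragment assumes the inside server is 10.0.0.1 (from the thread), that only FTP control needs forwarding from the outside interface address, and uses a constructed client address 203.0.113.10 with a port in the 40000-50000 range the poster observed for the server-initiated packet from port 5051.

```cisco
! --- FTP inspection: lets the ASA open the FTP Data connection that
! --- belongs to an allowed Control connection (active or passive mode).
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! --- Port-forward FTP control (TCP/21) on the outside interface IP to
! --- the inside server 10.0.0.1 (8.3+ object NAT syntax, assumed).
object network SERVER
 host 10.0.0.1
 nat (inside,outside) static interface service tcp ftp ftp

! --- Outside-to-inside traffic must also be permitted by an ACL; the
! --- ASA then allows the return traffic of that connection on its own.
access-list OUTSIDE_IN extended permit tcp any object SERVER eq ftp
access-group OUTSIDE_IN in interface outside

! --- Make sure the firewall actually records denies so they can be seen
! --- in ASDM or in the buffer (informational includes build/teardown).
logging enable
logging buffered informational
logging asdm informational

! --- Verification, run while a client reproduces the login.
! --- 1) Simulate the server-initiated 33 byte packet (10.0.0.1:5051 ->
! ---    client WAN IP 203.0.113.10, constructed, high port 45000) and see
! ---    which phase (ACL, NAT, route) drops it, if any.
packet-tracer input inside tcp 10.0.0.1 5051 203.0.113.10 45000

! --- 2) Look for any deny or teardown messages mentioning the server.
show logging | include 10.0.0.1

! --- 3) Confirm the control connection exists and which translations
! ---    the server's traffic is using.
show conn address 10.0.0.1
show xlate
```

If packet-tracer reports the flow allowed on every phase but the client still never sees the packet, the drop is most likely beyond the ASA (for example at the client's own router), which is exactly what comparing the Hamachi and non-Hamachi paths in the thread suggests checking.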
