04-11-2011 03:24 AM - edited 03-11-2019 01:19 PM
Let me quickly explain our setup: we are running a Cisco ASA 5510. We have 2 Linux proxy servers in the DMZ. Both proxy servers have static NAT on the firewall.
50% of websites we go to through the firewall have no problems. The other 50% time out; we have found that this happens mostly to websites that are Web 2.0 (like Facebook) and redirect their traffic to other websites. We then decided to test using wget on the Linux boxes. This bypasses the proxy component and is a simple download tool for Linux. The same thing applies: direct connections to files work fine but redirection breaks.
WSG01-EXT is the proxy server. WSG01-PUBLIC-BROWSING is the outside NAT. Here I am trying to download a file: http://download.winzip.com/winzip150.exe. The IP address I am connecting to and the IP address that responds are not the same, and it makes sense that the firewall blocks it, as it sent no SYN to that address, but how do I get around this?
Here are some relevant firewall logs.
WSG01-EXT 39701 92.123.154.73 80 Built outbound TCP connection 201329 for outside:92.123.154.73/80 (92.123.154.73/80) to DMZ-VLAN-15:WSG01-EXT/39701 (WSG01-PUBLIC-BROWSING/39701)
165.165.47.11 80 WSG01-PUBLIC-BROWSING 30737 Deny TCP (no connection) from 165.165.47.11/80 to WSG01-PUBLIC-BROWSING/30737 flags SYN ACK on interface outside
Thanks in advance for all the replies and let me know if you need more information. I really hope this is just some kind of checkbox somewhere that I am missing.
S
04-11-2011 05:50 AM
What is the error message number? Is it %ASA-6-106015? If so this guide may offer some help:
https://supportforums.cisco.com/docs/DOC-14491
Potentially you could enable TCP bypass; however, this will also disable all TCP-based security checks and application inspection.
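For reference, here is what a scoped TCP state bypass looks like on the ASA. This is an added example, not configuration from the thread or from Cisco's guide: it limits the bypass to web traffic sourced from the proxy's real (pre-NAT) address on the DMZ-VLAN-15 interface named in the logs, so the rest of the firewall keeps its normal TCP checks and inspection. The IP placeholder and the ACL, class-map and policy-map names are assumptions.

```cisco
! Match only TCP 80/443 flows that originate from the proxy's real address.
! <WSG01-EXT-IP> is a placeholder for the DMZ (pre-NAT) address of WSG01-EXT.
access-list PROXY-WEB-BYPASS extended permit tcp host <WSG01-EXT-IP> any eq www
access-list PROXY-WEB-BYPASS extended permit tcp host <WSG01-EXT-IP> any eq https
!
class-map PROXY-WEB-BYPASS-CLASS
 match access-list PROXY-WEB-BYPASS
!
! Only flows in this class skip TCP state tracking; everything else is untouched.
policy-map DMZ-VLAN-15-POLICY
 class PROXY-WEB-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the proxy's outbound packets first arrive.
service-policy DMZ-VLAN-15-POLICY interface DMZ-VLAN-15
```

Flows matching the class lose TCP sequence and state checks as well as application inspection, so the ACL should stay as narrow as the proxy's actual traffic allows, and the %ASA-6-106015 denies should be checked afterwards to confirm the bypassed flows were the ones being dropped.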