Hi,

This is a strange situation.

I cannot open some web pages on the Internet through the ASA. If I bypass the ASA I can open all the pages.

There's no HTTP inspection on the ASA enabled.

I am attaching the configuration.

I am attaching a capture I did on port 80 getting to a specific page fantasy.footbo.com

This particular page (and some others) I cannot open them through the ASA, but can open them bypassing the ASA.

pcap1 is the capture from my local machine 172.16.24.150 to the page (applied to the inside interface)

pcap 2 is the capture from the NATed address to the page (applied to the outside interface)

I try reading the captures in Wireshark and it seems to be that my machine sends the SYN request, but never get a response from the server.

Why could this be?

Can I get some help in getting more information from the captures or what other troubleshooting steps can I do to resolve this?

Note: When I open the pcaps in Wireshark I get the following message: ''The capture file appears to have been cut short in the middle of a packet''

These are the commands that I've used for the captures:

CAPTURE INSIDE INTERFACE
access-list http-outbound-inside permit tcp host 172.16.24.150 host 79.125.22.215 eq 80
access-list http-outbound-inside permit tcp host 79.125.22.215 eq 80 host 172.16.24.150
capture http-outbound-inside access-list http-outbound-inside interface inside trace buffer 20000000

CAPTURE OUTSIDE INTERFACE
access-list http-outbound-outside permit tcp host 200.122.131.5 host 79.125.22.215 eq 80
access-list http-outbound-outside permit tcp host 79.125.22.215 eq 80 host 200.122.131.5
capture http-outbound-outside access-list http-outbound-outside interface outside trace buffer 20000000

Local machine: 172.16.24.150

Resolved IP for fantasy.footbo.com = 79.125.22.215

NATed address: 200.122.131.5

Also, I've tried changing my public IP address, and I get the same result.

For instance:

nat (inside) 20 172.16.24.150 255.255.255.255

global (outside) 20 interface

Also, I tried to access the pages from another ASA with similar configuration, and I do get the pages (so I know it's not a default behavior on the ASA with particular sites).

When I do a traceroute I do get out of my network to the Internet, so I don't see how it is an internal problem.

C:\Users\fcoto>tracert fantasy.footbo.com

Tracing route to 11kicks-1164740758.eu-west-1.elb.amazonaws.com [79.125.22.215]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  172.16.24.2
  2     1 ms    <1 ms     1 ms  200.122.131.1
  3     1 ms     1 ms     1 ms  201.193.214.125
  4     1 ms     2 ms     1 ms  201.193.215.29
  5     3 ms     5 ms     6 ms  201.193.89.97
  6    43 ms    44 ms    42 ms  sl-st21-mia-14-1-0.sprintlink.net [144.223.245.1
33]
  7    43 ms    43 ms    43 ms  sl-crs2-mia-0-3-0-3.sprintlink.net [144.232.2.24
1]
  8    99 ms    86 ms    67 ms  sl-crs2-dc-0-12-0-0.sprintlink.net [144.232.9.27
]
  9    66 ms    66 ms    66 ms  sl-st22-ash-12-0-0.sprintlink.net [144.232.9.123
]
10    66 ms    67 ms    66 ms  sl-tisca1-272901-0.sprintlink.net [144.223.246.9
8]
11   162 ms   166 ms   167 ms  so-1-0-0.dub10.ip4.tinet.net [89.149.187.1]
12   167 ms   168 ms   166 ms  amazon-ireland-gw.ip4.tinet.net [213.200.67.30]

13   153 ms   152 ms   162 ms  87.238.85.12
14     *        *        *     Request timed out.
15     *        *        *     Request timed out.
16     *        *     ^C
C:\Users\fcoto>

The only thing that I can think of is that those sites that we cannot reach do not want us for some reason, like they have our IP blocked.

But I can't just remove the ASA.

Any suggestions are appreciated!!!

Federico.