03-03-2010 09:30 AM - edited 03-11-2019 10:17 AM
Hi,
This is a strange situation.
I cannot open some web pages on the Internet through the ASA. If I bypass the ASA I can open all the pages.
There's no HTTP inspection on the ASA enabled.
I am attaching the configuration.
I am attaching a capture I did on port 80 getting to a specific page fantasy.footbo.com
This particular page (and some others) I cannot open through the ASA, but I can open them bypassing the ASA.
pcap1 is the capture from my local machine 172.16.24.150 to the page (applied to the inside interface)
pcap2 is the capture from the NATed address to the page (applied to the outside interface)
I tried reading the captures in Wireshark, and it seems that my machine sends the SYN request but never gets a response from the server.
Why could this be?
Can I get some help in getting more information from the captures or what other troubleshooting steps can I do to resolve this?
Note: When I open the pcaps in Wireshark I get the following message: ''The capture file appears to have been cut short in the middle of a packet''
These are the commands that I've used for the captures:
CAPTURE INSIDE INTERFACE
access-list http-outbound-inside permit tcp host 172.16.24.150 host 79.125.22.215 eq 80
access-list http-outbound-inside permit tcp host 79.125.22.215 eq 80 host 172.16.24.150
capture http-outbound-inside access-list http-outbound-inside interface inside trace buffer 20000000
CAPTURE OUTSIDE INTERFACE
access-list http-outbound-outside permit tcp host 200.122.131.5 host 79.125.22.215 eq 80
access-list http-outbound-outside permit tcp host 79.125.22.215 eq 80 host 200.122.131.5
capture http-outbound-outside access-list http-outbound-outside interface outside trace buffer 20000000
Local machine: 172.16.24.150
Resolved IP for fantasy.footbo.com = 79.125.22.215
NATed address: 200.122.131.5
Also, I've tried changing my public IP address, and I get the same result.
For instance:
nat (inside) 20 172.16.24.150 255.255.255.255
global (outside) 20 interface
Also, I tried to access the pages from another ASA with similar configuration, and I do get the pages (so I know it's not a default behavior on the ASA with particular sites).
When I do a traceroute I do get out of my network to the Internet, so I don't see how it is an internal problem.
C:\Users\fcoto>tracert fantasy.footbo.com
Tracing route to 11kicks-1164740758.eu-west-1.elb.amazonaws.com [79.125.22.215]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 172.16.24.2
2 1 ms <1 ms 1 ms 200.122.131.1
3 1 ms 1 ms 1 ms 201.193.214.125
4 1 ms 2 ms 1 ms 201.193.215.29
5 3 ms 5 ms 6 ms 201.193.89.97
6 43 ms 44 ms 42 ms sl-st21-mia-14-1-0.sprintlink.net [144.223.245.133]
7 43 ms 43 ms 43 ms sl-crs2-mia-0-3-0-3.sprintlink.net [144.232.2.241]
8 99 ms 86 ms 67 ms sl-crs2-dc-0-12-0-0.sprintlink.net [144.232.9.27]
9 66 ms 66 ms 66 ms sl-st22-ash-12-0-0.sprintlink.net [144.232.9.123]
10 66 ms 67 ms 66 ms sl-tisca1-272901-0.sprintlink.net [144.223.246.98]
11 162 ms 166 ms 167 ms so-1-0-0.dub10.ip4.tinet.net [89.149.187.1]
12 167 ms 168 ms 166 ms amazon-ireland-gw.ip4.tinet.net [213.200.67.30]
13 153 ms 152 ms 162 ms 87.238.85.12
14 * * * Request timed out.
15 * * * Request timed out.
16 * * ^C
C:\Users\fcoto>
The only thing that I can think of is that those sites that we cannot reach do not want us for some reason, like they have our IP blocked.
But I can't just remove the ASA.
Any suggestions are appreciated!!!
Federico.
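The Wireshark reading the post describes (SYN sent, no SYN/ACK back) can be checked programmatically. The following is an added example, not code from the thread or from Cisco: a dependency-free pcap reader that lists TCP flows whose SYN was never answered, and that tolerates a final record cut short in the middle of a packet, as the poster's files were. The capture bytes are constructed inline to mirror the scenario (172.16.24.150 to 79.125.22.215:80 unanswered); the second server address 198.51.100.7 and the ports are made up.

```python
import struct
LINKTYPE_ETHERNET, LINKTYPE_IPV4, SYN, ACK = 1, 228, 0x02, 0x10

def ip_tcp(src, dst, sport, dport, flags):
    """Minimal IPv4+TCP headers (checksums left zero; enough for header parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def pcap(frames, truncate_last=0):
    """Classic pcap with LINKTYPE_IPV4 frames; truncate_last>0 cuts the final record short."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IPV4)
    for i, f in enumerate(frames):
        rec = struct.pack("<IIII", i, 0, len(f), len(f)) + f
        out += rec[:-truncate_last] if truncate_last and i == len(frames) - 1 else rec
    return out

def unanswered_syns(data):
    """Return flows (src, sport, dst, dport) whose SYN never received a SYN/ACK."""
    endian = "<" if struct.unpack_from("<I", data)[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    l2 = 14 if struct.unpack_from(endian + "I", data, 20)[0] == LINKTYPE_ETHERNET else 0
    syns, synacks, off = set(), set(), 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "IIII", data, off)[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < caplen:          # file cut short mid-packet: skip it, don't crash
            break
        ip = frame[l2:]
        ihl = (ip[0] & 0x0F) * 4 if ip else 0
        if len(ip) < ihl + 14 or ip[0] >> 4 != 4 or ip[9] != 6:
            continue                     # not IPv4/TCP, or TCP header cut off
        tcp = ip[ihl:]
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        sport, dport = struct.unpack_from("!HH", tcp)
        flags = tcp[13]
        if flags & SYN and not flags & ACK:
            syns.add((src, sport, dst, dport))
        elif flags & SYN and flags & ACK:
            synacks.add((dst, dport, src, sport))   # keyed from the client's side
    return sorted(syns - synacks)

# Constructed sample mirroring the post: the SYN to 79.125.22.215:80 is never answered, a
# control flow to a made-up server (198.51.100.7) completes, and the last record is cut short.
SAMPLE = pcap([
    ip_tcp("172.16.24.150", "79.125.22.215", 51000, 80, SYN),
    ip_tcp("172.16.24.150", "198.51.100.7", 51001, 80, SYN),
    ip_tcp("198.51.100.7", "172.16.24.150", 80, 51001, SYN | ACK),
    ip_tcp("172.16.24.150", "79.125.22.215", 51000, 80, SYN),   # retransmit, truncated
], truncate_last=10)
```

Running the same function over the inside and outside captures separately shows whether the SYN leaves the ASA at all (visible on the outside capture) or whether only the reply is missing, which is what separates an ASA drop from an upstream block.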
03-03-2010 01:51 PM
my msn is diegocambronero@hotmail.com
03-03-2010 01:54 PM
Thank you!
I'll add you in a moment...
I sent you the current config and the ASP drops.
Federico.
03-03-2010 04:55 PM
Hi,
It is not easy to see the results of ''sh asp drop'' because there's too much traffic passing through the ASA: if I clear the asp drop table, attempt to connect to any of those websites, and then check ''sh asp drop'' again, all the counters have incremented in some way.
Is there another way to look at the asp drop behavior in a more specific way?
Thank you,
Federico.
03-08-2010 07:54 AM
Hi Diego,
Thank you for all your help.
We've found out that the ASA is not the problem, since we connected a computer to the external switch (where the outside IP of the ASA is connected), gave it a public IP from the same range, and the problem persisted with the pages.
When I said that we did not experience the problem when bypassing the ASA, it was because at the same location we had an ADSL connection (with a totally different range of public IPs).
If we try getting to those pages from the same range of IPs as the ASA (even bypassing the ASA), the problem persists.
This tells us that the problem definitely has to be with the public IPs, correct?
The ISP is no help at all!
Federico.
03-08-2010 07:57 AM
Correct.
-KS