Some websites not opening through CISCO ASA

viveks1976
Level 1

Hello,

I am using CISCO ASA 5585.

While most of the sites are working fine, I am unable to browse one particular website.

I captured the packets against the solution provided for "MSS Exceeded" but didn't find any packets captured against the match. So, the problem might not be pertaining to this.

I used packet tracer and found that it is being dropped due to some access-list configuration, though no implicit rule was shown in the context.

The relevant output for it is produced below:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffdae3ab750, priority=500, domain=permit, deny=true
    hits=6, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=any

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Now I don't know how to troubleshoot the problem. This is a pressing problem as the concerned site is one of the most sought-after portals for my users. The website is working fine outside the firewall.

Thank you,

Vivek

7 Replies

Marvin Rhoads
Hall of Fame

The "Implicit Rule" reason for a drop usually means there is a rule (ACL) configured to allow certain flows and the flow in question does not match any entry in that ACL and is thus hitting the implicit deny at the end of any ASA ACL.

Can you share the full ACL applied to the inside interface and the destination address for the flow?

Under the specific ISP context, the relevant access-list is:

access-list INSIDE_access_in_1; 1 elements; name hash: 0x2d6abae2
access-list INSIDE_access_in_1 line 1 extended permit ip object OBJ_192.168.0.0_17 any (hitcnt=53805461) 0xa877acd6
access-list INSIDE_access_in_1 line 1 extended permit ip 192.168.0.0 255.255.0.0 any (hitcnt=53805461) 0xa877acd6

You're not providing enough information to allow us to help.

If you are able to share:

1. The complete access-list (plus any objects it references and the access-group command showing it is applied).

2. The source and destination IP addresses of the traffic that is being blocked.

3. Confirmation that there is no service module (ips, cxsc or sfr) that might have a policy blocking the traffic.

...then we can properly analyze and reply.

As such, a lot of objects have been configured, but I am not sure if all are relevant.

As per the information sought by you and my understanding of the subject, I find the following information relevant in the context:

-------------------------------------------------------------------------------

access-groups are as follows:

access-group OUTSIDE_access in interface OUTSIDE
access-group INSIDE_access_in_1 in interface INSIDE
access-group DMZ-ACCESS-IN in interface DMZ

-------------------------------------------------------------------------------

FW-1/sec/ISP1/act# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list IPS; 1 elements; name hash: 0xa788d41c
access-list IPS line 1 extended permit ip any any (hitcnt=118334678) 0x6a3ab3b9
access-list OUTSIDE_access; 11 elements; name hash: 0xed8c80f3
access-list OUTSIDE_access line 1 extended permit object-group Mail-Server-Ports any4 object Drdo-Mail (hitcnt=0) 0x3a9cf81e
access-list OUTSIDE_access line 1 extended permit tcp any4 host 172.16.255.50 eq 993 (hitcnt=0) 0xbe78ec8a
access-list OUTSIDE_access line 1 extended permit tcp any4 host 172.16.255.50 range 4445 4510 (hitcnt=0) 0x7edf6fd5
access-list OUTSIDE_access line 1 extended permit tcp any4 host 172.16.255.50 eq 995 (hitcnt=0) 0x04958750
access-list OUTSIDE_access line 1 extended permit tcp any4 host 172.16.255.50 eq www (hitcnt=0) 0xf324dc48
access-list OUTSIDE_access line 1 extended permit tcp any4 host 172.16.255.50 eq https (hitcnt=0) 0xc0dd89ca
access-list OUTSIDE_access line 1 extended permit tcp any4 host 172.16.255.50 eq imap4 (hitcnt=0) 0xf02b97ad
access-list OUTSIDE_access line 1 extended permit tcp any4 host 172.16.255.50 eq pop3 (hitcnt=0) 0x6382b944
access-list OUTSIDE_access line 2 extended permit ip any object-group DM_INLINE_NETWORK_1 (hitcnt=0) 0xc28bdfd7
access-list OUTSIDE_access line 2 extended permit ip any host 192.168.0.254 (hitcnt=0) 0x39f64a17
access-list OUTSIDE_access line 2 extended permit ip any host 112.133.233.254 (hitcnt=0) 0xf045bc75
access-list OUTSIDE_access line 3 extended permit ip any object-group DM_INLINE_NETWORK_2 (hitcnt=8683) 0xa3d69cf4
access-list OUTSIDE_access line 3 extended permit ip any host 192.168.0.253 (hitcnt=8683) 0x33c76d4d
access-list OUTSIDE_access line 3 extended permit ip any host 112.133.233.253 (hitcnt=0) 0x8e4fde1d
access-list DMZ-ACCESS-IN; 1 elements; name hash: 0x8536db22
access-list DMZ-ACCESS-IN line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x38272d2b
access-list INSIDE_access_in_1; 1 elements; name hash: 0x2d6abae2
access-list INSIDE_access_in_1 line 1 extended permit ip object OBJ_192.168.0.0_17 any (hitcnt=59157817) 0xa877acd6
access-list INSIDE_access_in_1 line 1 extended permit ip 192.168.0.0 255.255.0.0 any (hitcnt=59157818) 0xa877acd6

-------------------------------------------------------------------------------

Referenced Objects and Object groups

FW-1/sec/ISP1/act# show run object-group id Mail-Server-Ports
object-group service Mail-Server-Ports
service-object object IMAP-TLS-SSL
service-object object MAil-serevr-Dis-Ports
service-object object POP3-TLS-SSL
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
FW-1/sec/ISP1/act# show run object id Drdo-Mail
object network Drdo-Mail
host 172.16.255.50
FW-1/sec/ISP1/act# show run object-group id DM_INLINE_NETWORK_1
object-group network DM_INLINE_NETWORK_1
network-object object HQ-VC
network-object object HQ_VC_pub
FW-1/sec/ISP1/act# show run object-group id DM_INLINE_NETWORK_2
object-group network DM_INLINE_NETWORK_2
network-object object Director_VC
network-object object Director_VC_pub
FW-1/sec/ISP1/act# show run object id OBJ_192.168.0.0_17
object network OBJ_192.168.0.0_17
subnet 192.168.0.0 255.255.0.0
FW-1/sec/ISP1/act#

--------------------------------------------------------------------------

The LAN network is on 192.168.0.0/16

with source IP of 192.168.0.2 and destination IP of 164.100.78.35

We are trying to access a website hosted on this IP. From other networks it is accessible, but the firewall is dropping the connection here.

---------------------------------------------------------------------------

IPS service module is installed but I don't know how to check more details on it. I could find something related to class-map and policy-map as follows in the configuration:

class-map IPS
match access-list IPS
class-map TTL
match access-list IPS
class-map inspection-default
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map TTL
class TTL
set connection decrement-ttl
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect dns
inspect icmp error
class IPS
ips inline fail-open
class class-default
user-statistics accounting
!
service-policy global_policy global
service-policy TTL interface INSIDE

I am not sure if it is relevant to IPS configuration.

----------------------------------------------------------------------------------------

I am still not sure if this information is complete or any other information is required. Kindly assist if you have the full information; else, do revert if any other information is required.

Would be glad to see something.

Thanking you.

That all looks OK.

Can you confirm that you used the following packet-tracer command:

packet-tracer input inside tcp 192.168.0.2 1025 164.100.78.35 80

(or 443 or whatever port the web server is configured for)?

If I use the command shared by you, I don't get the DROP anywhere. It's all through. I used the following command (and got the output as indicated in my original mail):

packet-tracer input inside tcp 192.168.0.2 0 164.100.78.35 80

I thought port 0 indicated 'any' port. Since we don't know what the source port address for the request is, I used 0 for it.

I hope you can guide me to the solution.

Thanking you.

Hi Vivek,

Port 0 is only used in programming APIs; don't use it.

Instead, use any port above 1024.

thanks
