To check if url is allowed by ASA

mahesh18
Level 6

Hi everyone,

I am trying to download drivers from HP website for a printer.

Traffic goes via ASA  to the Internet.

I need to rule out if ASA is blocking  or not.

Here is what I did:

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=3644759&prodTypeId=18972&prodSeriesId=3644758&swLang=8&taskId=135&swEnvOID=4063#78266

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDownloadEventHandler.jsp?redirectReason=SWD_FTP_Request&swItem=ds-99376-4&prodSeriesId=3644758&prodLine=6A&targetPage=ftp%3A%2F%2Fftp.hp.com%2Fpub%2Fsoftlib%2Fsoftware12%2FCOL40842%2Fds-99376-4...

On the first URL, when you click on download, the 2nd URL shows "Internet Explorer cannot display the page."

Is the ASA blocking something?

thanks

mahesh

6 Replies

Jouni Forss
VIP Alumni

Hi,

The second link at least works for me and starts a file download.

I would open ASDM and go to the Monitor/Logging section and open the log window. I would then enter the LAN host IP address you are using to access the site into the section that applies the filter for the logging.

Then I would click the link to download the file and watch in the ASA logs what happens to the connections from your host.

It tries to download the file with FTP. Have you allowed FTP connections from the host to the Internet?

- Jouni

Hi,

I put the LAN host IP in the filter, but then I see nothing in the FW logs.

It's a blank, empty page.

thanks

Mahesh

Hi,

You should see the connection logs IF:

  • The connection is coming all the way to the ASA
  • There is nothing blocking the traffic in between the user and the ASA
  • You have set the ASDM logging level to at least "informational"
    • logging asdm informational
  • You have not disabled some logging messages
    • You should get a list of the disabled log messages with the "show run logging" command on the CLI of the ASA

I guess the most certain way to see what's going through the ASA would be to configure a capture on the ASA, but this might be a bit more time consuming.

I have witnessed the ASDM side logging sometimes showing the connection logs very, very late compared to the time when you actually test some connection.

Also, naturally, if you want to make sure that the ASA is not blocking any connection for the host, you can temporarily insert a rule on the interface ACL behind which the host is. Inserting a rule on "line 1" which permits all traffic from that host would make sure that nothing gets blocked.

But all in all, you should really see something in the logs if the connection is coming through the ASA.

- Jouni

Hi Jouni,

I was able to find out by packet tracer that FTP is not allowed.

My PC IP is, say, 172.31.x.x.

I ran the packet tracer choosing my source IP as the PC IP and the source interface as, say, Network.

Packet tracer showed me in animation:

Network ACL lookup, flow lookup, route lookup, ACL lookup are all right, but on outside it shows a red X.

Under phase, Access list and Result had an X mark.

Under ACL config it showed

access-group Network_01 in  interface Network

access-list Network_01 extended deny tcp 172.16.0.0 x.x.x.x any eq ftp log

So does this ACL mean that it drops FTP traffic as it enters the Inside interface of the ASA?

The second thing to know is that my PC IP 172.31 and the ASA ACL that shows deny IP subnet 172.16 are both in different subnets, and still the ACL is blocking the FTP?

Can you please explain to me how this ACL is working?

Thanks

mahesh

It would seem that the ACL is possibly blocking the FTP traffic.

You say the networks are different, but you didn't include the network mask that's in the ACL. What is the network mask x.x.x.x?

Notice that if the mask is /12 or 255.240.0.0,

then it would mean the whole private IP address range of 172.16.0.0 - 172.31.255.255.

Therefore it would actually block the connections even from host 172.31.x.x, as you can see.

If you enter the configuration

access-list Network_01 line 1 permit tcp host 172.31.x.x any eq ftp

Then it will enter the rule to the top of the ACL. Therefore it will be the first rule matched when traffic enters that firewall interface. And it will therefore allow the FTP connection.

You could try adding that line and testing the connection again.

- Jouni
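The ACL logic Jouni describes (a 255.240.0.0 mask covering everything from 172.16.0.0 to 172.31.255.255, and "line 1" placing a permit ahead of the existing deny so it is matched first) worked through as an added example; this is not Cisco's code nor anything posted in the thread. The PC address 172.31.10.20 and the FTP server 192.0.2.10 are assumed placeholders for the "172.31.x.x" host and ftp.hp.com.

```python
import ipaddress

# Constructed input: the two ACEs quoted in the thread, with the mask the poster
# later confirmed (255.240.0.0), an assumed host for "172.31.x.x" and a TEST-NET
# placeholder for the FTP server. Example code, not Cisco's or the poster's.
PC_IP, FTP_SERVER = "172.31.10.20", "192.0.2.10"
DENY_LINE = "access-list Network_01 extended deny tcp 172.16.0.0 255.240.0.0 any eq ftp log"
PERMIT_LINE = f"access-list Network_01 line 1 permit tcp host {PC_IP} any eq ftp"

def _addr(tok, i):
    """Consume one address spec (any | host A | A MASK); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ASA ACEs carry a real netmask (255.240.0.0), not an IOS-style wildcard mask
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def add_ace(acl, line):
    """Parse one ACE (the syntax subset used in this thread) and insert it the way the
    ASA does: 'line N' puts it at 1-based position N, otherwise it goes to the end."""
    tok, pos = line.split(), None
    i = 2                                       # skip 'access-list <name>'
    if tok[i] == "line":
        pos, i = int(tok[i + 1]), i + 2
    if tok[i] == "extended":
        i += 1
    action, proto, i = tok[i], tok[i + 1], i + 2
    src, i = _addr(tok, i)
    dst, i = _addr(tok, i)
    dport = {"ftp": 21}.get(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    ace = {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}
    acl.insert(len(acl) if pos is None else pos - 1, ace)
    return acl

def lookup(acl, proto, src_ip, dst_ip, dport):
    """First-match evaluation, ending in the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if (ace["proto"] in (proto, "ip") and s in ace["src"] and d in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"]
    return "implicit-deny"

def before_and_after():
    """PC -> FTP server on port 21: verdict before and after the line-1 permit."""
    acl = add_ace([], DENY_LINE)
    before = lookup(acl, "tcp", PC_IP, FTP_SERVER, 21)
    return before, lookup(add_ace(acl, PERMIT_LINE), "tcp", PC_IP, FTP_SERVER, 21)
```

Because the deny ACE carries the "log" keyword, a real ASA would also emit a syslog message for the dropped flow, which is the entry Jouni expected to see in the ASDM log window.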

Hi Jouni,

Mask is 255.240.0.0. You are right, so it will block the whole subnet from 172.16 to 172.31.0.0.

You are very good with firewalls.

Unfortunately I cannot configure any changes on the ASA to test the ACL.

Many thanks for helping me out.

Best regards

Mahesh
