02-07-2013 10:50 AM - edited 03-11-2019 05:57 PM
Hi everyone,
I am trying to download drivers from HP website for a printer.
Traffic goes via ASA to the Internet.
I need to rule out if ASA is blocking or not.
Here is what I did.
On the first URL, when you click on download, the 2nd URL shows "Internet Explorer cannot display the page".
Is ASA blocking something?
thanks
mahesh
02-07-2013 10:55 AM
Hi,
The second link at least works for me and starts a file download.
I would open ASDM and go to the Monitor/Logging section and open the log window. I would then enter the LAN host IP address you are using to access the site into the section that applies the filter for the logging.
Then I would click the link to download the file and watch in the ASA logs what happens to the connections from your host.
It tries to download the file with FTP. Have you allowed FTP connections from the host to the Internet?
- Jouni
02-07-2013 12:31 PM
Hi,
I put the LAN host IP on the filter but then I see nothing in the FW logs.
It's a blank, empty page.
Thanks
Mahesh
02-07-2013 12:39 PM
Hi,
You should see the connection logs IF
I guess the most certain way to see what's going through the ASA would be to configure a capture on the ASA but this might be a bit more time consuming.
I have witnessed the ASDM side logging sometimes showing the connection logs very, very late compared to the time when you actually test some connection.
Also naturally if you want to make sure that the ASA is not blocking any connection for the host you can temporarily insert a rule on the interface ACL behind which the host is. Inserting a rule on "line 1" which permits all traffic from that host would make sure that nothing gets blocked.
But all in all, you should really see something in the logs if the connection is coming through the ASA
- Jouni
02-07-2013 02:30 PM
Hi Jouni,
I was able to find out by packet tracer that FTP is not allowed.
My PC IP is say 172.31.x.x
I ran the packet tracer choosing my source IP as PC IP and source interface as say Network
Packet tracer showed me in animation
Network ACL lookup, flow lookup, route lookup, ACL lookup are all right but on outside it shows a red X.
Under phase
Access list and Result had an X mark.
Under ACL config
it showed
access-group Network_01 in interface Network
access-list Network_01 extended deny tcp 172.16.0.0 x.x.x.x any eq ftp log
So does this ACL mean that it drops FTP traffic as it enters the Inside interface of the ASA?
Second thing to know is that my PC IP 172.31 and the ASA ACL that shows deny IP subnet 172.16 are both in different subnets and still the ACL is blocking the FTP?
Can you please explain to me how this ACL is working?
Thanks
mahesh
02-07-2013 02:44 PM
It would seem that the ACL is possibly blocking the FTP traffic
You say the networks are different but you didn't include the network mask that's in the ACL. What is the network mask x.x.x.x?
Notice that if the mask is /12 or 255.240.0.0
Then it would mean the whole private IP address range of 172.16.0.0 - 172.31.255.255
Therefore it would actually block the connections even from host 172.31.x.x as you can see
If you enter the configuration
access-list Network_01 line 1 permit tcp host 172.31.x.x any eq ftp
Then it will enter the rule to the top of the ACL. Therefore it will be the first rule matched when traffic enters that firewall interface. And it will therefore allow the FTP connection.
You could try adding that line and testing the connection again.
- Jouni
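To make the two points above concrete (the /12 mask covering 172.16.0.0 to 172.31.255.255 in Mahesh's packet-tracer result, and Jouni's note that a "line 1" entry is matched first), here is a small Python model of ASA interface-ACL evaluation. This is an added example, not code from the thread or from Cisco: it parses the subset of access-list syntax quoted above (subnet masks rather than wildcard masks, optional "line N", "eq" ports), evaluates entries top-down with first match wins, and applies the implicit deny at the end. The ACL name, the deny entry and the "line 1" permit are the ones quoted in the thread; the PC address 172.31.10.20 and the FTP server 203.0.113.10 are constructed placeholders for the masked 172.31.x.x and the HP download host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Service names accepted after "eq" (a subset of the ASA port-name table).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "www": 80, "https": 443}


@dataclass
class Ace:
    """One access control entry: protocol, source, destination, optional dest port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


def _parse_addr(toks, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' starting at toks[i].
    ASA extended ACLs take a normal subnet mask, not a wildcard mask."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_ace(line: str):
    """Parse: access-list NAME [line N] [extended] {permit|deny} PROTO SRC DST [eq PORT] [log]
    Returns (acl_name, line_number_or_None, Ace). A trailing 'log' keyword is ignored."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError("not an access-list statement")
    name, i, line_no = toks[1], 2, None
    if toks[i] == "line":
        line_no, i = int(toks[i + 1]), i + 2
    if toks[i] == "extended":
        i += 1
    action, proto, i = toks[i], toks[i + 1], i + 2
    src, i = _parse_addr(toks, i)
    dst, i = _parse_addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
    return name, line_no, Ace(action, proto, src, dst, dport)


class Acl:
    """Interface ACL with ASA semantics: top-down, first match wins, implicit deny."""

    def __init__(self, name: str):
        self.name = name
        self.entries = []

    def add(self, line: str) -> None:
        name, line_no, ace = parse_ace(line)
        if name != self.name:
            raise ValueError(f"ACE belongs to {name}, not {self.name}")
        if line_no is None:
            self.entries.append(ace)               # no 'line N': appended at the end
        else:
            self.entries.insert(line_no - 1, ace)  # 'line N': becomes entry N

    def lookup(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> Tuple[str, Optional[int]]:
        """Return (action, matching entry number); entry None means the implicit deny."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for n, e in enumerate(self.entries, start=1):
            if e.proto not in ("ip", proto):
                continue
            if src not in e.src or dst not in e.dst:
                continue
            if e.dport is not None and e.dport != dport:
                continue
            return e.action, n
        return "deny", None


def covered_range(network: str, mask: str) -> Tuple[str, str]:
    """First and last address matched by 'network mask', e.g. 172.16.0.0 255.240.0.0."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return str(net[0]), str(net[-1])


def demo():
    """Reproduce the thread: FTP from 172.31.x.x hits the /12 deny, then is
    permitted once the 'line 1' ACE is inserted above it."""
    pc, server = "172.31.10.20", "203.0.113.10"   # constructed placeholder addresses
    acl = Acl("Network_01")
    acl.add("access-list Network_01 extended deny tcp 172.16.0.0 255.240.0.0 any eq ftp log")
    acl.add("access-list Network_01 extended permit ip any any")
    before = acl.lookup("tcp", pc, server, 21)
    acl.add("access-list Network_01 line 1 permit tcp host 172.31.10.20 any eq ftp")
    after = acl.lookup("tcp", pc, server, 21)
    return before, after


if __name__ == "__main__":
    print(covered_range("172.16.0.0", "255.240.0.0"))  # ('172.16.0.0', '172.31.255.255')
    print(demo())                                       # (('deny', 1), ('permit', 1))
```

The model assumes the usual ASA rules: a "permit ip any any" at the bottom is what most inside ACLs end with, so a host outside the /12 (say 172.32.0.1) falls through to it, while an ACL with no permit at all ends in the implicit deny. Only "eq" ports are handled; range, gt/lt and object-groups are out of scope for the entries quoted in the thread.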
02-07-2013 02:59 PM
Hi Jouni,
Mask is 255.240.0.0. You are right, so it will block the whole subnet from 172.16 to 172.31.0.0.
You are very good with firewalls.
Unfortunately I cannot configure any changes on the ASA to test the ACL.
Many thanks for helping me out.
Best regards
Mahesh