Unable to access certain websites for one PC

Simon.peters1
Level 1

Hello all,

I have a PC that is unable to access a couple of websites; others on the same LAN are able to via the same Cisco 5505 ASA. The sites in question are hosted at the same location via a DMZ on the ASA.

I have connected the PC to a mobile device and it can access them OK, so I know it's the ASA stopping the access.

 

In the monitoring tool it appears to be tearing down the connections as below.

 

Teardown TCP connection translation from 192.168.1.xx/55612 to outside:109.204.xx.xx /56162

 

 

As I have said, other PCs can access it OK, so I am a little confused.

 

Any pointers?

 

Many thanks!


11 Replies

Hi @Simon.peters1

This must be easy. Look at the NAT statement. There must be an ACL permitting the IP range that can be NATed, and your IP may not be in the range.

You can share the firewall config for further assistance as well.

 

 

 

-If I helped you somehow, please, rate it as useful.-

Use the packet tracer tool to simulate the traffic through the ASA based on source, destination and interface to see what is denying it.

Please remember to rate useful posts by clicking on the stars below.

Hi,

 

Thanks for the reply.

 

ASA Version 9.0(1)
!
hostname ASA
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.168 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 109.204.xx.xx 255.255.255.252
!
interface Vlan3
 nameif dmz
 security-level 10
 ip address 172.16.1.168 255.255.0.0
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network dmz-net
 subnet 172.16.0.0 255.255.0.0
object network Inside-NAT
object network OBJ-net-inside
 subnet 192.168.1.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_in extended permit icmp any any echo
access-list outside_in extended permit icmp any any echo-reply
access-list dmz_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network inside-net
 nat (inside,outside) dynamic interface
object network dmz-net
 nat (dmz,outside) dynamic interface
access-group outside_in in interface outside
access-group dmz_out in interface dmz
access-group dmz_out out interface dmz
route outside 0.0.0.0 0.0.0.0 109.204.77.141 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username User password test privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d233f486dcef262bab1c4900ba50c37f
: end
asdm image disk0:/asdm-711-52.bin
no asdm history enable

 

Regards,

As per your output my assumption is not correct. I thought you could be using an IP address out of the NAT range, but as per the config, the NAT statement uses the whole /24 network.

I recommend you open up the ASDM log page, filter by your IP address and try to access the internet. Then you can confirm whether the ASA is blocking you or not.

Looks like this is not a firewall problem.

As an aside, take a look at your browser and make sure you don't have a proxy manually configured.

 

-If I helped you somehow, please, rate it as useful.-

Hi,

 

Sorry I have done the logging thing and the firewall is blocking it. I will post a reply with the log shortly.

 

Thanks!

In the log I am getting the below.

 

Teardown TCP Connection 863250 for outside : 109.204.xx.xx /80 to inside 192.168.xx.xx/62348 SYN Timeout

 

Teardown dyamic TCP translation from Inside: 192.168.xx.xx /62301 to outside : 109.204.xx.xx/62301

 

 

Regards

Unfortunately these logs do not help too much. But let's do one thing.

To get the validation for this, run this command:

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed]

 

packet-tracer input Vlan1 tcp 192.168.1.X 1025 200.221.2.45 443 detailed

 

The IP 200.221.2.45 is a website; you can use any one on the internet if you know some.

Show the output here.

 

-If I helped you somehow, please, rate it as useful.-

 

Hello,

 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 109.204.xx.xx 255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 109.204.xx.xx 255.255.255.255 identity

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
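As an added example (my code, not from this thread or from Cisco), a short Python parser for the two kinds of output quoted above: the teardown syslog lines from the earlier reply and the packet-tracer phases ending in the drop reason. The sample input is constructed from the masked lines posted in this thread; the inside host addresses are made up.

```python
import re

# Constructed sample: the packet-tracer output quoted in the thread (masked IP kept as posted).
PACKET_TRACER_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in 109.204.xx.xx 255.255.255.255 identity

Result:
input-interface: inside
Action: drop
Drop-reason: (no-route) No route to host
"""
# Constructed syslog lines modelled on the teardown messages quoted in the thread.
LOG_LINES = [
    "Teardown TCP connection 863250 for outside:109.204.xx.xx/80 to inside:192.168.1.20/62348 SYN Timeout",
    "Teardown dynamic TCP translation from inside:192.168.1.20/62301 to outside:109.204.xx.xx/62301",
    "Teardown TCP connection 863251 for outside:8.8.8.8/443 to inside:192.168.1.21/50000 TCP FINs",
]

def parse_packet_tracer(text):
    """Return ([(phase_no, type, result), ...], verdict) from packet-tracer output."""
    phases, verdict = [], {}
    for block in text.strip().split("\n\n"):   # one block per phase; the last block is the verdict
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "Phase" in fields:
            phases.append((int(fields["Phase"]), fields["Type"], fields["Result"]))
        elif "Action" in fields:
            code = re.match(r"\((\S+)\)", fields.get("Drop-reason", ""))  # e.g. "(no-route) ..."
            verdict = {"action": fields["Action"], "drop_code": code.group(1) if code else None}
    return phases, verdict

ENDPOINT = r"([\w-]+)\s*:\s*([\d.xX]+)\s*/\s*(\d+)"   # interface:ip/port, tolerating masked octets
TEARDOWN_RE = re.compile(r"Teardown (?:dynamic )?TCP (connection|translation)(?: (\d+))?"
                         r"(?: for| from) " + ENDPOINT + r" to " + ENDPOINT + r"\s*(.*)$", re.I)
def parse_teardown(line):
    """Parse one ASA teardown message into a dict; None if the line has another shape."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    kind, conn_id, if_a, ip_a, port_a, if_b, ip_b, port_b, reason = m.groups()
    return {"kind": kind.lower(), "conn_id": conn_id, "a": (if_a, ip_a, int(port_a)),
            "b": (if_b, ip_b, int(port_b)), "reason": reason.strip() or None}

def syn_timeouts_for(lines, host):
    """Connections involving `host` that the ASA closed because no SYN-ACK ever came back."""
    return [r for r in map(parse_teardown, lines) if r and r["kind"] == "connection"
            and r["reason"] == "SYN Timeout" and host in (r["a"][1], r["b"][1])]
```

Run over a real ASDM or syslog export, `syn_timeouts_for` isolates the flows of one host that were torn down without any reply, which is the pattern the thread is chasing.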

Nice.

If it worked, don't forget to change it to "solved" and help others find the solution.

 

 

 

-If I helped you somehow, please, rate it as useful.-

No route to host for some reason. I can't see the issue though.

 

Thanks

If you are trying to access some IP on the Internet, then you should be using the default route of the firewall:

 

route outside 0.0.0.0 0.0.0.0 109.204.77.141

This means all IP addresses, as you may already know.

If you try a traceroute command to the target IP, are you being sent to the outside interface?

 

 

 

-If I helped you somehow, please, rate it as useful.-
