10-31-2019 11:34 AM - edited 02-21-2020 09:39 AM
I am working with an old ASA 5505 version 8.4(3). On this ASA there are three interfaces: Public [VLAN 10] 172.16.0.1/24, Private [VLAN 5] 172.16.1.1/24 and Outside [VLAN1] External IP. If I plug my laptop into a switch on the Private interface I can get to this external website (hosted by an outside company). When I connect my laptop to the Public interface I get a website timed out error. I captured session information from my laptop using Fiddler for both networks. On Public I see the HTTP request timed out and it was not able to authenticate with the site certificate. Looking at the firewall we are using deprecated protocols and ciphers. I would update the firewall with the latest firmware but there is no service contract.
All I am asking is: could the reason we cannot navigate to the site on the Public interface be that the firewall is using old ciphers/protocols? If so, how is it possible that one interface is using one suite while another is using something different? If not, what else could be blocking the site on the firewall?
I say it's the firewall because I am testing with a laptop that has no AV, Windows firewall disabled, no other software and it's not on the domain. It's not software on the computers causing the problem.
Currently the ASA can only support SSL 3.0/TLS 1.0 because no one ever updated the device.
I ran a packet capture on the firewall and saw traffic going from my computer through the Public interface but nothing from/to the Outside interface from the external site. Something has to be blocking traffic on the firewall but I don't know what it is.
**EDIT** Here is part of my config and the result of a packet-tracer:
```
interface Vlan2
 nameif private
 security-level 50
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan3
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.224
!
interface Vlan10
 nameif public
 security-level 100
 ip address 172.16.0.254 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network public-net
 subnet 172.16.0.0 255.255.255.0
object network outside-nat
 host 1.1.1.1
object network private_10.0.2.0
 subnet 10.0.2.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu private 1500
mtu outside 1500
mtu public 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
object network public-net
 nat (public,outside) dynamic interface
object network private_10.0.2.0
 nat (private,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
```
And here is the packet tracer:
```
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network public-net
 nat (public,outside) dynamic interface
Additional Information:
Dynamic translate 172.16.0.22/443 to 1.1.1.1/261

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 158038629, packet dispatched to next module

Result:
input-interface: public
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
```
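Reading a packet-tracer dump by eye gets error-prone once a forum has flattened it onto one line. The Python below is an added example, not code from the thread or from Cisco: it splits packet-tracer output into its phase blocks and the trailing result block, so the deciding phase (the first one whose Result is not ALLOW), the NAT translation and the final Action can be pulled out programmatically. The embedded sample is the trace quoted above, reconstructed one field per line and abridged to phases 2, 4 and 6; the field names and the "translate X to Y" wording are taken from that output, everything else is this example's own.

```python
import re
from typing import Any, Dict, Optional, Tuple

# Constructed sample: the packet-tracer output quoted in the post, restored to one
# field per line (the forum flattened it) and abridged to phases 2, 4 and 6.
SAMPLE_TRACE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network public-net
 nat (public,outside) dynamic interface
Additional Information:
Dynamic translate 172.16.0.22/443 to 1.1.1.1/261

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 158038629, packet dispatched to next module

Result:
input-interface: public
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")
NAT_RE = re.compile(r"translate\s+(\S+)\s+to\s+(\S+)")
MULTILINE_FIELDS = ("Config", "Additional Information")

def parse_phase(block: str) -> Dict[str, Any]:
    """Parse one 'Phase: N' block; Config and Additional Information may span lines."""
    lines = block.splitlines()
    phase: Dict[str, Any] = {"phase": int(PHASE_RE.match(lines[0]).group(1))}
    phase.update({name: [] for name in MULTILINE_FIELDS})
    current: Optional[str] = None  # multi-line field currently being collected
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key in MULTILINE_FIELDS:
                current = key
                if value:
                    phase[key].append(value)
            else:
                phase[key] = value
                current = None
        elif current is not None and line.strip():
            phase[current].append(line.strip())
    return phase

def parse_summary(block: str) -> Dict[str, str]:
    """Parse the trailing 'Result:' block (interfaces, Action and, on a drop, Drop-reason)."""
    summary = {}
    for line in block.splitlines()[1:]:  # skip the bare "Result:" header line
        key, _, value = line.partition(":")
        summary[key.strip()] = value.strip()
    return summary

def parse_packet_tracer(text: str) -> Dict[str, Any]:
    """Blocks are separated by blank lines; 'Phase:' blocks are phases, 'Result:' is the summary."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    return {
        "phases": [parse_phase(b) for b in blocks if b.startswith("Phase:")],
        "summary": next((parse_summary(b) for b in blocks if b.startswith("Result:")), {}),
    }

def first_drop(trace: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """The first phase whose Result is not ALLOW, i.e. the one that stopped the packet."""
    return next((p for p in trace["phases"] if p.get("Result") != "ALLOW"), None)

def nat_translation(trace: Dict[str, Any]) -> Optional[Tuple[str, str]]:
    """(original, translated) address/port pair reported by the NAT phase, if any."""
    for p in trace["phases"]:
        if p.get("Type") == "NAT":
            for line in p["Additional Information"]:
                m = NAT_RE.search(line)
                if m:
                    return m.group(1), m.group(2)
    return None

if __name__ == "__main__":
    t = parse_packet_tracer(SAMPLE_TRACE)
    print(nat_translation(t), t["summary"].get("Action"), first_drop(t))
```

On the trace above `first_drop` returns None and the summary Action is allow, which is the same conclusion the poster reached: the ASA's own forwarding decision for this flow is a permit, so the place to look next is whether anything comes back on the outside interface rather than the ASA's rule set.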
11-01-2019 04:48 AM
Your ASA configuration appears correct from what you've shared.
Its older software and inability to support newer ciphers only affects traffic that terminates on the ASA itself - not anything going THROUGH the ASA.
How is it set up physically? i.e., is your public VLAN 10 traffic connecting to the ASA via a trunk or on a dedicated interface?
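The reply above judges the configuration correct by inspection. As an added example (not code from the thread or from Cisco), the Python below makes that judgement mechanically: it parses the interface, object network, NAT and route lines of an ASA running-config and checks the three things a host behind an inside interface needs to reach the internet through the ASA: an interface at security-level 0, a default route out of it, and a NAT rule whose source object covers the inside interface's own subnet. The sample config is the fragment the poster quoted, re-split one command per line and trimmed to the lines the checker reads; the parser only understands the command forms that appear in it.

```python
import ipaddress
from typing import Any, Dict, List

# Constructed sample: the configuration fragment quoted in the post, re-split one command
# per line and trimmed to the interface, object, NAT, access-group and route lines.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif private
 security-level 50
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan3
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.224
!
interface Vlan10
 nameif public
 security-level 100
 ip address 172.16.0.254 255.255.255.0
!
object network public-net
 subnet 172.16.0.0 255.255.255.0
object network outside-nat
 host 1.1.1.1
object network private_10.0.2.0
 subnet 10.0.2.0 255.255.255.0
access-list outside_access_in extended permit ip any any
object network public-net
 nat (public,outside) dynamic interface
object network private_10.0.2.0
 nat (private,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
"""

def parse_config(text: str) -> Dict[str, Any]:
    """Pull interfaces, network objects (with their NAT rules) and static routes out of
    an ASA running-config. Indented lines belong to the preceding interface/object."""
    interfaces: List[Dict[str, Any]] = []
    objects: Dict[str, Dict[str, Any]] = {}
    routes: List[Dict[str, Any]] = []
    ctx = None  # (kind, entry) for the interface/object block being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            ctx = None
            continue
        parts = line.split()
        if line.startswith(" ") and ctx is not None:
            kind, entry = ctx
            if kind == "interface":
                if parts[0] == "nameif":
                    entry["nameif"] = parts[1]
                elif parts[0] == "security-level":
                    entry["security_level"] = int(parts[1])
                elif parts[:2] == ["ip", "address"]:
                    entry["network"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
            else:  # object network
                if parts[0] == "subnet":
                    entry["network"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
                elif parts[0] == "host":
                    entry["network"] = ipaddress.ip_network(parts[1])
                elif parts[0] == "nat":
                    src, dst = parts[1].strip("()").split(",")
                    entry["nat"].append((src, dst, " ".join(parts[2:])))
            continue
        if parts[0] == "interface":
            entry = {"name": parts[1], "nameif": None, "security_level": None, "network": None}
            interfaces.append(entry)
            ctx = ("interface", entry)
        elif parts[:2] == ["object", "network"]:
            # the same object may be declared twice (subnet first, nat later); merge them
            entry = objects.setdefault(parts[2], {"network": None, "nat": []})
            ctx = ("object", entry)
        else:
            ctx = None
            if parts[0] == "route":
                routes.append({"iface": parts[1], "gateway": parts[4],
                               "network": ipaddress.ip_network(f"{parts[2]}/{parts[3]}")})
    return {"interfaces": interfaces, "objects": objects, "routes": routes}

def audit(cfg: Dict[str, Any]) -> List[str]:
    """Check for a security-level 0 interface, a default route out of it, and a NAT rule
    from every addressed inside interface to it. Returns a list of findings (empty = ok)."""
    outside = [i for i in cfg["interfaces"] if i["security_level"] == 0]
    if not outside:
        return ["no interface with security-level 0 (outside)"]
    out_name = outside[0]["nameif"]
    findings = []
    if not any(r["iface"] == out_name and r["network"].prefixlen == 0 for r in cfg["routes"]):
        findings.append(f"no default route via {out_name}")
    for iface in cfg["interfaces"]:
        if iface["security_level"] == 0 or iface["network"] is None:
            continue
        covered = any(
            obj["network"] is not None
            and iface["network"].subnet_of(obj["network"])
            and any(src == iface["nameif"] and dst == out_name for src, dst, _ in obj["nat"])
            for obj in cfg["objects"].values()
        )
        if not covered:
            findings.append(f"{iface['nameif']} ({iface['network']}) has no NAT rule to {out_name}")
    return findings

if __name__ == "__main__":
    print(audit(parse_config(SAMPLE_CONFIG)) or "no findings")
```

Run against the posted fragment the audit returns no findings for either public or private, which agrees with the reply: both inside subnets have a dynamic PAT rule to outside and a default route exists, so the configuration is not what distinguishes the two interfaces.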
11-01-2019 05:01 AM
It's a dedicated interface from the switch to the ASA; it's a trunk from the ASA to the ISP. So my laptop plugs into a switch on the public network, that switch passes traffic to the ASA, and the ASA sends it out the trunk to the ISP.
11-01-2019 09:54 PM
Did you confirm you can resolve the address of the website's FQDN when you plug into the public interface?
Have you tried capturing traffic on your Outside interface to/from the public web server?
Try this:
capture capout interface outside match tcp any <website ip> 255.255.255.255 eq 80
(or "eq 443" for https).