11-19-2013 03:10 PM - edited 03-07-2019 04:41 PM
I need the following to happen:
Host at 12.x.x.134 to access host 10.50.2.32 on port 8888.
Host at 12.x.x.134 to access host 10.50.2.33 on port 1560.
I am at a complete loss on getting this accomplished. Have tried multiple configurations and nothing works. Ideally I would collapse this all to the ASA but I do not have the time to dedicate at the moment so I just need to get this working as it is. The ASA is under SMARTnet but CCO ID does not have permission to its serial number yet.
Any guidance on this would be greatly appreciated. Is below enough to go on?
ASA Interfaces
Ethernet0/0 outside 64.xx.xx.130 security-level 0 --> to RouterA via 2980
Ethernet0/1 inside 10.50.2.1 security-level 100 --> to 2980
Ethernet0/2 dmz1 10.10.10.2 security-level 50 --> to ASA e2
PIX
Ethernet0 outside 12.xx.xx.2 security-level 0 --> to RouterB via 2980
Ethernet1 dmz 12.x.x.129 security-level 50 --> to 2980
Ethernet2 dmz2 10.10.10.1 security-level 50 --> to PIX e0/2
11-21-2013 02:49 PM
You still have the permit ip any any line in DMZ2IN acl ?
If so can you just try a ping from 12.x.x.134 host to 10.50.2.33 and see if anything increases on the acl on the ASA ?
If not then without capturing packets/debugging it's not obvious what is happening.
Jon
11-21-2013 02:51 PM
Yes, still have the permit ip any any in ACL DMZ2IN.
We are setting it up for me to have direct access to the 12.x.x.134 host so that I can do these test but will have them ping in the mean time.
It feels to me like I'll need to capture on the PIX initially?
11-21-2013 02:58 PM
It feels to me like I'll need to capture on the PIX initially?
I'm not sure because when we tested with an outbound acl on the pix dmz2 interface we saw hit cnts which suggests that traffic is leaving the pix going to the ASA. All the other testing we have done suggests the ASA is either not seeing the traffic or is dropping it so I would begin with the ASA.
Jon
11-21-2013 03:00 PM
Understood. I'll get my remote access set up to initiate testing myself and read up on setting up a capture on the ASA.
11-22-2013 12:12 PM
So on the ASA I did the following capture.
cap inbound interface dmz1 access-list DMZ2IN
ACL DMZ2IN on interface dmz1 still has no hits
access-list DMZ2IN line 1 extended permit tcp host 12.10.100.130 host 12.20.100.130 eq ftp (hitcnt=0) 0xbfea54d2
access-list DMZ2IN line 2 extended permit tcp host 12.10.100.130 host 12.20.100.130 eq ftp-data (hitcnt=0) 0x21f545e0
access-list DMZ2IN line 3 extended permit tcp host 12.10.100.134 host 10.50.2.33 eq 1560 (hitcnt=0) 0xc5c58369
access-list DMZ2IN line 4 extended permit tcp host 12.10.100.134 host 10.50.2.32 eq 8888 (hitcnt=0) 0xa9c0bd59
access-list DMZ2IN line 5 extended permit ip any any (hitcnt=0) 0x2bcade57
Not sure I did the capture correctly but it made sense to me. It shows no bytes captured.
11-22-2013 12:20 PM
Then I guess we need to do a packet capture on the pix as well.
Just before you do that can you clarify -
1) how is the connection made between the ASA and pix on these interfaces ie. is it a crossover cable, do they go via a switch etc.
2) the interfaces on both firewalls are definitely up ?
Jon
11-22-2013 01:06 PM
PIX
------
ACL dmz2_out is on interface dmz2
access-list dmz2_out line 1 extended permit ip host 12.10.100.134 host 10.50.2.32 (hitcnt=0)
access-list dmz2_out line 2 extended permit ip host 12.10.100.134 host 10.50.2.33 (hitcnt=3)
access-list dmz2_out line 3 extended permit ip any any (hitcnt=0)
I made the following capture:
capture outbound interface dmz2 access-list dmz2_out
I cleared the counters for the ACL before testing. Testing showed 3 hits yet I get 0 bytes on the capture. What did I do wrong on the capture?
The PIX and ASA are cabled directly together and both interfaces are up.
11-22-2013 01:18 PM
What did I do wrong on the capture?
I don't know, that should have worked. Can you confirm that both interfaces are up ie. "sh interface" shows the interface up on both firewalls ?
Jon
11-22-2013 01:20 PM
Yes, I show them both up and up.
11-22-2013 01:27 PM
Okay, I need to have a reread of all this.
Can you do the following -
1) post pix config minus any public IP addressing
2) post "sh route" from each device
3) post config of 2980
Jon
11-22-2013 01:46 PM
PIX - show route
S 0.0.0.0 0.0.0.0 [1/0] via 12.37.240.1, outside
C 10.10.10.0 255.255.255.0 is directly connected, dmz2
S 10.50.2.0 255.255.255.0 [1/0] via 10.10.10.2, dmz2
C 12.10.100.128 255.255.255.224 is directly connected, dmz
C 12.37.240.0 255.255.255.248 is directly connected, outside
ASA - show route
Gateway of last resort is 64.22.224.129 to network 0.0.0.0
C 64.22.224.128 255.255.255.240 is directly connected, outside
C 10.10.10.0 255.255.255.0 is directly connected, dmz1
C 10.50.2.0 255.255.255.0 is directly connected, inside
S 12.10.100.134 255.255.255.255 [1/0] via 10.10.10.1, dmz1
S* 0.0.0.0 0.0.0.0 [1/0] via 64.22.224.129, outside
PIX - config sanitized
PIX Version 7.0(6)
!
interface Ethernet0
nameif outside
security-level 0
ip address 12.xx.xx.2 255.255.255.248
!
interface Ethernet1
nameif dmz
security-level 50
ip address 12.x.x.129 255.255.255.224
!
interface Ethernet2
nameif dmz2
security-level 50
ip address 10.10.10.1 255.255.255.0
!
boot system flash:/pix706a.bin
ftp mode passive
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
same-security-traffic permit inter-interface
access-list dmz_access extended permit tcp any host 12.x.x.156 eq telnet
access-list dmz_access extended permit tcp any host 12.x.x.138 eq ftp
access-list dmz_access extended permit tcp any host 12.x.x.150 eq 2346
access-list dmz_access extended permit tcp any host 12.x.x.150 eq ssh
access-list dmz_access extended permit tcp any host 12.x.x.150 eq lpd
access-list dmz_access extended permit tcp any host 12.x.x.150 eq telnet
access-list dmz_access extended permit tcp any host 12.x.x.150 eq ftp
access-list dmz_access extended permit tcp any host 12.x.x.150 eq 3145
access-list dmz_access extended permit tcp any host 12.x.x.142 eq smtp
access-list dmz_access extended permit tcp any host 12.x.x.142 eq ssh
access-list dmz_access extended permit tcp any host 12.x.x.142 eq telnet
access-list dmz_access extended permit tcp any host 12.x.x.142 eq pop3
access-list dmz_access extended permit tcp any host 12.x.x.144 eq telnet
access-list dmz_access extended permit tcp any host 12.x.x.135 eq telnet
access-list dmz_access extended permit tcp any host 12.x.x.131 eq ftp
access-list dmz_access extended permit tcp any host 12.x.x.130 eq ftp
access-list dmz_access extended permit tcp any host 12.x.x.130 eq ftp-data
access-list dmz_access extended permit tcp any host 12.x.x.130 eq www
access-list dmz_access extended permit tcp any host 12.x.x.130 eq https
access-list dmz_access extended permit tcp any host 12.x.x.131 eq domain
access-list dmz_access extended permit icmp any any
access-list dmz_access extended permit tcp any host 12.x.x.131 eq ftp-data
access-list dmz_access extended permit tcp any host 12.x.x.138 eq ftp-data
access-list dmz_access extended permit ip any host 12.x.x.156
access-list dmz_access extended permit tcp any host 12.x.x.150 eq ftp-data
access-list dmz_access extended permit tcp any host 12.x.x.138 eq 3389
access-list dmz_access extended permit tcp any 10.50.2.0 255.255.255.0 eq pptp
access-list dmz_access extended permit gre any 10.50.2.0 255.255.255.0
access-list dmz_access extended permit udp any host 12.x.x.131 eq domain
access-list dmz_access extended permit tcp any host 12.x.x.140 eq 3389
access-list dmz_access extended permit tcp any host 12.x.x.141 eq telnet
access-list dmz_access extended permit tcp any host 12.x.x.133 eq 3389
access-list dmz_access extended permit tcp any host 12.x.x.133 eq 265
access-list dmz_access extended permit tcp any host 12.x.x.133 eq https
access-list dmz_access extended permit tcp any host 12.x.x.134 eq www
access-list dmz_access extended permit tcp any host 12.x.x.134 eq https
access-list dmz_access extended permit tcp any host 12.x.x.134 eq 3389
access-list dmz_access extended permit tcp any host 12.x.x.130 eq 265
access-list dmz_access extended permit tcp any host 12.x.x.130 eq 3389
access-list dmz_access extended permit tcp any host 12.x.x.131 eq telnet
access-list dmz_access extended permit tcp any host 12.x.x.132 eq sqlnet
access-list dmz_access extended permit tcp any host 12.x.x.132 eq 3389
access-list dmz_access extended permit tcp any host 12.x.x.135 eq 3389
access-list dmz_access extended permit tcp any host 12.x.x.142 eq ftp
access-list dmz-inside_access extended permit ip 12.x.x.128 255.255.255.224 10.50.2.0 255.255.255.0
access-list dmz-inside_access extended permit ip host 12.x.x.156 10.50.2.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 10.5.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 192.168.225.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 172.29.16.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 172.29.9.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 172.29.10.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 10.50.13.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 10.0.0.128 255.255.255.128
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 172.29.210.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 101 extended permit ip 10.50.2.0 255.255.255.0 172.29.15.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 10.5.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 192.168.225.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 172.29.16.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 172.29.9.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 172.29.10.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 10.50.13.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 10.0.0.128 255.255.255.128
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 172.29.210.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 10.50.2.0 255.255.255.0 172.29.15.0 255.255.255.0
access-list permit-to-inside extended permit icmp 12.x.x.0 255.255.255.0 10.50.2.0 255.255.255.0
access-list permit-to-inside extended permit ip any any
access-list temp_inside extended deny ip any host 89.163.182.25 log
access-list temp_inside extended permit ip any any
access-list DMZ2IN extended permit tcp host 12.x.x.130 host 12.20.100.130 eq ftp
access-list DMZ2IN extended permit tcp host 12.x.x.130 host 12.20.100.130 eq ftp-data
access-list DMZ2IN extended permit ip any any
access-list dmz2_out extended permit ip host 12.x.x.134 host 10.50.2.32
access-list dmz2_out extended permit ip host 12.x.x.134 host 10.50.2.33
access-list dmz2_out extended permit ip any any
pager lines 24
logging enable
logging console debugging
logging monitor alerts
logging buffered debugging
logging trap notifications
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
icmp permit any outside
icmp permit any dmz
icmp permit any dmz2
no asdm history enable
arp timeout 14400
nat (dmz2) 0 10.50.2.0 255.255.255.0
static (dmz,outside) 12.x.x.130 12.x.x.130 netmask 255.255.255.255
static (dmz,outside) 12.x.x.131 12.x.x.131 netmask 255.255.255.255
static (dmz,outside) 12.x.x.142 12.x.x.142 netmask 255.255.255.255
static (dmz,outside) 12.x.x.144 12.x.x.144 netmask 255.255.255.255
static (dmz,outside) 12.x.x.138 12.x.x.138 netmask 255.255.255.255
static (dmz,outside) 12.x.x.150 12.x.x.150 netmask 255.255.255.255
static (dmz,outside) 12.x.x.156 12.x.x.156 netmask 255.255.255.255
static (dmz,outside) 12.x.x.135 12.x.x.135 netmask 255.255.255.255
static (dmz,outside) 12.x.x.140 12.x.x.140 netmask 255.255.255.255
static (dmz2,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (dmz,dmz2) 12.x.x.0 12.x.x.0 netmask 255.255.255.0
access-group dmz_access in interface outside
access-group temp_inside in interface dmz2
access-group dmz2_out out interface dmz2
route outside 0.0.0.0 0.0.0.0 12.xx.xx.1 1
route dmz2 10.50.2.0 255.255.255.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server TACSERVER protocol tacacs+
aaa-server TACSERVER (dmz2) host 10.1.0.227
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 208.x.x.14
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
tunnel-group 208.x.x.14 type ipsec-l2l
tunnel-group 208.x.x.14 ipsec-attributes
pre-shared-key *
telnet 10.50.2.0 255.255.255.0 dmz2
telnet 192.168.5.0 255.255.255.0 dmz2
telnet 192.168.6.0 255.255.255.0 dmz2
telnet 10.1.0.0 255.255.0.0 dmz2
telnet 10.5.0.0 255.255.0.0 dmz2
telnet 10.4.0.0 255.255.0.0 dmz2
telnet timeout 45
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 dmz2
ssh timeout 40
console timeout 0
management-access dmz2
dhcpd dns 10.6.5.8 10.6.5.9
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
class inspection_default
inspect ftp
inspect icmp
!
service-policy asa_global_fw_policy global
: end
2980 - config sanitized
begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
!
#time: Fri Nov 22 2013, 08:21:12
!
#version 6.1(3)
!
!
#system web interface version(s)
set banner motd ^C
C
^C
!
#test
!
#system
!
#frame distribution method
set port channel all distribution mac both
!
#snmp
set snmp community read-only
set snmp community read-write
!
#vtp
set vtp domain Transcore
set vlan 1 name default type ethernet mtu 1500 said 100001 state active
set vlan 2 name Internal type ethernet mtu 1500 said 100002 state active
set vlan 3 name External type ethernet mtu 1500 said 100003 state active
set vlan 4 name FW_DMZ-12.xx.xx.0/29 type ethernet mtu 1500 said 100004 state active
set vlan 5 name Internet type ethernet mtu 1500 said 100005 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active stp ibm
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active mode srb aremaxhop 7 stemaxhop 7 backupcrf off
!
#ip
set interface sc0 2 10.50.2.3/255.255.255.0 10.50.2.255
set interface sl0 down
set interface me1 down
set ip route 0.0.0.0/0.0.0.0 10.50.2.1
set ip route 0.0.0.0/0.0.0.0 10.50.2.2
!
#syslog
set logging console disable
set logging server enable
set logging server 10.50.2.12
set logging server 10.6.252.46
set logging level cops 2 default
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.6-1-3.bin
!
#mls
set mls nde disable
!
#module 1 : 0-port Switching Supervisor
!
#module 2 : 48-port 10/100BaseTx Ethernet
set vlan 2 2/1-48
!
#module 3 : 34-port 10/100/1000 Ethernet
set vlan 2 3/12,3/19-32
set vlan 3 3/1-11
set vlan 4 3/16-18
set vlan 5 3/13-15
set vlan 4 3/18
set port auxiliaryvlan 3/1-34 other
set port speed 3/16 100
set port duplex 3/16 full
set port name 3/16 Router-E0
set port name 3/17 PIX-Outside
set port name 3/18 WLAN
set udld enable 3/1-34
!
#switch port analyzer
set span 2/9 3/18 both inpkts disable learning enable create
end
11-22-2013 01:28 PM
I've got some captured! The any any on that ACL is increasing hits but not the one specific to 10.50.2.33.
Here are 40 of 1290 packets:
show capture outbound
1290 packets captured
1: 21:13:55.821032 10.10.10.2.22488 > 12.x.x.134.443: S 575840554:575840554(0) win 8192
2: 21:13:55.821353 10.10.10.2.31266 > 12.x.x.134.443: S 2938288887:2938288887(0) win 8192
3: 21:13:55.821887 12.x.x.134.443 > 10.10.10.2.22488: S 2477443592:2477443592(0) ack 575840555 win 8192
4: 21:13:55.821933 12.x.x.134.443 > 10.10.10.2.31266: S 1811689763:1811689763(0) ack 2938288888 win 8192
5: 21:13:55.822574 10.10.10.2.22488 > 12.x.x.134.443: . ack 2477443593 win 258
6: 21:13:55.822619 10.10.10.2.31266 > 12.x.x.134.443: . ack 1811689764 win 258
7: 21:13:55.823855 10.10.10.2.22488 > 12.x.x.134.443: P 575840555:575840692(137) ack 2477443593 win 258
8: 21:13:55.824527 10.10.10.2.31266 > 12.x.x.134.443: P 2938288888:2938289025(137) ack 1811689764 win 258
9: 21:13:55.824694 12.x.x.134.443 > 10.10.10.2.22488: P 2477443593:2477444419(826) ack 575840692 win 258
10: 21:13:55.825000 12.x.x.134.443 > 10.10.10.2.31266: P 1811689764:1811690590(826) ack 2938289025 win 258
11: 21:13:55.826037 10.10.10.2.22488 > 12.x.x.134.443: P 575840692:575841018(326) ack 2477444419 win 255
12: 21:13:55.826266 10.10.10.2.31266 > 12.x.x.134.443: P 2938289025:2938289351(326) ack 1811690590 win 255
13: 21:13:55.831988 12.x.x.134.443 > 10.10.10.2.22488: P 2477444419:2477444478(59) ack 575841018 win 257
14: 21:13:55.836107 12.x.x.134.443 > 10.10.10.2.31266: P 1811690590:1811690649(59) ack 2938289351 win 257
15: 21:13:55.879257 10.10.10.2.31266 > 12.x.x.134.443: F 2938289351:2938289351(0) ack 1811690649 win 255
16: 21:13:55.879471 10.10.10.2.22488 > 12.x.x.134.443: F 575841018:575841018(0) ack 2477444478 win 255
17: 21:13:55.879623 12.x.x.134.443 > 10.10.10.2.31266: R 1811690649:1811690649(0) ack 2938289352 win 0
18: 21:13:55.879806 12.x.x.134.443 > 10.10.10.2.22488: R 2477444478:2477444478(0) ack 575841019 win 0
19: 21:13:58.148414 10.10.10.2.23553 > 12.x.x.134.443: S 2031005821:2031005821(0) win 8192
20: 21:13:58.148689 10.10.10.2.43041 > 12.x.x.134.443: S 856547885:856547885(0) win 8192
21: 21:13:58.149207 12.x.x.134.443 > 10.10.10.2.23553: S 3634621310:3634621310(0) ack 2031005822 win 8192
22: 21:13:58.149269 12.x.x.134.443 > 10.10.10.2.43041: S 2543391081:2543391081(0) ack 856547886 win 8192
23: 21:13:58.149909 10.10.10.2.23553 > 12.x.x.134.443: . ack 3634621311 win 258
24: 21:13:58.149955 10.10.10.2.43041 > 12.x.x.134.443: . ack 2543391082 win 258
25: 21:13:58.150199 10.10.10.2.23553 > 12.x.x.134.443: P 2031005822:2031005991(169) ack 3634621311 win 258
26: 21:13:58.150260 10.10.10.2.43041 > 12.x.x.134.443: P 856547886:856548055(169) ack 2543391082 win 258
27: 21:13:58.150901 12.x.x.134.443 > 10.10.10.2.23553: P 3634621311:3634621456(145) ack 2031005991 win 258
28: 21:13:58.150962 12.x.x.134.443 > 10.10.10.2.43041: P 2543391082:2543391227(145) ack 856548055 win 258
29: 21:13:58.151862 10.10.10.2.43041 > 12.x.x.134.443: P 856548055:856548114(59) ack 2543391227 win 258
30: 21:13:58.151923 10.10.10.2.23553 > 12.x.x.134.443: P 2031005991:2031006050(59) ack 3634621456 win 258
31: 21:13:58.156196 10.10.10.2.23553 > 12.x.x.134.443: F 2031006050:2031006050(0) ack 3634621456 win 258
32: 21:13:58.156318 10.10.10.2.43041 > 12.x.x.134.443: F 856548114:856548114(0) ack 2543391227 win 258
33: 21:13:58.156486 12.x.x.134.443 > 10.10.10.2.23553: . ack 2031006051 win 258
34: 21:13:58.156531 12.x.x.134.443 > 10.10.10.2.23553: R 3634621456:3634621456(0) ack 2031006051 win 0
35: 21:13:58.156638 12.x.x.134.443 > 10.10.10.2.43041: . ack 856548115 win 258
36: 21:13:58.156669 12.x.x.134.443 > 10.10.10.2.43041: R 2543391227:2543391227(0) ack 856548115 win 0
37: 21:13:58.159095 10.10.10.2.18161 > 12.x.x.134.443: S 1650251089:1650251089(0) win 8192
38: 21:13:58.159537 12.x.x.134.443 > 10.10.10.2.18161: S 4231434596:4231434596(0) ack 1650251090 win 8192
39: 21:13:58.160224 10.10.10.2.18161 > 12.x.x.134.443: . ack 4231434597 win 258
40: 21:13:58.160559 10.10.10.2.18161 > 12.x.x.134.443: P 1650251090:1650251259(169) ack 4231434597 win 258
11-21-2013 01:41 PM
They tell me TCP.
11-22-2013 01:47 PM
Your packet capture shows port 443 so some server internally is connecting to 12.x.x.134 on port 443. I suspect this is what the config on the ASA is for ie.
global (dmz1) 1 interface
nat (inside) 1 10.50.2.0 255.255.255.0
the trouble is it's not taking the static translations we added or it doesn't seem to be. So we can't remove the above config but if you configure static NAT it should override the dynamic NAT but it obviously isn't. So I'm going to have a look at the NAT config on the ASA more closely.
I'm not sure why your packet capture did not capture our specific packets. I don't need the 2980 config now but I do need the pix config and the route table.
Can you do another packet capture with an acl without the permit ip any any so we can get rid of all the noise. You don't need to apply the acl to an interface, it is just used for the packet capture.
Jon
11-22-2013 01:56 PM
I created a new ACL for the 10.50.2.33 traffic minus an ip any any statement. When I run the test it gets no hits but the old one does. So I removed the old and those hits go to the any any in the old ACL and no packets get captured.
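Added example (not code from the thread or from Cisco): a small Python replay of the "show capture" line format and the DMZ2IN ACL posted above, to show why a first-match ACL's "permit ip any any" line accumulates hits while the host-specific lines stay at zero when the captured flows are 10.10.10.2 -> host:443 rather than host -> 10.50.2.33:1560. The capture lines and ACEs are constructed sample data; 192.0.2.134 stands in for the thread's sanitised 12.x.x.134.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the ASA/PIX "show capture" format seen in the thread.
# 192.0.2.134 is a placeholder for the sanitised 12.x.x.134; packet 41 is an
# invented flow that does match the host-specific ACE, for contrast.
CAPTURE = """\
1: 21:13:55.821032 10.10.10.2.22488 > 192.0.2.134.443: S 575840554:575840554(0) win 8192
3: 21:13:55.821887 192.0.2.134.443 > 10.10.10.2.22488: S 2477443592:2477443592(0) ack 575840555 win 8192
41: 21:14:02.000000 192.0.2.134.51000 > 10.50.2.33.1560: S 1:1(0) win 8192
"""

@dataclass
class Ace:
    """Simplified extended ACE: host or 'any' (None) for src/dst, optional dest port."""
    line: int
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return ((self.src is None or self.src == src)
                and (self.dst is None or self.dst == dst)
                and (self.dport is None or self.dport == dport))

# ACL DMZ2IN as shown on the ASA in the thread (ftp lines omitted for brevity).
DMZ2IN: List[Ace] = [
    Ace(3, "192.0.2.134", "10.50.2.33", 1560),
    Ace(4, "192.0.2.134", "10.50.2.32", 8888),
    Ace(5, None, None, None),  # permit ip any any
]

# "<n>: <timestamp> <src>.<sport> > <dst>.<dport>: ..."
PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

def parse_capture(text: str) -> List[Tuple[str, int, str, int]]:
    """Return (src_ip, src_port, dst_ip, dst_port) for every parseable capture line."""
    flows = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows

def first_match(acl: List[Ace], src: str, dst: str, dport: int) -> Optional[int]:
    """ACL evaluation is first-match: return the line number of the first ACE that
    permits the packet, or None if no ACE matches (implicit deny)."""
    for ace in acl:
        if ace.matches(src, dst, dport):
            return ace.line
    return None

def hit_counts(acl: List[Ace], text: str) -> dict:
    """Replay captured packets against the ACL and count hits per line, like hitcnt."""
    counts = {ace.line: 0 for ace in acl}
    for src, _sport, dst, dport in parse_capture(text):
        line = first_match(acl, src, dst, dport)
        if line is not None:
            counts[line] += 1
    return counts

if __name__ == "__main__":
    # The two port-443 flows land on line 5 (any any); only the invented
    # host -> 10.50.2.33:1560 packet lands on line 3.
    print(hit_counts(DMZ2IN, CAPTURE))
```

Dropping the "permit ip any any" ACE from the capture ACL, as Jon suggests, makes these 443 flows fall through to the implicit deny, so the capture only records packets that match the host-specific lines.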