05-11-2012 07:07 AM - edited 03-07-2019 06:38 AM
Ok, I am VERY green, so bear with me. Networking is not my gig, but it has to be at this very moment. We have an ASA 5505. Let me explain what's going on.
On Tuesday I wanted to be able to use the ASDM since there is less room for error. But we only had a console set up. So I ran the following commands...
in ($config)
http: of course, didn't do anything (incomplete command)
http 192.168.1.2 255.255.255.255: didn't do anything (incomplete command)
http 192.168.200.254 255.255.255.255 inside
http server enable
asdm image disk0:/asdm-524.bin
http 192.168.200.0 255.255.255.0 inside
http 192.168.200.254 255.255.255.255 inside
After doing this, our CC processing stopped because the HTTP server runs on port 443, so it was trapping all the secure traffic, which we discovered the following morning.
So to fix it I entered this...
no http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.1.2 255.255.255.255
http 192.168.200.254 255.255.255.255 inside
Everything started working after that. Everything worked fine all of Wednesday and Thursday. Then this morning it stopped processing again. When I traceroute, it gets to the machine that is hooked up to the console and stops. So I'm guessing it's actually getting to the ASA router and being swallowed up again...
What do I check? What do you need to help me?
Thanks in advance...
Bryce Martin
05-11-2012 07:28 AM
All you are trying to achieve is to access your firewall using ASDM from inside network? Is it correct?
Could you provide more details on what 'CC processing' is? Who is 192.168.1.2, and who is 192.168.200.254?
05-11-2012 07:39 AM
Yes, I want to access ASDM from inside the network. I thought that 192.168.1.2 was the default for ASDM?
192.168.200.254 is interface Vlan1 nameif inside security-level 100
Here is the running config...
ASA Version 7.2(4)
!
hostname CiscoASA
domain-name [redacted].com
enable password [redacted] encrypted
passwd [redacted] encrypted
names
!
interface Vlan1
description Behind Firewall
nameif inside
security-level 100
ip address 192.168.200.254 255.255.255.0
!
interface Vlan2
description Outside Firewall - Ethernet 0/0 is R20 - Ethernet 0/2 is Outside - Ethernet 0/3 is Atlantic Zeiser
nameif outside
security-level 0
ip address 204.186.233.26 255.255.255.252
!
interface Vlan3
nameif Presses
security-level 50
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
duplex full
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name [redacted].com
same-security-traffic permit intra-interface
access-list 101 extended permit ip host 204.186.124.2 10.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 extended permit ip any 10.1.1.0 255.255.255.0
access-list 102 extended permit ip any host 204.186.124.115
access-list 102 extended permit tcp any host 204.186.124.2 eq smtp
access-list 102 extended permit tcp any host 204.186.124.2 eq pop3
access-list 102 extended permit tcp any host 204.186.124.2 eq www
access-list 102 extended permit icmp any any echo-reply
access-list 102 extended permit tcp any host 204.186.124.113 eq www
access-list 102 extended permit tcp any host 204.186.124.114 eq www
access-list 102 extended permit tcp any host 204.186.124.114 eq 3011
access-list 102 extended permit tcp any host 204.186.124.113 eq 3011
access-list 102 extended permit udp any host 204.186.124.113 eq 3011
access-list 102 extended permit udp any host 204.186.124.114 eq 3011
access-list 102 extended permit tcp any host 192.168.200.200 eq www
access-list 102 extended permit udp any host 192.168.200.200 eq www
access-list 102 extended permit tcp any host 192.168.200.200 eq https
access-list 102 extended permit udp any host 192.168.200.200 eq 443
access-list 102 extended permit tcp any host 192.168.200.200 eq 500
access-list 102 extended permit udp any host 192.168.200.200 eq isakmp
access-list 102 extended permit tcp any host 192.168.200.200 eq 4500
access-list 102 extended permit udp any host 192.168.200.200 eq 4500
access-list 102 extended permit tcp any host 204.186.124.2 eq 587
access-list inside_access_in remark Facebook
access-list inside_access_in extended deny tcp any 69.63.176.0 255.255.240.0
access-list inside_access_in remark My space
access-list inside_access_in extended deny tcp any 216.178.32.0 255.255.240.0
access-list inside_access_in extended permit ip any any
access-list presses_in extended permit ip any any
access-list presses_in extended permit icmp any any
pager lines 24
logging timestamp
logging monitor debugging
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Presses 1500
ip local pool clients 10.1.1.1-10.1.1.254
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 204.186.124.4-204.186.124.110 netmask 255.255.255.0
global (outside) 1 204.186.124.3 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.1.1.0 255.255.255.0
nat (Presses) 1 0.0.0.0 0.0.0.0
static (inside,outside) 204.186.124.2 192.168.200.202 netmask 255.255.255.255
static (inside,outside) 204.186.124.113 192.168.200.235 netmask 255.255.255.255
static (inside,outside) 204.186.124.114 192.168.200.236 netmask 255.255.255.255
static (Presses,outside) 204.186.124.115 192.168.100.253 netmask 255.255.255.255
static (inside,Presses) 192.168.200.201 192.168.200.201 netmask 255.255.255.255
static (inside,outside) 204.186.124.208 192.168.200.208 netmask 255.255.255.255
static (inside,outside) 204.186.124.209 192.168.200.209 netmask 255.255.255.255
static (inside,outside) 204.186.124.210 192.168.200.210 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 102 in interface outside
access-group presses_in in interface Presses
route outside 0.0.0.0 0.0.0.0 204.186.233.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http 192.168.200.0 255.255.255.0 inside
http 192.168.200.254 255.255.255.255 inside
http 192.168.200.0 255.255.255.255 inside
http 192.168.1.2 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.200.40 255.255.255.255 inside
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 1300
sysopt noproxyarp inside
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto dynamic-map dynmap 40 set pfs
crypto dynamic-map dynmap 40 set transform-set ESP-3DES-SHA
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
group-policy vpnweb internal
group-policy vpnweb attributes
dns-server value 192.168.200.201 192.168.200.202
vpn-tunnel-protocol IPSec
default-domain value [redacted].local
group-policy vpn3000 internal
group-policy vpn3000 attributes
banner value Welcome to NTC's Virtual Private Network
dns-server value 192.168.200.201 192.168.200.203
vpn-idle-timeout 30
default-domain value [redacted].local
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool clients
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
tunnel-group vpnweb type ipsec-ra
tunnel-group vpnweb general-attributes
address-pool clients
default-group-policy vpnweb
tunnel-group vpnweb ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:[redacted]
: end
05-11-2012 08:29 AM
If you see, access-list 102 has entries for 192.168.200.200, which is the server that is trying to get out over 443. But I can't traceroute out past the device from my PC either. So something on the device has to be swallowing up the 443 traffic, I presume?
05-11-2012 08:31 AM
Can you tell me what address you are typing on your browser to access the firewall & whats the IP of your host?
On 5505 - below is the default -
The inside interface (security level 100) is VLAN 1; Ethernet 0/1 through Ethernet 0/7 are assigned to VLAN 1, and it is enabled. VLAN 1 has IP address 192.168.1.1. With this default, if you want to access the firewall using ASDM from a host on the inside interface with an address of 192.168.1.2, enter the following commands:
crypto key generate rsa modulus 1024
write mem
http server enable
http 192.168.1.2 255.255.255.255 inside
The URL you should use is http://192.168.1.1. To allow all users on the 192.168.2.0 network to access ASDM on the inside interface, enter the following command: http 192.168.3.0 255.255.255.0 inside
As per your current config you have 192.168.200.254 on vlan 1 interface. Hence you should use this address as ASDM address in your browser.
05-11-2012 08:40 AM
That ACL is applied on the outside interface. Hence, it doesn't affect your ASDM access from the inside interface. Please look at my latest reply for more info and reply.
05-11-2012 08:43 AM
Well my machine address is 192.168.200.34
When I type https://192.168.200.254 it times out. This tells me that the HTTP server is not running, which it shouldn't be, since I turned it off.
This thing has been setup for a couple of years now and I have inherited this mess.
So our Vlan1 is .200.254, not 1.1.
So how do I check to see what is blocking the 443 traffic?
05-11-2012 08:56 AM
Well... I don't see the 'http server enable' command in your running configuration. Without it you will not be able to access the ASDM. Can you enter that command and check? If you think that port 443 is not appropriate for you for any reason, use a different port number by entering the command: http server enable
05-11-2012 09:02 AM
Ok, so that got the ASDM running. Now, how do I see why port 443 is not going through?
From my PC, which is 192.168.200.34, I can access https:// addresses,
but our server on 192.168.200.200 cannot. This doesn't seem to make sense to me...
Is there something in ASDM that will allow me to see each request that comes through??
05-11-2012 09:16 AM
So from ASDM...
I pulled up the Packet Tracer.
Interface: outside
Source IP: 192.168.200.200 Destination IP: 129.33.160.xxx[redacted]
Source Port: 443 Destination Port: 443
When I run it I get a result of (rpf-violated) Reverse-path verify failed
What does this mean? Am I doing this right? I tested the exact same settings over the inside interface and it worked with no problem. But I figure with the destination being outside I should use that interface, right?
Thanks
Bryce
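Why packet-tracer answers "rpf-violated" for this test, as an added example that is not part of the original thread: the posted config has `ip verify reverse-path interface outside` and a connected route for 192.168.200.0/24 on the inside interface, so a packet that claims source 192.168.200.200 but is fed in on outside fails unicast reverse-path forwarding before any ACL or NAT is consulted. The Python below models that lookup. The routing table is reconstructed from the running config (two connected networks plus the default route) and assumes nothing else is routed; 203.0.113.10 is a constructed stand-in for the redacted 129.33.160.x destination.

```python
import ipaddress

# Routing table reconstructed from the posted running config:
#   connected 192.168.200.0/24 on inside (Vlan1), connected 204.186.233.24/30 on outside (Vlan2),
#   'route outside 0.0.0.0 0.0.0.0 204.186.233.25 1' as the default.
# Assumption: no other routes (the VPN pool is left out for clarity).
ROUTES = [
    (ipaddress.ip_network("192.168.200.0/24"), "inside"),
    (ipaddress.ip_network("204.186.233.24/30"), "outside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# 'ip verify reverse-path interface outside' in the posted config: only outside enforces uRPF.
RPF_INTERFACES = {"outside"}


def egress_interface(ip):
    """Longest-prefix match: which interface would the ASA use to reach this address?"""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, ifname in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def rpf_check(ingress, src_ip):
    """Unicast RPF as the ASA applies it: the route back to the source must point at the ingress interface.

    Returns (accepted, reason)."""
    if ingress not in RPF_INTERFACES:
        return (True, "rpf not enforced on " + ingress)
    if egress_interface(src_ip) == ingress:
        return (True, "ok")
    return (False, "rpf-violated")


def packet_tracer(ingress, src_ip, dst_ip):
    """Mimic the first stage of packet-tracer: one result line per interface/source combination."""
    ok, reason = rpf_check(ingress, src_ip)
    return f"{ingress} {src_ip}->{dst_ip}: {'ALLOW' if ok else 'DROP'} ({reason})"


if __name__ == "__main__":
    # 203.0.113.10 is a constructed value standing in for the redacted HTTPS destination.
    print(packet_tracer("outside", "192.168.200.200", "203.0.113.10"))  # the test run in the thread
    print(packet_tracer("inside", "192.168.200.200", "203.0.113.10"))   # the server's real ingress
    print(packet_tracer("outside", "203.0.113.10", "204.186.124.2"))    # a genuine inbound packet
```

The practical reading: pick the interface the packet really arrives on (inside for traffic originated by 192.168.200.200), not the interface it will leave by. A client connection from the server would also carry an ephemeral source port rather than 443; only the destination port is 443.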
05-11-2012 09:31 AM
You can setup a capture via CLI to 'see' these packets if they are getting to the ASA.
!SINGLE OUT THE TRAFFIC IN AN ACCESS LIST (TCP from the server to any destination port 443)
access-list cap extended permit tcp host 192.168.200.200 any eq 443
!CAPTURE THE TRAFFIC USING THE CAPTURE FUNCTION
!(the capture needs an interface to bind to, otherwise it collects nothing; inside is where the server's packets arrive)
capture cap access-list cap interface inside
!VIEW THE CAPTURE AFTER GENERATING THE HTTPS TRAFFIC
show capture cap
This will verify that the ASA is actually receiving the flow from the server. The config that you've posted above doesn't seem to block HTTPS inbound on the INSIDE interface, but I may be missing something. Let us know if the ASA is receiving hits on this capture after you've generated traffic. If not, you have an issue before the ASA in your network.
Kind Regards,
Kevin
Please rate helpful posts and mark as answered once the issue is resolved so that others may easily find the solution.
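How the capture ACL and the inside ACL above decide what they match, as an added example that is not code from the thread: both are evaluated first match wins, with an implicit deny at the end, and `eq 443` binds to the destination port because it follows the destination address. The Python below parses the `inside_access_in` and `cap` entries copied from the posted config (constructed input) and evaluates flows against them; 203.0.113.10 is a constructed stand-in for the redacted HTTPS destination. It handles the `any`, `host`, and address/netmask forms and the port keywords that appear on the page, nothing more.

```python
import ipaddress

# Port keywords used in the posted ACLs; the ASA resolves them to numbers.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "isakmp": 500}

# Copied from the thread: the inside ACL and the capture ACL. Constructed input, not live config.
CONFIG = """
access-list inside_access_in remark Facebook
access-list inside_access_in extended deny tcp any 69.63.176.0 255.255.240.0
access-list inside_access_in remark My space
access-list inside_access_in extended deny tcp any 216.178.32.0 255.255.240.0
access-list inside_access_in extended permit ip any any
access-list cap extended permit tcp host 192.168.200.200 any eq 443
"""


def _take_addr(tok, i):
    """Consume one ASA address spec starting at tok[i]; return (network, next_index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # 'A.B.C.D M.M.M.M': ASA access-lists take a real netmask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended ...' lines into {name: [ace, ...]}, preserving order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "extended":
            continue  # remarks carry no match semantics
        name, action, proto = tok[1], tok[3], tok[4]
        src, i = _take_addr(tok, 5)
        dst, i = _take_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":  # 'eq' after the destination means destination port
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def evaluate(aces, proto, src, dst, dport):
    """First match wins; every ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, adport in aces:
        if aproto != "ip" and aproto != proto:
            continue
        if s not in asrc or d not in adst:
            continue
        if adport is not None and adport != dport:
            continue
        return action
    return "deny"


ACLS = parse_acl(CONFIG)


def decide(acl_name, proto, src, dst, dport):
    return evaluate(ACLS[acl_name], proto, src, dst, dport)


if __name__ == "__main__":
    print("server -> https  :", decide("inside_access_in", "tcp", "192.168.200.200", "203.0.113.10", 443))
    print("PC -> facebook   :", decide("inside_access_in", "tcp", "192.168.200.34", "69.63.176.13", 443))
    print("captured?        :", decide("cap", "tcp", "192.168.200.200", "203.0.113.10", 443))
    print("reply captured?  :", decide("cap", "tcp", "203.0.113.10", "192.168.200.200", 55000))
```

The last line is the caveat worth knowing when a capture "shows nothing": the capture ACL as written matches only the server's outbound packets. To see the returning half of the conversation in the same capture, add a second entry with the addresses and port reversed (`permit tcp any eq 443 host 192.168.200.200`).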
05-11-2012 09:36 AM
How do I turn off the cap to stop collecting?
no cap cap access-list cap ?
05-11-2012 09:37 AM
no cap cap
05-11-2012 09:47 AM
It showed nothing. I added one for http to the access list and that didn't turn anything up either. So something else must be blocking the traffic?
05-11-2012 09:47 AM
Glad to hear that you are able to use ASDM now. To monitor what types of network traffic have been allowed and denied, you need to configure logging: go to Configuration > Device Management > Logging > Logging Setup.
Once you configure logging, go to Monitoring > Logging > Real-Time Log Viewer to monitor the real-time logs.
About your server on 192.168.200.200, you said you are not able to access https from it. Could you tell me where your destination https server is located? Is that outside of your network?
HTH.