Urgent: ASA 5505 dropping port 443 traffic...no idea why.

brycekmartin
Level 1

Ok, I am VERY green, so bear with me.  Networking is not my gig, but it has to be at this very moment.  We have an ASA 5505. Let me explain what's going on.

On Tuesday I wanted to be able to use the ASDM since there is less room for error.  But we only had a console set up.  So I ran the following commands...

in ($config)
http                                      (of course didn't do anything: incomplete command)
http 192.168.1.2 255.255.255.255          (didn't do anything: incomplete command)
http 192.168.200.254 255.255.255.255 inside
http server enable
asdm image disk0:/asdm-524.bin
http 192.168.200.0 255.255.255.0 inside
http 192.168.200.254 255.255.255.255 inside

After doing this our CC processing stopped because the http server runs on port 443 so it was trapping all the secure traffic which we discovered the following morning.

So to fix it I entered this...

no http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.1.2 255.255.255.255
http 192.168.200.254 255.255.255.255 inside

Everything started working after that.  Everything worked fine all of Wednesday and Thursday.  Then this morning it stopped processing again.  When I traceroute it gets to the machine that is hooked up to the console and stops.  So I'm guessing it's actually getting to the ASA router and being swallowed up again...

What do I check?  What do you need to help me? 

Thanks in advance...

Bryce Martin

23 Replies

srereddy
Level 1

All you are trying to achieve is to access your firewall using ASDM from inside network? Is it correct?

Could you provide more details on what's 'CC processing'? Who is 192.168.1.2? And who is 192.168.200.254?

Yes, I want to access ASDM from inside the network.  I thought that 192.168.1.2 was the default for ASDM?

192.168.200.254 is interface Vlan1 nameif inside security-level 100

Here is the running config...

ASA Version 7.2(4)
!
hostname CiscoASA
domain-name [redacted].com
enable password [redacted] encrypted
passwd [redacted] encrypted
names
!
interface Vlan1
 description Behind Firewall
 nameif inside
 security-level 100
 ip address 192.168.200.254 255.255.255.0
!
interface Vlan2
 description Outside Firewall  -  Ethernet 0/0 is R20  -  Ethernet 0/2 is Outside -  Ethernet 0/3 is Atlantic Zeiser
 nameif outside
 security-level 0
 ip address 204.186.233.26 255.255.255.252
!
interface Vlan3
 nameif Presses
 security-level 50
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 2
 duplex full
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name [redacted].com
same-security-traffic permit intra-interface
access-list 101 extended permit ip host 204.186.124.2 10.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 extended permit ip any 10.1.1.0 255.255.255.0
access-list 102 extended permit ip any host 204.186.124.115
access-list 102 extended permit tcp any host 204.186.124.2 eq smtp
access-list 102 extended permit tcp any host 204.186.124.2 eq pop3
access-list 102 extended permit tcp any host 204.186.124.2 eq www
access-list 102 extended permit icmp any any echo-reply
access-list 102 extended permit tcp any host 204.186.124.113 eq www
access-list 102 extended permit tcp any host 204.186.124.114 eq www
access-list 102 extended permit tcp any host 204.186.124.114 eq 3011
access-list 102 extended permit tcp any host 204.186.124.113 eq 3011
access-list 102 extended permit udp any host 204.186.124.113 eq 3011
access-list 102 extended permit udp any host 204.186.124.114 eq 3011
access-list 102 extended permit tcp any host 192.168.200.200 eq www
access-list 102 extended permit udp any host 192.168.200.200 eq www
access-list 102 extended permit tcp any host 192.168.200.200 eq https
access-list 102 extended permit udp any host 192.168.200.200 eq 443
access-list 102 extended permit tcp any host 192.168.200.200 eq 500
access-list 102 extended permit udp any host 192.168.200.200 eq isakmp
access-list 102 extended permit tcp any host 192.168.200.200 eq 4500
access-list 102 extended permit udp any host 192.168.200.200 eq 4500
access-list 102 extended permit tcp any host 204.186.124.2 eq 587
access-list inside_access_in remark Facebook
access-list inside_access_in extended deny tcp any 69.63.176.0 255.255.240.0
access-list inside_access_in remark My space
access-list inside_access_in extended deny tcp any 216.178.32.0 255.255.240.0
access-list inside_access_in extended permit ip any any
access-list presses_in extended permit ip any any
access-list presses_in extended permit icmp any any
pager lines 24
logging timestamp
logging monitor debugging
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Presses 1500
ip local pool clients 10.1.1.1-10.1.1.254
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 204.186.124.4-204.186.124.110 netmask 255.255.255.0
global (outside) 1 204.186.124.3 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.1.1.0 255.255.255.0
nat (Presses) 1 0.0.0.0 0.0.0.0
static (inside,outside) 204.186.124.2 192.168.200.202 netmask 255.255.255.255
static (inside,outside) 204.186.124.113 192.168.200.235 netmask 255.255.255.255
static (inside,outside) 204.186.124.114 192.168.200.236 netmask 255.255.255.255
static (Presses,outside) 204.186.124.115 192.168.100.253 netmask 255.255.255.255
static (inside,Presses) 192.168.200.201 192.168.200.201 netmask 255.255.255.255
static (inside,outside) 204.186.124.208 192.168.200.208 netmask 255.255.255.255
static (inside,outside) 204.186.124.209 192.168.200.209 netmask 255.255.255.255
static (inside,outside) 204.186.124.210 192.168.200.210 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 102 in interface outside
access-group presses_in in interface Presses
route outside 0.0.0.0 0.0.0.0 204.186.233.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http 192.168.200.0 255.255.255.0 inside
http 192.168.200.254 255.255.255.255 inside
http 192.168.200.0 255.255.255.255 inside
http 192.168.1.2 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.200.40 255.255.255.255 inside
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 1300
sysopt noproxyarp inside
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto dynamic-map dynmap 40 set pfs
crypto dynamic-map dynmap 40 set transform-set ESP-3DES-SHA
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
group-policy vpnweb internal
group-policy vpnweb attributes
 dns-server value 192.168.200.201 192.168.200.202
 vpn-tunnel-protocol IPSec
 default-domain value [redacted].local
group-policy vpn3000 internal
group-policy vpn3000 attributes
 banner value Welcome to NTC's Virtual Private Network
 dns-server value 192.168.200.201 192.168.200.203
 vpn-idle-timeout 30
 default-domain value [redacted].local
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool clients
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group vpnweb type ipsec-ra
tunnel-group vpnweb general-attributes
 address-pool clients
 default-group-policy vpnweb
tunnel-group vpnweb ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:[redacted]
: end

If you see, the access-list 102 has entries for 192.168.200.200, which is the server that is trying to get out over 443.  But I can't traceroute out past the device from my PC either.  So something on the device has to be swallowing up the 443 traffic, I presume?
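As an added example (not from the thread or from Cisco), a small Python evaluator for the extended ACL lines in the config above: it applies ASA first-match semantics and shows that inside_access_in only denies TCP to the two social-network ranges and permits everything else, so an outbound 443 flow from 192.168.200.200 is not stopped by the inside ACL, while access-list 102 only matters for connections arriving on outside. The destination 198.51.100.10 is a constructed stand-in for the redacted one.

```python
import ipaddress

# ACL lines copied from the running config posted in the thread (remarks omitted).
ACL_TEXT = """\
access-list inside_access_in extended deny tcp any 69.63.176.0 255.255.240.0
access-list inside_access_in extended deny tcp any 216.178.32.0 255.255.240.0
access-list inside_access_in extended permit ip any any
access-list 102 extended permit tcp any host 192.168.200.200 eq https
access-list 102 extended permit tcp any host 204.186.124.2 eq smtp
"""
# Port names the ASA prints instead of numbers (subset used on this page).
NAMED_PORTS = {"https": 443, "www": 80, "smtp": 25, "pop3": 110, "isakmp": 500}

def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | network mask) from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")  # dotted netmask form

def parse_acls(text):
    """Group extended ACEs by ACL name, preserving order (order is the policy)."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue  # skips remarks and anything that is not an extended ACE
        name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = NAMED_PORTS[rest[1]] if rest[1] in NAMED_PORTS else int(rest[1])
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; an applied ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in acl:
        if p not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    print(evaluate(acls["inside_access_in"], "tcp", "192.168.200.200", "198.51.100.10", 443))
    print(evaluate(acls["inside_access_in"], "tcp", "192.168.200.200", "69.63.181.12", 443))
```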

Can you tell me what address you are typing in your browser to access the firewall, and what's the IP of your host?

On 5505 - below is the default -

The inside interface (security level 100) is VLAN 1, Ethernet 0/1 through Ethernet 0/7 are assigned to VLAN 1 and it is enabled.  VLAN 1 has IP address 192.168.1.1. With this default, if you want to access the firewall using ASDM from a host on the inside interface with an address of 192.168.1.2, enter the following commands:

crypto key generate rsa modulus 1024
write mem
http server enable
http 192.168.1.2 255.255.255.255 inside

The URL you should use is http://192.168.1.1. To allow all users on the 192.168.2.0 network to access ASDM on the inside interface, enter the following command:  http 192.168.3.0 255.255.255.0 inside

As per your current config you have 192.168.200.254 on vlan 1 interface. Hence you should use this address as ASDM address in your browser.

That ACL is applied on the outside interface. Hence, it doesn't affect your ASDM access from the inside interface. Please look at my latest reply for more info and reply.

Well my machine address is 192.168.200.34

When I type https://192.168.200.254 it times out.  This tells me that the http server is not running, which it shouldn't be since I turned it off.

This thing has been setup for a couple of years now and I have inherited this mess. 

So our Vlan1 is .200.254, not 1.1.

So how do I check to see what is blocking the 443 traffic? 

Well... I don't see the 'http server enable' command in your running configuration... you will not be able to access the ASDM. Can you enter that command and check that? If you think that port 443 is not appropriate for you for any reason, use a different port number by entering the command - http server enable ... say for example - http server enable 8901... and use https://192.168.200.254:8901 to access the ASA.

Ok, so that got the ASDM running.  Now, how do I see why port 443 is not going through??

From my PC which is 192.168.200.34 I can access https:// addresses

but our server on 192.168.200.200 cannot.  This doesn't seem to make sense to me...

Is there something in ASDM that will allow me to see each request that comes through??

So from ASDM...

I pulled up the Packet Tracer.

Interface: outside

Source IP: 192.168.200.200    Destination IP: 129.33.160.xxx[redacted]

Source Port: 443                    Destination Port: 443

When I run it I get a result of (rpf-violated) Reverse-path verify failed

What does this mean?  Am I doing this right?  I tested the exact same settings over the Interface: inside and it worked with no problem.  But I figure with the destination being outside I should use that interface, right?

Thanks

Bryce
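As an added illustration (not from the thread or from Cisco), this Python model of the ASA's reverse-path check is built from the two addressed interfaces and the default route in the posted config; it reproduces why packet-tracer run on the outside interface with the inside server's address as source reports rpf-violated, and why the same test passes on inside. The destination 198.51.100.10 is a constructed stand-in for the redacted address.

```python
import ipaddress

# Connected networks and the static default route from the running config in
# the thread. Vlan3 "Presses" has no IP address, so it cannot be a route target.
ROUTES = [
    (ipaddress.ip_network("192.168.200.0/24"), "inside"),   # Vlan1
    (ipaddress.ip_network("204.186.233.24/30"), "outside"), # Vlan2
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),         # route outside 0.0.0.0 0.0.0.0 204.186.233.25 1
]
# "ip verify reverse-path interface outside": uRPF is enforced on outside only.
RPF_INTERFACES = {"outside"}

def route_lookup(addr):
    """Longest-prefix match: the interface the ASA would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def reverse_path_check(ingress, src):
    """'rpf-violated' when the source would be reached through a different
    interface than the one the packet arrived on; interfaces without
    'ip verify reverse-path' are never checked."""
    if ingress not in RPF_INTERFACES:
        return "pass"
    return "pass" if route_lookup(src) == ingress else "rpf-violated"

def packet_tracer(ingress, src, dst):
    """Minimal imitation of the early packet-tracer phases for one flow."""
    rpf = reverse_path_check(ingress, src)
    if rpf != "pass":
        return f"drop: {rpf} (source {src} belongs to {route_lookup(src)}, not {ingress})"
    return f"continue: route to {dst} via {route_lookup(dst)}"

if __name__ == "__main__":
    # The exact test from the thread: inside server's address fed in on outside.
    print(packet_tracer("outside", "192.168.200.200", "198.51.100.10"))
    # The flow really enters on inside, which is what should be traced.
    print(packet_tracer("inside", "192.168.200.200", "198.51.100.10"))
```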

You can setup a capture via CLI to 'see' these packets if they are getting to the ASA.

!SINGLE OUT THE TRAFFIC IN AN ACCESS LIST
access-list cap extended permit tcp host 192.168.200.200 any eq 443
!CAPTURE THE TRAFFIC USING THE CAPTURE FUNCTION
cap cap access-list cap
!VIEW THE CAPTURE AFTER GENERATING THE HTTPS TRAFFIC
sho cap cap

This will verify that the ASA is actually receiving the flow from the server. The config that you've posted above doesn't seem to block HTTPS inbound INSIDE interface but I may be missing something. Let us know if the ASA is receiving hits on this capture after you've generated traffic. If not, you have an issue before the ASA in your network.

Kind Regards,

Kevin

Please rate helpful posts and mark as answered once the issue is resolved so that others may easily find the solution.

Kind Regards, Kevin Sheahan, CCIE # 41349

How do I turn off the cap to stop collecting???? 

no cap cap access-list cap ???

No cap cap

Sent from Cisco Technical Support iPhone App

Kind Regards, Kevin Sheahan, CCIE # 41349

It showed nothing.  I added one for http to the access list and that didn't turn anything up either.  So something else must be blocking the traffic?

Glad to hear that you are able to use ASDM now. To monitor what types of network traffic have been allowed and denied you need to configure logging - go to Configuration > Device Management > Logging > Logging Setup

Once you configure logging go to - Monitoring > Logging > Real-Time Log Viewer to monitor the realtime logs.

About your server on 192.168.200.200, you said you are not able to access https from it. Could you tell me where your destination https server is located? Is that outside of your network?

HTH.
