cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4230
Views
0
Helpful
23
Replies

Urgent: ASA 5505 dropping port 443 traffic...no idea why.

brycekmartin
Beginner
Beginner

Ok, I am VERY green, so bear with me.  Networking is not my gig, but it has to be at this very moment.  We have an ASA 5505. Let me explain what's going on.

On Tuesday I wanted to be able to use the ASDM since there is less room for error.  But we only had a console set up.  So I ran the following commands...

in ($config) 

http      of course didn't do anything incomplete command

http 192.168.1.2 255.255.255.255        didn't anything incomplete command

http 192.168.200.254 255.255.255.255 inside 

http server enable

asdm image disk0:/asdm-524.bin

http 192.168.200.0 255.255.255.0 inside

http 192.168.200.254 255.255.255.255 inside

After doing this our CC processing stopped because the http server runs on port 443 so it was trapping all the secure traffic which we discovered the following morning.

So to fix it I entered this...

no http server enable

http 192.168.200.0 255.255.255.0 inside

http 192.168.1.2 255.255.255.255

http 192.168.200.254 255.255.255.255 inside

Everything started working after that.  Everything worked fine all of wednesday and thursday.  Then this morning it stopped processing again.  When I traceroute it gets to the machine that is hooked up to the console and stops.  So I'm guessing its actually getting to the ASA router and being swallowed up again...

What do I check?  What do you need to help me? 

Thanks in advance...

Bryce Martin

23 Replies 23

Yes, the address is outside the network.  I can ping outside the network, but I can't traceroute from 192.168.200.200 on 443.

Now, I did the cap as instructed above.  I even added an entry for http along with 443.  I pinged mail.google.com successfully (obv outside the network), but no packeds show up in the cap.  So is the cap not setup right?  Or what could be going on?

from my PC command line I can ping mail.google.com but I can't traceroute mail.google.com.  Traceroute goes to our DNS server and then dies.  But from my browser I have no problem checking my gmail account... so something is tweaked here and I'm not sure what it could be....

seeing that my PC is on the same Vlan as the Server I thought it relevant... yes???

So here is the latest.  I did this...

no http server enable 8901

- which obv shut down the server.

Then everything worked just fine!  What the heck?!

The thing wasn't started to begin with and was blocking the traffic.  I enable the server - not even on the 443 port, and then turn it off and everything works.

I AM SO CONFUSED!  Can anyone shed any light on this???

Thats strange. The http server enalble has nothing to do with the https traffic passing thorugh the firewall to outisde world.

Let me summarize - when you have 'http server enable', the FW blocks the https (443) traffic which is going outside and it works fine after removing 'http server enable'. Rt?

Will take a close look at your acl's and NAT. Meanwhile, Could you paste the - show conn and show xlate

Your summarization would be correct.  Makes no sense to me.

The show conn is REALLY long.  If you want it I'll take the time to copy out.

Here is the show xlate

Global 192.168.200.201 Local 192.168.200.201

Global 204.186.124.2 Local 192.168.200.202

Global 204.186.124.113 Local 192.168.200.235

Global 204.186.124.114 Local 192.168.200.236

Global 204.186.124.115 Local 192.168.100.253

Global 204.186.124.208 Local 192.168.200.208

Global 204.186.124.209 Local 192.168.200.209

Global 204.186.124.210 Local 192.168.200.210

Global 204.186.124.56 Local 10.1.1.15

Global 204.186.124.5 Local 192.168.200.26

Global 204.186.124.42 Local 192.168.200.90

Global 204.186.124.35 Local 192.168.200.22

Global 204.186.124.38 Local 192.168.200.75

Global 204.186.124.31 Local 192.168.200.64

Global 204.186.124.82 Local 192.168.200.48

Global 204.186.124.15 Local 192.168.200.54

Global 204.186.124.66 Local 192.168.200.67

Global 204.186.124.72 Local 10.250.11.224

Global 204.186.124.68 Local 192.168.200.61

Global 204.186.124.40 Local 192.168.200.37

Global 204.186.124.36 Local 192.168.200.45

Global 204.186.124.44 Local 192.168.200.83

Global 204.186.124.71 Local 192.168.200.57

Global 204.186.124.9 Local 192.168.200.65

Global 204.186.124.62 Local 192.168.200.32

Global 204.186.124.24 Local 192.168.200.34

Global 204.186.124.33 Local 192.168.200.204

Global 204.186.124.21 Local 192.168.200.25

Global 204.186.124.30 Local 192.168.200.70

Global 204.186.124.13 Local 192.168.200.49

Global 204.186.124.32 Local 192.168.200.73

Global 204.186.124.12 Local 192.168.200.29

Global 204.186.124.70 Local 192.168.200.200

Global 204.186.124.67 Local 192.168.200.46

Global 204.186.124.39 Local 192.168.200.50

Global 204.186.124.47 Local 192.168.200.23

Global 204.186.124.53 Local 192.168.200.112

Global 204.186.124.48 Local 192.168.200.47

Global 204.186.124.59 Local 192.168.200.31

Global 204.186.124.7 Local 192.168.200.39

Global 204.186.124.52 Local 192.168.200.74

Global 204.186.124.73 Local 192.168.200.86

Global 204.186.124.22 Local 192.168.200.238

Global 204.186.124.27 Local 192.168.200.38

Global 204.186.124.77 Local 192.168.200.251

Global 204.186.124.45 Local 192.168.200.97

Global 204.186.124.41 Local 192.168.200.68

Global 204.186.124.23 Local 192.168.200.91

Global 204.186.124.25 Local 192.168.200.77

Global 204.186.124.19 Local 192.168.200.99

Global 204.186.124.51 Local 192.168.200.28

Global 204.186.124.16 Local 192.168.200.41

Global 204.186.124.65 Local 192.168.200.115

Global 204.186.124.57 Local 192.168.200.114

Global 204.186.124.17 Local 192.168.200.95

Global 204.186.124.29 Local 192.168.200.118

Global 204.186.124.69 Local 10.252.215.120

Global 204.186.124.34 Local 192.168.200.27

Global 204.186.124.8 Local 192.168.200.201

Global 204.186.124.37 Local 192.168.200.111

Global 204.186.124.54 Local 192.168.200.101

i dont see any issue with configs. Could you put the http server back and execute - clear conn and clear xlate. Post the result. Also, attach the show logg

That will drop all current connections and xlations.  Anyone using the network would get dropped?  Is this something that should be done in off hours?

Yes, there will be a disruption. I thought, its a nonprod environment.

well this magically popped up again today.  have no idea why.  the http sever is not running on the device.  The show config proves its not running.  I can't figure out why this thing is blocking https from our 1 server.  The server is in the access list specifically with

access-list 102 extended permit tcp any host 192.168.200.200 eq https

access-list 102 extended permit udp any host 192.168.200.200 eq 443

There are other permits in there as well.  There are not any deny entries.... Can anyone think of a reason why this would be?

Here is the latest running config...

ASA Version 7.2(4)

!

hostname CiscoASA

domain-name ****[redacted]****.com

enable password ****[redacted]**** encrypted

passwd ****[redacted]**** encrypted

names

!

interface Vlan1

description Behind Firewall

nameif inside

security-level 100

ip address 192.168.200.254 255.255.255.0

!

interface Vlan2

description Outside Firewall  -  Ethernet 0/0 is R20  -  Ethernet 0/2 is Outsid

e -  Ethernet 0/3 is Atlantic Zeiser

nameif outside

security-level 0

ip address 204.186.233.26 255.255.255.252

!

interface Vlan3

nameif Presses

security-level 50

ip address 192.168.100.254 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 3

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 2

duplex full

!

interface Ethernet0/3

switchport access vlan 2

!

interface Ethernet0/4

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa724-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name ****[redacted]****.com

same-security-traffic permit intra-interface

access-list 101 extended permit ip host 204.186.124.2 10.1.1.0 255.255.255.0

access-list 101 extended permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.

255.0

access-list 101 extended permit ip any 10.1.1.0 255.255.255.0

access-list 102 extended permit ip any host 204.186.124.115

access-list 102 extended permit tcp any host 204.186.124.2 eq smtp

access-list 102 extended permit tcp any host 204.186.124.2 eq pop3

access-list 102 extended permit tcp any host 204.186.124.2 eq www

access-list 102 extended permit icmp any any echo-reply

access-list 102 extended permit tcp any host 204.186.124.113 eq www

access-list 102 extended permit tcp any host 204.186.124.114 eq www

access-list 102 extended permit tcp any host 204.186.124.114 eq 3011

access-list 102 extended permit tcp any host 204.186.124.113 eq 3011

access-list 102 extended permit udp any host 204.186.124.113 eq 3011

access-list 102 extended permit udp any host 204.186.124.114 eq 3011

access-list 102 extended permit tcp any host 192.168.200.200 eq www

access-list 102 extended permit udp any host 192.168.200.200 eq www

access-list 102 extended permit tcp any host 192.168.200.200 eq https

access-list 102 extended permit udp any host 192.168.200.200 eq 443

access-list 102 extended permit tcp any host 192.168.200.200 eq 500

access-list 102 extended permit udp any host 192.168.200.200 eq isakmp

access-list 102 extended permit tcp any host 192.168.200.200 eq 4500

access-list 102 extended permit udp any host 192.168.200.200 eq 4500

access-list 102 extended permit tcp any host 204.186.124.2 eq 587

access-list inside_access_in remark Facebook

access-list inside_access_in extended deny tcp any 69.63.176.0 255.255.240.0

access-list inside_access_in remark My space

access-list inside_access_in extended deny tcp any 216.178.32.0 255.255.240.0

access-list inside_access_in extended permit ip any any

access-list presses_in extended permit ip any any

access-list presses_in extended permit icmp any any

access-list cap extended permit tcp host 192.168.200.200 any eq https

access-list cap extended permit tcp host 192.168.200.200 any eq www

pager lines 24

logging enable

logging timestamp

logging monitor debugging

logging trap debugging

logging history debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu Presses 1500

ip local pool clients 10.1.1.1-10.1.1.254

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

asdm location 216.178.32.0 255.255.240.0 inside

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 204.186.124.4-204.186.124.110 netmask 255.255.255.0

global (outside) 1 204.186.124.3 netmask 255.255.255.0

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 10.1.1.0 255.255.255.0

nat (Presses) 1 0.0.0.0 0.0.0.0

static (inside,outside) 204.186.124.2 192.168.200.202 netmask 255.255.255.255

static (inside,outside) 204.186.124.113 192.168.200.235 netmask 255.255.255.255

static (inside,outside) 204.186.124.114 192.168.200.236 netmask 255.255.255.255

static (Presses,outside) 204.186.124.115 192.168.100.253 netmask 255.255.255.255

static (inside,Presses) 192.168.200.201 192.168.200.201 netmask 255.255.255.255

static (inside,outside) 204.186.124.208 192.168.200.208 netmask 255.255.255.255

static (inside,outside) 204.186.124.209 192.168.200.209 netmask 255.255.255.255

static (inside,outside) 204.186.124.210 192.168.200.210 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group 102 in interface outside

access-group presses_in in interface Presses

route outside 0.0.0.0 0.0.0.0 204.186.233.25 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http 192.168.200.0 255.255.255.0 inside

http 192.168.200.254 255.255.255.255 inside

http 192.168.200.0 255.255.255.255 inside

http 192.168.1.2 255.255.255.255 inside

http 192.168.1.0 255.255.255.0 inside

http 192.168.200.40 255.255.255.255 inside

no snmp-server location

no snmp-server contact

sysopt connection tcpmss 1300

sysopt noproxyarp inside

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map dynmap 20 set transform-set myset

crypto dynamic-map dynmap 40 set pfs

crypto dynamic-map dynmap 40 set transform-set ESP-3DES-SHA

crypto map mymap 20 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal  20

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

ssh version 1

console timeout 0

group-policy vpnweb internal

group-policy vpnweb attributes

dns-server value 192.168.200.201 192.168.200.202

vpn-tunnel-protocol IPSec

default-domain value ****[redacted]****.local

group-policy vpn3000 internal

group-policy vpn3000 attributes

banner value Welcome to ****[redacted]**** Virtual Private Network

dns-server value 192.168.200.201 192.168.200.203

vpn-idle-timeout 30

default-domain value ****[redacted]****.local

tunnel-group vpn3000 type ipsec-ra

tunnel-group vpn3000 general-attributes

address-pool clients

default-group-policy vpn3000

tunnel-group vpn3000 ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

tunnel-group vpnweb type ipsec-ra

tunnel-group vpnweb general-attributes

address-pool clients

default-group-policy vpnweb

tunnel-group vpnweb ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect http

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:****[redacted]****

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers