05-11-2012 07:07 AM - edited 03-07-2019 06:38 AM
Ok, I am VERY green, so bear with me. Networking is not my gig, but it has to be at this very moment. We have an ASA 5505. Let me explain what's going on.
On Tuesday I wanted to be able to use the ASDM since there is less room for error. But we only had a console set up. So I ran the following commands...
in ($config)
http of course didn't do anything - incomplete command
http 192.168.1.2 255.255.255.255 didn't do anything - incomplete command
http 192.168.200.254 255.255.255.255 inside
http server enable
asdm image disk0:/asdm-524.bin
http 192.168.200.0 255.255.255.0 inside
http 192.168.200.254 255.255.255.255 inside
After doing this our CC processing stopped, because the http server runs on port 443 and so it was trapping all the secure traffic, which we discovered the following morning.
So to fix it I entered this...
no http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.1.2 255.255.255.255
http 192.168.200.254 255.255.255.255 inside
Everything started working after that. Everything worked fine all of Wednesday and Thursday. Then this morning it stopped processing again. When I traceroute it gets to the machine that is hooked up to the console and stops. So I'm guessing it's actually getting to the ASA router and being swallowed up again...
What do I check? What do you need to help me?
Thanks in advance...
Bryce Martin
05-11-2012 09:51 AM
Yes, the address is outside the network. I can ping outside the network, but I can't traceroute from 192.168.200.200 on 443.
Now, I did the cap as instructed above. I even added an entry for http along with 443. I pinged mail.google.com successfully (obv outside the network), but no packets show up in the cap. So is the cap not set up right? Or what could be going on?
05-11-2012 09:54 AM
From my PC command line I can ping mail.google.com but I can't traceroute mail.google.com. Traceroute goes to our DNS server and then dies. But from my browser I have no problem checking my gmail account... so something is tweaked here and I'm not sure what it could be....
Seeing that my PC is on the same Vlan as the server, I thought it relevant... yes???
05-11-2012 10:48 AM
So here is the latest. I did this...
no http server enable 8901
- which obv shut down the server.
Then everything worked just fine! What the heck?!
The thing wasn't started to begin with and was blocking the traffic. I enable the server - not even on port 443 - and then turn it off, and everything works.
I AM SO CONFUSED! Can anyone shed any light on this???
05-11-2012 11:27 AM
That's strange. The http server enable has nothing to do with the https traffic passing through the firewall to the outside world.
Let me summarize - when you have 'http server enable', the FW blocks the https (443) traffic which is going outside and it works fine after removing 'http server enable'. Rt?
Will take a close look at your acl's and NAT. Meanwhile, could you paste the - show conn and show xlate
05-11-2012 12:09 PM
Your summarization would be correct. Makes no sense to me.
The show conn is REALLY long. If you want it I'll take the time to copy it out.
Here is the show xlate
05-11-2012 12:17 PM
I don't see any issue with the configs. Could you put the http server back and execute - clear conn and clear xlate. Post the result. Also, attach the show logg
05-11-2012 12:51 PM
That will drop all current connections and xlates. Anyone using the network would get dropped? Is this something that should be done in off hours?
05-11-2012 12:58 PM
Yes, there will be a disruption. I thought it's a nonprod environment.
05-16-2012 07:13 AM
Well, this magically popped up again today. I have no idea why. The http server is not running on the device. The show config proves it's not running. I can't figure out why this thing is blocking https from our 1 server. The server is in the access list specifically with
access-list 102 extended permit tcp any host 192.168.200.200 eq https
access-list 102 extended permit udp any host 192.168.200.200 eq 443
There are other permits in there as well. There are not any deny entries.... Can anyone think of a reason why this would be?
Here is the latest running config...
ASA Version 7.2(4)
!
hostname CiscoASA
domain-name ****[redacted]****.com
enable password ****[redacted]**** encrypted
passwd ****[redacted]**** encrypted
names
!
interface Vlan1
description Behind Firewall
nameif inside
security-level 100
ip address 192.168.200.254 255.255.255.0
!
interface Vlan2
description Outside Firewall - Ethernet 0/0 is R20 - Ethernet 0/2 is Outside - Ethernet 0/3 is Atlantic Zeiser
nameif outside
security-level 0
ip address 204.186.233.26 255.255.255.252
!
interface Vlan3
nameif Presses
security-level 50
ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
duplex full
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ****[redacted]****.com
same-security-traffic permit intra-interface
access-list 101 extended permit ip host 204.186.124.2 10.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 extended permit ip any 10.1.1.0 255.255.255.0
access-list 102 extended permit ip any host 204.186.124.115
access-list 102 extended permit tcp any host 204.186.124.2 eq smtp
access-list 102 extended permit tcp any host 204.186.124.2 eq pop3
access-list 102 extended permit tcp any host 204.186.124.2 eq www
access-list 102 extended permit icmp any any echo-reply
access-list 102 extended permit tcp any host 204.186.124.113 eq www
access-list 102 extended permit tcp any host 204.186.124.114 eq www
access-list 102 extended permit tcp any host 204.186.124.114 eq 3011
access-list 102 extended permit tcp any host 204.186.124.113 eq 3011
access-list 102 extended permit udp any host 204.186.124.113 eq 3011
access-list 102 extended permit udp any host 204.186.124.114 eq 3011
access-list 102 extended permit tcp any host 192.168.200.200 eq www
access-list 102 extended permit udp any host 192.168.200.200 eq www
access-list 102 extended permit tcp any host 192.168.200.200 eq https
access-list 102 extended permit udp any host 192.168.200.200 eq 443
access-list 102 extended permit tcp any host 192.168.200.200 eq 500
access-list 102 extended permit udp any host 192.168.200.200 eq isakmp
access-list 102 extended permit tcp any host 192.168.200.200 eq 4500
access-list 102 extended permit udp any host 192.168.200.200 eq 4500
access-list 102 extended permit tcp any host 204.186.124.2 eq 587
access-list inside_access_in remark Facebook
access-list inside_access_in extended deny tcp any 69.63.176.0 255.255.240.0
access-list inside_access_in remark My space
access-list inside_access_in extended deny tcp any 216.178.32.0 255.255.240.0
access-list inside_access_in extended permit ip any any
access-list presses_in extended permit ip any any
access-list presses_in extended permit icmp any any
access-list cap extended permit tcp host 192.168.200.200 any eq https
access-list cap extended permit tcp host 192.168.200.200 any eq www
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Presses 1500
ip local pool clients 10.1.1.1-10.1.1.254
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm location 216.178.32.0 255.255.240.0 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 204.186.124.4-204.186.124.110 netmask 255.255.255.0
global (outside) 1 204.186.124.3 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.1.1.0 255.255.255.0
nat (Presses) 1 0.0.0.0 0.0.0.0
static (inside,outside) 204.186.124.2 192.168.200.202 netmask 255.255.255.255
static (inside,outside) 204.186.124.113 192.168.200.235 netmask 255.255.255.255
static (inside,outside) 204.186.124.114 192.168.200.236 netmask 255.255.255.255
static (Presses,outside) 204.186.124.115 192.168.100.253 netmask 255.255.255.255
static (inside,Presses) 192.168.200.201 192.168.200.201 netmask 255.255.255.255
static (inside,outside) 204.186.124.208 192.168.200.208 netmask 255.255.255.255
static (inside,outside) 204.186.124.209 192.168.200.209 netmask 255.255.255.255
static (inside,outside) 204.186.124.210 192.168.200.210 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 102 in interface outside
access-group presses_in in interface Presses
route outside 0.0.0.0 0.0.0.0 204.186.233.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http 192.168.200.0 255.255.255.0 inside
http 192.168.200.254 255.255.255.255 inside
http 192.168.200.0 255.255.255.255 inside
http 192.168.1.2 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.200.40 255.255.255.255 inside
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 1300
sysopt noproxyarp inside
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto dynamic-map dynmap 40 set pfs
crypto dynamic-map dynmap 40 set transform-set ESP-3DES-SHA
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
group-policy vpnweb internal
group-policy vpnweb attributes
dns-server value 192.168.200.201 192.168.200.202
vpn-tunnel-protocol IPSec
default-domain value ****[redacted]****.local
group-policy vpn3000 internal
group-policy vpn3000 attributes
banner value Welcome to ****[redacted]**** Virtual Private Network
dns-server value 192.168.200.201 192.168.200.203
vpn-idle-timeout 30
default-domain value ****[redacted]****.local
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool clients
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
tunnel-group vpnweb type ipsec-ra
tunnel-group vpnweb general-attributes
address-pool clients
default-group-policy vpnweb
tunnel-group vpnweb ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:****[redacted]****
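An added audit script (not from the thread or from Cisco) that reads lines like the config pasted above and flags two things a reviewer would raise: on ASA releases before 8.3, an ACL applied to the outside interface is matched against the mapped (global) addresses, so the `access-list 102 ... host 192.168.200.200` entries can never match inbound traffic and are not what permits the server's outbound https, and `ssh 0.0.0.0 0.0.0.0 outside` with `ssh version 1` exposes management on the Internet-facing interface. The embedded config excerpt is constructed from the lines quoted in the post.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 7.2(4) config quoted in the thread (assumption:
# only the lines the checks need are reproduced here).
SAMPLE_CONFIG = """
access-list 102 extended permit tcp any host 204.186.124.2 eq smtp
access-list 102 extended permit tcp any host 192.168.200.200 eq https
access-list 102 extended permit udp any host 192.168.200.200 eq 443
access-group 102 in interface outside
static (inside,outside) 204.186.124.2 192.168.200.202 netmask 255.255.255.255
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
"""

ACL_HOST = re.compile(r"^access-list (\S+) extended permit \S+ \S+ host (\S+)")
ACL_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")
STATIC_OUT = re.compile(r"^static \(\S+,outside\) (\S+) (\S+)")
SSH_ANY = re.compile(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def audit(config):
    """Return a list of 'tag: line' findings for a pre-8.3 ASA config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    outside_acls = set()   # ACL names bound inbound on the outside interface
    mapped = set()         # global addresses that have a static translation
    for l in lines:
        g = ACL_GROUP.match(l)
        if g and g.group(2) == "outside":
            outside_acls.add(g.group(1))
        s = STATIC_OUT.match(l)
        if s:
            mapped.add(s.group(1))
    findings = []
    for l in lines:
        a = ACL_HOST.match(l)
        if a and a.group(1) in outside_acls:
            dst = ipaddress.ip_address(a.group(2))
            if dst.is_private:
                # Outside ACL sees mapped addresses; an RFC1918 host never matches.
                findings.append(f"unreachable-ace: {l}")
            elif a.group(2) not in mapped:
                # Permit toward a global address with no static to deliver it.
                findings.append(f"no-static: {l}")
        s = SSH_ANY.match(l)
        if s and s.group(1) == "outside":
            findings.append(f"ssh-any-outside: {l}")
        if l == "ssh version 1":
            findings.append(f"ssh-v1: {l}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the two dead ACEs and the two SSH exposure findings; the smtp entry passes because 204.186.124.2 has a static.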