ASA 5510 with 8.2(1) drive mappings work, then fail on LAN connections

Discussion in 'Cisco' started by Infosys2008, Nov 9, 2009.

  1. Infosys2008 (Joined: Nov 9, 2009; Messages: 1)
    Never worked with ASAs; also, I just started working here and we only have ACLs. Any help would be appreciated. We are not NATed at this point. Problems are the LAN is being denied. Drive mappings work, then fail. Users have to log off then in, but it keeps failing. What is wrong with my config??? Errors are at bottom...

    ASA Version 8.2(1)
    !
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 164.234.17.49 255.255.255.240
    !
    interface Ethernet0/1
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/2
    nameif inside
    security-level 100
    ip address 12.212.177.62 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.100 255.255.255.0
    management-only
    !
    banner motd ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!!
    banner motd This is a privately owned computing system.
    banner motd Access is permitted only by authorized employees or agents of the company.
    banner motd The system may be used only for authorized company business.
    banner motd Company management approval is required for all access privileges.
    banner motd This system is equipped with a security system intended to prevent and
    banner motd record unauthorized access attempts.
    banner motd Unauthorized access or use is a crime under the law.
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    access-list outsideIn extended permit ip 133.185.175.0 255.255.255.0 any
    access-list outsideIn extended deny ip 220.226.218.0 255.255.255.0 any
    access-list outsideIn extended deny ip 110.35.34.0 255.255.255.0 any
    access-list outsideIn extended deny ip 24.76.48.0 255.255.255.0 any
    access-list outsideIn extended permit ip 12.212.179.0 255.255.255.0 any
    access-list outsideIn extended permit tcp any host 12.212.177.72 eq 8009
    access-list outsideIn extended permit tcp any host 12.212.177.40 eq www
    access-list outsideIn extended permit tcp any 12.212.177.0 255.255.255.192 eq smtp
    access-list outsideIn extended permit udp host 133.185.254.252 any
    access-list outsideIn extended permit udp host 205.225.182.1 any
    access-list outsideIn extended permit udp host 205.225.130.209 any
    access-list outsideIn extended permit tcp host 164.234.17.50 host 164.234.17.49 eq telnet
    access-list outsideIn extended permit tcp any host 12.212.177.27 eq smtp
    access-list outsideIn extended permit tcp any host 12.212.177.27 eq 8167
    access-list outsideIn extended permit tcp any host 12.212.177.19 eq 5003
    access-list outsideIn extended permit tcp any host 12.212.177.19 eq 18082
    access-list outsideIn extended permit udp any host 12.212.177.27 eq 8167
    access-list outsideIn extended permit ip 12.212.177.0 255.255.255.0 any
    access-list outsideIn extended permit ip 12.212.179.0 255.255.255.128 any
    access-list outsideIn extended permit tcp any host 12.212.177.19 eq telnet
    access-list outsideIn extended permit tcp any host 12.212.177.16 eq telnet
    access-list outsideIn extended permit tcp any host 12.212.177.40 eq telnet
    access-list outsideIn extended permit tcp any 12.212.177.0 255.255.255.0 gt 1024
    access-list outsideIn extended permit icmp 164.234.17.0 255.255.255.0 any
    access-list outsideIn extended permit icmp 172.16.89.0 255.255.255.0 any
    access-list outsideIn extended permit ip 12.212.177.0 255.255.255.0 164.234.0.0 255.255.0.0
    access-list outsideIn extended deny ip any any log
    access-list InsideOut extended permit icmp any any
    access-list InsideOut extended permit ip 12.212.177.0 255.255.255.0 any
    access-list InsideOut extended permit udp any any
    access-list InsideOut extended permit tcp any any
    access-list InsideOut extended permit ip any any
    pager lines 24
    logging enable
    logging monitor warnings
    logging buffered notifications
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 133.185.0.0 255.255.0.0 echo-reply outside
    icmp permit 133.185.0.0 255.255.0.0 echo outside
    icmp permit 12.212.177.0 255.255.255.0 echo inside
    icmp permit 133.185.0.0 255.255.0.0 echo-reply inside
    icmp permit 133.185.0.0 255.255.0.0 echo inside
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    static (outside,inside) 12.212.177.0 255.255.255.0 netmask 255.255.255.0
    access-group outsideIn in interface outside
    access-group InsideOut in interface inside
    route outside 0.0.0.0 0.0.0.0 164.234.17.62 1
    route inside 164.234.42.0 255.255.255.0 12.212.177.63 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication telnet console LOCAL
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect dns preset_dns_map
    inspect http
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    !
    service-policy global_policy global

    *********************** Errors below*********************
    %ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2545 flags RST ACK on interface inside
    %ASA-4-500004: Invalid transport field for protocol=UDP, from 12.212.177.13/4894 to 0.0.0.1/0
    %ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2547 flags RST ACK on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2551 flags RST ACK on interface inside
    %ASA-5-304001: 12.212.177.137 Accessed URL 209.80.46.53:/js/counter.js?site=s27Pollster
    %ASA-5-304001: 12.212.177.137 Accessed URL 209.80.46.53:/js/counter.asp?site=s27Pollster
    %ASA-2-106006: Deny inbound UDP from 125.164.129.185/1235 to 12.212.179.161/24495 on interface outside
    %ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2567 flags SYN ACK on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2553 flags RST ACK on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2569 flags SYN ACK on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2555 flags RST ACK on interface inside
    %ASA-4-500004: Invalid transport field for protocol=UDP, from 12.212.177.13/4894 to 0.0.0.2/0
    %ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2557 flags RST ACK on interface inside
    Last edited: Nov 9, 2009
    Infosys2008, Nov 9, 2009
    #1

  2. networkerz (Joined: May 3, 2010; Messages: 1)

    Hi Infosys2008, I've been searching for something related to this error and somehow I found your thread. Let's investigate this one by one; we'll start with the error above.

    I’ve checked your ACL, it’s there.

    Line 57: access-list outsideIn extended permit tcp any host 12.212.177.27 eq 8167

    But how come you get that error message?
    Hint: Always look at the error message and try to figure it out.

    In which situation do we get the TCP flags RST ACK? One of the situations is where the first SYN packet sent by the initiator to the recipient gets it in response. In other words, port 8167 is not even listening on 12.212.177.27, or there might be another network device that blocked this connection.

    I would suggest you do a packet-tracer to test the firewall rules.

    Code:
    packet-tracer input <interface> tcp 164.234.42.7 2545 12.212.177.27 8167 detail
    You can also do a packet capture to see more details on what is actually happening in your network. I guess you'll see a number of SYN packets sent from 164.234.42.7 to 12.212.177.27 at port 8167, and then 12.212.177.27 will reply with RST ACK instead of a SYN ACK packet.

    Hope this will help.
    networkerz, Jul 19, 2011
    #2
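An added example, not from either poster, that applies networkerz's reading of the flags to the log excerpt in the first post. A stateful firewall such as the ASA only builds a TCP connection from a SYN; a SYN ACK or RST ACK that arrives with no matching connection is a reply to a handshake the ASA never saw start, and RST ACK is what a host sends when nothing listens on the requested port. The script parses %ASA-2-106001 and %ASA-2-106006 messages, tallies them by interface, source, source port, destination and packet kind, and reports which (host, port) pairs answered with a reset. The sample log lines are constructed in the shape of the ones pasted above (same format, same addresses) so that it runs offline; the function names are this example's own.

```python
"""Parse ASA %ASA-2-106001 / %ASA-2-106006 deny messages and tally them.

Added example for this thread; not from either poster. The log lines below
are constructed in the shape of the excerpt in post #1 so the block runs
offline.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the same message formats the original post pasted.
SAMPLE_LOG = """\
%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2545 flags RST ACK on interface inside
%ASA-4-500004: Invalid transport field for protocol=UDP, from 12.212.177.13/4894 to 0.0.0.1/0
%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2547 flags RST ACK on interface inside
%ASA-2-106006: Deny inbound UDP from 125.164.129.185/1235 to 12.212.179.161/24495 on interface outside
%ASA-2-106001: Inbound TCP connection denied from 12.212.177.27/8167 to 164.234.42.7/2567 flags SYN ACK on interface inside
"""

# 106001: a TCP packet that matched no existing connection and was not allowed
# to create one. The flags field says whether it was a fresh SYN or a reply.
TCP_DENY = re.compile(
    r"%ASA-\d-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)
# 106006: an inbound UDP datagram denied by the interface ACL.
UDP_DENY = re.compile(
    r"%ASA-\d-106006: Deny inbound UDP from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Deny:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: tuple   # TCP flag names as logged; empty for UDP
    iface: str


def parse_line(line: str) -> Optional[Deny]:
    """Return a Deny for a 106001/106006 line, None for anything else."""
    m = TCP_DENY.search(line)
    if m:
        return Deny("tcp", m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                    tuple(m["flags"].split()), m["iface"])
    m = UDP_DENY.search(line)
    if m:
        return Deny("udp", m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                    (), m["iface"])
    return None


def classify(d: Deny) -> str:
    """Name what kind of packet the firewall dropped.

    Only a SYN can open a connection on a stateful firewall. SYN ACK or RST ACK
    with no matching connection is a reply to a handshake the ASA did not see
    begin; RST ACK is the answer a host gives to a SYN on a closed port.
    """
    if d.proto != "tcp":
        return "udp-acl-deny"
    f = set(d.flags)
    if f == {"SYN"}:
        return "tcp-new-attempt-denied"
    if "RST" in f:
        return "tcp-reset-reply-no-conn"
    if f == {"SYN", "ACK"}:
        return "tcp-synack-reply-no-conn"
    return "tcp-other-no-conn"


def summarize(log_text: str) -> Counter:
    """Count denies by (interface, source, source port, destination, kind)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        d = parse_line(line)
        if d is not None:
            counts[(d.iface, d.src, d.sport, d.dst, classify(d))] += 1
    return counts


def refusing_endpoints(counts: Counter) -> dict:
    """Map (host, port) -> number of RST replies it sent, i.e. ports that
    answered connection attempts with a reset."""
    out: dict = {}
    for (_iface, src, sport, _dst, kind), n in counts.items():
        if kind == "tcp-reset-reply-no-conn":
            out[(src, sport)] = out.get((src, sport), 0) + n
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, n in sorted(summary.items()):
        print(n, key)
    print("ports answering with RST:", refusing_endpoints(summary))
```

On the sample, the RST ACK lines all come from 12.212.177.27 port 8167 toward 164.234.42.7, so the tally points at that host and port as the one refusing the client, which is exactly what a packet-tracer or capture for that flow would then confirm or rule out.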
