[c-nsp] ASA bug?

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Tue Jan 25 14:03:01 EST 2011


<snip>
> from an internet host I attempt a connection to port 80:
>
>
> ggw at 76.65.229.23:~$  telnet x.x.x.x 80
>
>
> I see the packets egress the newdmz interface:
>
>    1: 15:55:11.839525 802.1Q vlan#560 P0 x.x.x.x.2716 > 192.168.53.19.1433: . 3365025458:3365025459(1) ack 2402449091 win 64453
>    2: 15:55:11.840303 802.1Q vlan#560 P0 192.168.53.19.1433 > x.x.x.x.2716: . ack 3365025459 win 64374
>    3: 15:55:12.070079 802.1Q vlan#560 P0 192.168.53.19.1433 > x.x.x.x.2716: . 2402449090:2402449091(1) ack 3365025459 win 64374
>    4: 15:55:12.070202 802.1Q vlan#560 P0 x.x.x.x.2716 > 192.168.53.19.1433: . ack 2402449091 win 64453
>    5: 15:55:21.180608 76.65.229.23.61388 > x.x.x.x.443: S 2533989180:2533989180(0) win 65535 <mss 1260,nop,nop,sackOK>
>    6: 15:55:24.070659 76.65.229.23.61388 > x.x.x.x.443: S 2533989180:2533989180(0) win 65535 <mss 1260,nop,nop,sackOK>
>    7: 15:55:30.085978 76.65.229.23.61388 > x.x.x.x.443: S 2533989180:2533989180(0) win 65535 <mss 1260,nop,nop,sackOK>
>
>
> I see packets egressing the dmz interface into the dmz zone… In my mind this is not a firewall issue, as the packets are being forwarded into the zone, as expected.
>   
But the traffic you captured is NOT the telnet to port 80 session. Are
you translating the port somewhere upstream before it reaches the ASA?
Or are you translating on the ASA?

> the reality is there was a "deny ip any any into newzone" applied to the outside interface.   
If the 'deny' statement was applied inbound on the outside interface,
and this was also where the connection was initiating from, then yes -
traffic would have been denied. Note that if the telnet was initiated
from the dmz interface, then the ACL would not have blocked it.

Sincerely,

David.
> I should not have seen these packets when running a capture on the dmz interface, correct? This caused me to spin my wheels on this for 1/2 a day till I noticed the ACL in the outside_in section…
>
> As soon as I removed the ACL element from the outside_in, things worked.
>
>
> am I not understanding something here or does this look wrong?
>
> thanks for your time,
> greg
>
>
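David's point, that the capture does not actually contain the port-80 session, is the kind of check worth automating before reasoning about ACLs. The following Python is an added example, not code from this thread or from Cisco: it parses lines in the capture format quoted above (a constructed sample is embedded inline), lists the packets that belong to a given port, and reports client SYNs that never got a reply in the reverse direction.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "show capture" line format quoted in the thread
# (the 1433 exchange and the retransmitted SYNs to 443; no port-80 session).
CAPTURE = """\
   1: 15:55:11.839525 802.1Q vlan#560 P0 x.x.x.x.2716 > 192.168.53.19.1433: . 3365025458:3365025459(1) ack 2402449091 win 64453
   2: 15:55:11.840303 802.1Q vlan#560 P0 192.168.53.19.1433 > x.x.x.x.2716: . ack 3365025459 win 64374
   5: 15:55:21.180608 76.65.229.23.61388 > x.x.x.x.443: S 2533989180:2533989180(0) win 65535 <mss 1260,nop,nop,sackOK>
   6: 15:55:24.070659 76.65.229.23.61388 > x.x.x.x.443: S 2533989180:2533989180(0) win 65535 <mss 1260,nop,nop,sackOK>
"""

LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\S+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"          # optional 802.1Q tag prefix
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>\S+)\s*(?P<rest>.*)$"
)

@dataclass(frozen=True)
class Packet:
    num: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" for SYN, "." for no flags set
    ack: bool    # True when the line carries an "ack <n>" field

def parse_capture(text: str) -> list[Packet]:
    """Parse capture lines; lines that do not look like TCP packets are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append(Packet(int(m["num"]), m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), m["flags"],
                               re.search(r"\back \d+", m["rest"]) is not None))
    return pkts

def packets_for_port(pkts: list[Packet], port: int) -> list[Packet]:
    """Packets of any flow with `port` at either end; empty means the session is not in the capture."""
    return [p for p in pkts if port in (p.sport, p.dport)]

def unanswered_syns(pkts: list[Packet]) -> list[tuple[str, int, str, int]]:
    """Client SYNs (SYN without ACK) that never saw a reverse-direction packet; retransmits collapse to one flow."""
    syns = {(p.src, p.sport, p.dst, p.dport) for p in pkts if p.flags == "S" and not p.ack}
    seen_reverse = {(p.dst, p.dport, p.src, p.sport) for p in pkts}
    return sorted(syns - seen_reverse)
```

Running `packets_for_port(parse_capture(CAPTURE), 80)` on the sample returns nothing, which is exactly the mismatch David points out; the unanswered SYNs to 443 are what an inbound deny on the outside interface would look like.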


