Hi all,
I'm kind of stuck at trying to troubleshoot a problem I have with a set of Cisco ASA boxes. The box has address 217.x.y.26, and I've configured 2 extra IP addresses: .15 to redirect http to a reverse proxy and .25 to redirect http/https to a server. Furthermore .15 is (ab)used to redirect a few ports to various machines for RDP. The webserver (192.168.1.201) is on the inside interface. The reverseproxy is on an extra interface "hb" with securitylevel 50.
So far so good, and this works almost all of the time.
The weird thing is that a couple of times a day http traffic to .15 ends up at the webserver behind .25 (and the existing RDP sessions die). Didn't find any way to reproduce it. No obvious logic behind when it happens. I've checked various loggings, I've tried capturing traffic. But nothing that would explain such behaviour.
Is this something anyone recognizes (and might trigger a "do this or check that"), or did I do something stupid in configuring the boxes?
I've included a (slightly stripped) configuration which should include the relevant configuration items below.
Thanks for any hints
Mark
==============================
ASA Version 8.2(1) ! names name 192.168.128.3 INT_reverseproxy description reverse proxy internal address name 217.x.y.15 EXT_reverseproxy description reverse proxy external address name 192.168.1.201 INT_webserver description webserver internal address name 217.x.y.25 EXT_webserver description webserver external address name 192.168.1.210 dns1 description dns and ntp name 192.168.1.211 dns2 description dns and ntp name 192.168.128.0 ssncb-network description testnetwork name 192.168.128.101 INT_srv1 name 192.168.128.102 INT_srv2 name 192.168.128.103 INT_srv3 name 192.168.128.104 INT_srv4 name 192.168.128.105 INT_srv5 name 192.168.128.106 INT_srv6
int Ethernet0/0 nameif outside security-level 0 ip address 217.x.y.26 255.255.255.224 standby 217.x.y.16
interface Ethernet0/1 nameif inside security-level 100 ip address 192.168.1.253 255.255.255.0 standby 192.168.1.252
interface Ethernet0/2 description trunk for internal vlans nameif trunk security-level 0 no ip address
interface Ethernet0/2.953 vlan 953 nameif hb security-level 50 ip address 192.168.128.1 255.255.255.0 standby 192.168.128.2
interface Ethernet0/3 description LAN/STATE Failover
interface Management0/0 nameif management security-level 100 ip address 192.168.130.231 255.255.255.0 standby 192.168.130.218 management-only
same-security-traffic permit intra-interface object-group service DM_INLINE_TCP_2 tcp group-object rdp port-object range 3390 3396 object-group service DM_INLINE_TCP_4 tcp port-object eq ftp port-object eq www port-object eq https object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object echo-reply object-group service DM_INLINE_TCP_1 tcp port-object eq www port-object eq https port-object eq ssh object-group service rdp tcp description Remote Desktop / Terminal services port-object eq 3389 object-group service DM_INLINE_TCP_2 tcp group-object rdp port-object range 3390 3396 object-group service DM_INLINE_TCP_3 tcp port-object eq www port-object eq ssh port-object eq 81 object-group network DM_INLINE_NETWORK_4 network-object host dns1 network-object host dns2 object-group service DM_INLINE_SERVICE_1 service-object icmp service-object udp eq domain service-object tcp eq smtp service-object udp eq ntp object-group protocol TCPUDP protocol-object udp protocol-object tcp
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 ssncb-network 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 network192168 255.255.0.0
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log disable access-list outside_access_in remark allow service delivery for webserver access-list outside_access_in extended permit tcp any host EXT_webserver object-group DM_INLINE_TCP_1 log disable access-list outside_access_in remark access to reverseproxy access-list outside_access_in extended permit tcp any host EXT_reverseproxy object-group DM_INLINE_TCP_2 log disable access-list outside_access_in extended permit tcp any host EXT_reverseproxy object-group DM_INLINE_TCP_3 log disable access-list outside_access_in remark block but don't log access-list outside_access_in extended deny tcp any any eq 445 log disable
access-list inside_access_in remark allow traffic from services boxes to hb network access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_4 ssncb-network 255.255.255.0 log disable access-list inside_access_in remark default policy: no traffic to hb vlan access-list inside_access_in extended deny ip any ssncb-network 255.255.255.0 log disable access-list inside_access_in remark outside is allowed access-list inside_access_in extended permit ip any any log disable
access-list hb_access_in remark Allow some services to inside access-list hb_access_in extended permit object-group DM_INLINE_SERVICE_1 any
192.168.1.0 255.255.255.0 log disable access-list hb_access_in remark block but don't log traffic on port 137 (windows services) access-list hb_access_in extended deny object-group TCPUDP any 192.168.1.0 255.255.255.0 eq 137 log disable access-list hb_access_in remark No traffic between the networks unless specified access-list hb_access_in extended deny ip any 192.168.1.0 255.255.255.0 access-list hb_access_in remark Outside traffic is OK access-list hb_access_in extended permit ip any any log disableaccess-list hb_nat0_outbound remark no nat for traffic from sslvpn access-list hb_nat0_outbound extended permit ip ssncb-network 255.255.255.0
192.168.253.0 255.255.255.0failover failover lan unit secondary failover lan interface failover Ethernet0/3 failover key ***** failover link failover Ethernet0/3 failover interface ip failover 192.168.67.1 255.255.255.0 standby 192.168.67.2
icmp unreachable rate-limit 1 burst-size 1 icmp permit any outside icmp permit any inside
global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 nat (hb) 0 access-list hb_nat0_outbound nat (hb) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp EXT_webserver www INT_webserver 8000 netmask
255.255.255.255 static (inside,outside) tcp EXT_webserver https INT_webserver 8001 netmask 255.255.255.255 static (inside,outside) tcp EXT_webserver ssh INT_webserver ssh netmask 255.255.255.255 static (inside,outside) tcp EXT_webserver 30000 INT_webserver 30000 netmask 255.255.255.255 static (healthbook,outside) tcp EXT_reverseproxy www INT_reverseproxy www netmask 255.255.255.255 static (healthbook,outside) tcp EXT_reverseproxy 3389 INT_srv1 3389 netmask 255.255.255.255 static (healthbook,outside) tcp EXT_reverseproxy 3390 INT_srv2 3389 netmask 255.255.255.255 static (healthbook,outside) tcp EXT_reverseproxy 3391 INT_srv3 3389 netmask 255.255.255.255 static (healthbook,outside) tcp EXT_reverseproxy 3392 INT_srv4 3389 netmask 255.255.255.255 static (healthbook,outside) tcp EXT_reverseproxy 3394 INT_srv5 3389 netmask 255.255.255.255 static (healthbook,outside) tcp EXT_reverseproxy 3395 INT_srv6 3389 netmask 255.255.255.255access-group outside_access_in in interface outside access-group inside_access_in in interface inside access-group hb_access_in in interface hb
timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00
policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy description netflow for m2m class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp
service-policy global_policy global