Cisco Gurus, it's been a LONG day

McDeth

Cisco Gurus, halp!

While attempting a rollout today of our ASA5505 we ran into an issue where web pages on NATd public ip addresses aren't viewable!

We have configured around 10 servers that need to be accessed via their public ip over ports 21, 80 and 443. During our testing phase we made sure that we could access a few test servers running a default install of Apache from a public ip address and this worked fine. During our rollout we discovered that about 1/3 of the web servers were accessible from the internet, while 2/3 were not accessible and returned an error when you attempted to connect to them with a web browser.

The error that was being returned was:

HTTP Error 400
Bad Request

Your browser sent a request that this server could not understand.
Request header field is missing ':' separator.

Viewing the logs on the web servers does indeed show a malformed http header in the GET request.

The strange thing about this is that people connected over the Remote Access VPN can see the (internal ip address) sites just fine, but as soon as they try to browse to the same servers' public ip address, the browser shows the error page. We have disabled the default http inspection and IPS inspection to see if that would fix the problem, but it still occurs. I'm completely lost as to what would cause this issue on our ASA.

We had to call off our rollout because of the problem and are investigating as to what may have caused it. It's been a long day, night, and it's going to be a longer day :(
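The error quoted above is the text Apache returns when a header line in the request arrives without a colon. The script below is an added example, not something posted in this thread or shipped with the ASA: given a raw request as captured on the web server (and, optionally, the same request as captured on the client side), it reports which header line would trigger that 400 and where the two captures first diverge, so you can tell a request mangled in transit from one the client itself sent badly. The request bytes in it are constructed samples; the Apache checks it mimics are limited to the "missing ':' separator" case and a basic field-name sanity check.

```python
"""Check raw HTTP/1.1 request headers the way a web server's 400 check would.

Added example for diagnosing the "Request header field is missing ':'
separator" error; not code from the original post or from Cisco.
Sample requests below are constructed, not captured from a real host.
"""
import re

# RFC 7230 "token" characters permitted in a header field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_request_headers(raw: bytes) -> list:
    """Return a list of (line_number, description, line_text) problems.

    Line 1 is the request line; header fields start at line 2.  An empty
    list means the header block would not trip the missing-separator check.
    """
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append((0, "no blank line terminating the header block", ""))
    lines = head.split(b"\r\n")
    for n, line in enumerate(lines[1:], start=2):
        text = line.decode("latin-1")
        if not text.strip():
            problems.append((n, "empty line inside the header block", text))
            continue
        if text[0] in " \t":
            # obs-fold continuation of the previous field: deprecated but legal
            continue
        name, colon, _value = text.partition(":")
        if not colon:
            problems.append((n, "request header field is missing ':' separator", text))
            continue
        if not _TOKEN_RE.match(name):
            problems.append((n, "invalid characters in header field name", text))
    return problems


def first_difference(sent: bytes, received: bytes):
    """Byte offset where two captures of the same request first differ.

    Returns None when the captures are identical.  Comparing the client-side
    capture with the server-side capture shows whether something in the path
    (NAT device, inspection engine, proxy) altered the request.
    """
    for i, (a, b) in enumerate(zip(sent, received)):
        if a != b:
            return i
    if len(sent) != len(received):
        return min(len(sent), len(received))
    return None


# Constructed sample: a well-formed request as the browser sent it ...
GOOD_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: test-client\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# ... and the same request with the colon of one header lost in transit.
BAD_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent test-client\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def report(sent: bytes, received: bytes) -> str:
    """Human-readable summary for one sent/received pair."""
    lines = []
    for n, desc, text in check_request_headers(received):
        lines.append(f"line {n}: {desc}: {text!r}")
    off = first_difference(sent, received)
    if off is not None:
        lines.append(f"captures diverge at byte offset {off}")
    return "\n".join(lines) if lines else "request is well-formed and unchanged"


if __name__ == "__main__":
    print(report(GOOD_REQUEST, GOOD_REQUEST))
    print(report(GOOD_REQUEST, BAD_REQUEST))
```

In practice you would feed `check_request_headers()` the request bytes from a packet capture taken on the web server and `first_difference()` the same request captured on the client; a non-empty problem list together with a divergence offset points at the device in between, while an empty list with a 400 still being returned points somewhere other than header corruption.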
 
Are you using the "Public Servers" in ASDM, or doing this in CMD line?

What ASA version are you on?
 
Yes I did set about 5 up under Public Servers in ASDM, but have also set up NAT rules using CMD for others (separate IP's obviously)

ASA version is 8.2(2)
 
If you set the public server policy group, you don't need to NAT via cmd line. Rip it all out, then just use public servers.
 
remove "inspect http" under the global_policy during your troubleshooting.
 
remove "inspect http" under the global_policy during your troubleshooting.
He said he already did this.

McDeth,
Like Vito said, you need to post your config, but I can give you some recommendations and facts.

The ASA by default doesn't do deep inspection (application or payload level), so disabling the http inspection would disable it at layer 4 and not layer 7, which is what many people assume.

I don't think that disabling http inspection will gain you anything, or for that matter cause you to see malformed http headers, due to the fact that you would be utilizing different inspection engines if you did application level inspection. If you were doing application level inspection then possibly.

I'm assuming that you're doing 1:1 static NAT translations? Have you tried to reassign IPs from servers that work to non-working servers? Blow away the NAT config and just configure one translation on a server that's NOT working?

I know this might be a stupid question, but you do have an enterprise bundle w/ more than 10 users, correct? 10 users simply means 10 concurrent unique (from an IP address standpoint) NAT connections.
 
I know this might be a stupid question, but you do have an enterprise bundle w/ more than 10 users, correct? 10 users simply means 10 concurrent unique (from an IP address standpoint) NAT connections.

The 10 user bundle will only allow 10 devices to pass through the firewall at any time. So if you have 12 servers and a 10 user bundle, 2 of your servers will not be able to get out.
 
The 10 user bundle will only allow 10 devices to pass through the firewall at any time. So if you have 12 servers and a 10 user bundle, 2 of your servers will not be able to get out.
:confused: If you read what you quoted you would see that I was trying to verify that he had a license with more than 10 users to ensure that he was not hitting that NAT limitation; that is how it's regulated, by the translation table.
 