I. Overview:
Today a friend asked me for help over QQ with the environment below. Looking at the ASA configuration, the policy permitted everything, yet the access still failed, which was puzzling.
I rebuilt the environment in GNS3 and captured packets on both sides of the firewall: the TCP three-way handshake completed normally, but the HTTP GET packet sent from the inside host was dropped by the firewall. Googling the keywords "ASA TCP 2000" turned up the following links:
http://blog.csdn.net/yangcage/article/details/1787558
http://www.petenetlive.com/KB/Article/0000027.htm
Finally it made sense: the ASA's default global inspection policy (class inspection_default, which matches the default inspection traffic) includes inspect skinny, and skinny (SCCP) is defined on TCP port 2000. Traffic from the inside to an external HTTP server on TCP 2000 is therefore handed to the skinny inspection engine even though it is really HTTP. Because the two protocols have completely different message structures, the inspector rejects the payload as malformed: the three-way handshake (which carries no application data) is allowed through, and the first HTTP packet after it is discarded. For further testing, three different situations were tested:
The first is that the external web application uses a port that is not in the default inspection list, such as TCP 8080;
The second is that the external web application uses a port that is inspected by default, but no real traffic of that protocol actually exists on the network, such as TCP 2000 when there are no SCCP phones;
The third is that the external web application uses an inspected port, and the default inspection for that protocol must remain enabled because real traffic of that protocol also exists.
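The ASA commands below are an added illustration written for this article, not configuration taken from the original environment; the interface names, addresses and ACL names are assumptions. They show how to confirm that the skinny inspector is what drops the HTTP traffic on TCP 2000, and the two ways of dealing with the second and third situations: removing the inspection entirely when no SCCP traffic exists, or restricting it to the real phone traffic so that the web server is no longer inspected as skinny.

```cisco
! --- Diagnosis: simulate the inside client's flow to the external web server on TCP 2000.
!     Assumed addresses: inside client 192.168.1.10, external web server 203.0.113.10.
!     If the skinny inspector is involved, the INSPECT phase is listed in the trace output.
packet-tracer input inside tcp 192.168.1.10 12345 203.0.113.10 2000 detailed

! Drop counters of the skinny engine (increments while the HTTP GETs are being discarded)
show service-policy inspect skinny
! Global drop reasons; look for the inspection-related counters rising with each test
show asp drop

! --- Situation two: TCP 2000 is inspected by default, but no SCCP traffic exists on the network.
!     Simply remove skinny from the default inspection class.
policy-map global_policy
 class inspection_default
  no inspect skinny

! --- Situation three: real SCCP phones exist, so skinny inspection must stay on.
!     Move the inspection to a class that matches only the phone/CallManager traffic
!     (assumed: phones in 192.168.1.0/24, CallManager 10.10.10.5), so that HTTP to the
!     external web server on TCP 2000 is no longer handed to the skinny engine.
access-list SCCP_TRAFFIC extended permit tcp 192.168.1.0 255.255.255.0 host 10.10.10.5 eq 2000
class-map SCCP_CLASS
 match access-list SCCP_TRAFFIC
policy-map global_policy
 class inspection_default
  no inspect skinny
 class SCCP_CLASS
  inspect skinny

! Re-run the trace; the flow to the web server should now complete without an INSPECT drop.
packet-tracer input inside tcp 192.168.1.10 12345 203.0.113.10 2000 detailed
```

The first situation (for example TCP 8080) needs no change, because the default inspection class does not claim that port. In practice, if the remote application can be moved off TCP 2000 that is the cleanest fix of all; the configuration above is for the case where the remote port cannot be changed.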
II. Test topology: