Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


ASA 5505 Access Rules / NAT not allowing inbound traffic

Posted on 2008-06-25
Medium Priority
Last Modified: 2012-05-05
I have a new ASA 5505 10 User appliance connecting a 20Mbps Cable Internet connection to the Internal network.  I have configured Access rules and NAT, but obviously do not have something right as the ASA is not passing http, https or smtp traffic to the internal server.  In a possibly related condition, I am able to authenticate the Client-Access VPN connection through the ASA, but cannot talk to anything inside over the connection.  Any feedback would be appreciated as this Windows/Mainframe guy is stumped....   config is below.

X.X.X.A is the outside interface IP of the ASA  (Static IP)
X.X.X.B is another public IP address in our external range not directly assigned to an interface. (Static)

Presently, all services (http, https, smtp) are serviced by a single server at
Remote users will connect using Cisco VPN Client 5.x through Server 2008 NPS (RADIUS)

: Saved
ASA Version 8.0(3) 
hostname ASGASA
enable password ************ encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.A 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd ********* encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
access-list ASG_VPN_splitTunnelAcl extended permit ip any 
access-list inside_outbound_nat0_acl extended permit ip 
access-list inside_outbound_nat0_acl extended permit ip any 
access-list outside_cryptomap_dyn_20 extended permit ip any 
access-list Outside_access_in extended permit tcp any host X.X.X.B eq smtp 
access-list Outside_access_in extended permit tcp any host X.X.X.B eq https 
access-list Outside_access_in extended permit tcp any host X.X.X.B eq www 
access-list Outside_access_in extended permit icmp any any echo-reply 
access-list ASG_VPN_splitTunnelAcl_1 standard permit any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IP_Pool
ip verify reverse-path interface outside
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1
static (inside,outside) X.X.X.B netmask 
access-group Outside_access_in in interface outside
route outside <GATEWAY IP> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
 accounting-mode simultaneous
aaa-server RADIUS host
 key ***********
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
 enable outside
 svc image disk0:/anyconnect-win-2.2.0128-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
 dns-server value
 vpn-tunnel-protocol svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ASG_VPN_splitTunnelAcl
 default-domain value
 address-pools value IP_Pool
  svc keep-installer installed
  svc keepalive 60
  svc dpd-interval client 30
  svc dpd-interval gateway 30
group-policy ASG_VPN internal
group-policy ASG_VPN attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ASG_VPN_splitTunnelAcl_1
group-policy WebVPN internal
group-policy WebVPN attributes
 vpn-tunnel-protocol webvpn
username ASGAdmin password ************ encrypted privilege 15
 vpn-group-policy ASG_VPN
tunnel-group ASG_VPN type remote-access
tunnel-group ASG_VPN general-attributes
 address-pool IP_Pool
 default-group-policy ASG_VPN
tunnel-group ASG_VPN ipsec-attributes
 pre-shared-key ******
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool IP_Pool
 authentication-server-group RADIUS LOCAL
 default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
 address-pool IP_Pool
 authentication-server-group RADIUS LOCAL
 default-group-policy WebVPN
tunnel-group WebVPN webvpn-attributes
 group-alias WebVPN enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 1028
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect icmp error 
service-policy global_policy global
prompt hostname context 
: end
asdm image disk0:/asdm-603.bin
asdm location inside
asdm location inside
no asdm history enable

Open in new window

Question by:ASGWichita
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 29

Expert Comment

by:Jan Springer
ID: 21870103
Have you checked with your provider that it allows client servers?  I'm not seeing anything on initial review regarding http/https/smtp access.

And, do the firewall logs give any indication of the failure if the traffic is making it to the unit?

Author Comment

ID: 21871160
I am on a business connection known to support the services.  The PIX that this ASA is replacing was performing all of these services,  at least until the APC failed and a surge nailed it.  I can also plug-up a cheap-o Netgear router and everything works fine, so I have narrowed it down to the ASA config itself.

All I am seeing in the logs is that the session has been:

6      Jun 25 2008      20:24:47      302013      <REMOTEIP>       Built inbound TCP connection 166 for outside:<REMOTEIP>/2102 (<REMOTE IP>/2102) to inside: (X.X.X.A/443)

6      Jun 25 2008      20:25:17      302014      <REMOTEIP>       Teardown TCP connection 166 for outside:<REMOTEIP>/2102 to inside: duration 0:00:30 bytes 0 SYN Timeout

The Packet Tracer is showing the packet passes successfully to the endpoint both inside and outside.   It's weird,  so I am sure I am missing something simple.
LVL 29

Expert Comment

by:Jan Springer
ID: 21874851
inspect http
inspect https
inspect smtp
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?


Author Comment

ID: 21876026
I'm sorry,  You lost me.  Those are not valid commands,  what are you recommending?

Thanks for your help

Author Comment

ID: 21876127
I have added the inspect http, but cannot find anything for https or smtp.  Do those inspection maps need to be created somehow?  
LVL 29

Expert Comment

by:Jan Springer
ID: 21876167
config t

policy-map global_policy
 class inspection_default
 inspect http
 inspect https
 inspect smtp


I'm wondering if the CBAC engine requires inspection of these packets.

Author Comment

ID: 21876528
Errors received below...    I am not seeing smtp or https as options in the ASDM GUI either.  Do they need to be added somewhere?

Result of the command: "config t"

The command has been sent to the device

Result of the command: "policy-map global_policy"

The command has been sent to the device

Result of the command: "class inspection_default"

The command has been sent to the device

Result of the command: "inspect http"

The command has been sent to the device

Result of the command: "inspect https"

inspect https
ERROR: % Invalid input detected at '^' marker.

Result of the command: "inspect smtp"

inspect smtp
ERROR: % Invalid input detected at '^' marker.

Result of the command: "end"

Command failed

Accepted Solution

ASGWichita earned 0 total points
ID: 21902783
No answer identified,  called in consultant to review and correct.

Expert Comment

ID: 24441306
I am having the same problem as above. What was done to resolve this issue? Thanks.

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question