Cisco PIX ASA 5505 - Inbound Traffic not Flowing

I've performed well with Cisco PIX 501, 506 and 515s before, entirely through the command line.  The ASA is something fairly new and I'm not a fan of the ASDM.  Now that I've tried the ASDM GUI and have dropped to a command-line method, I believe that I see everything I need to as it relates to inbound traffic.  All I need is RDP and PPTP/GRE to come inbound to the SBS server.

In the PIX 5xx days, you simply needed a STATIC and an ACCESS-LIST, bound to the outside interface.  Can you review the following configuration and determine if something is missing:


ASA Version 7.2(4)
!
hostname ciscoasa
domain-name removed.local
enable password --removed-- encrypted
passwd --removed-- encrypted
names
name 192.168.1.10 sbsserver description sbsserver
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoe
 ip address pppoe setroute
!
interface Vlan3
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name taskforce.local
access-list outside_access_in remark ptpp inbound
access-list outside_access_in extended permit gre any host sbsserver log disable
access-list outside_access_in extended permit tcp any eq pptp host sbsserver
access-list outside_access_in extended permit tcp any eq 3389 host sbsserver
no pager
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 sbsserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp sbsserver pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http --removed-- 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe request dialout pppoe
vpdn group pppoe localname --removed--@static.sbcglobal.net
vpdn group pppoe ppp authentication pap
vpdn username --removed--@static.sbcglobal.net password *********
username airadmin password --removed-- encrypted privilege 15
prompt hostname context
Asked by: getair
1 Solution
 
clearacid commented:
why specify a port number on the static statement?

why not just do:
static (inside,outside) interface sbsserver netmask 255.255.255.255

then let the access list control the inbound connection?

Alan Huseyin Kayahan commented:
access-list outside_access_in extended permit gre any interface outside log disable
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit tcp any interface outside eq 3389
no access-list outside_access_in extended permit gre any host sbsserver log disable
no access-list outside_access_in extended permit tcp any eq pptp host sbsserver
no access-list outside_access_in extended permit tcp any eq 3389 host sbsserver

Alan Huseyin Kayahan commented:
btw, you may need a one-to-one static NAT for GRE instead of PAT

getair (author) commented:
Will try these things... this is how it ended up when using the GUI.

getair (author) commented:
By doing:

  access-list outside_access_in extended permit gre any interface outside log disable
  access-list outside_access_in extended permit tcp any interface outside eq pptp
  access-list outside_access_in extended permit tcp any interface outside eq 3389
  no access-list outside_access_in extended permit gre any host sbsserver log disable
  no access-list outside_access_in extended permit tcp any eq pptp host sbsserver
  no access-list outside_access_in extended permit tcp any eq 3389 host sbsserver

I was able to RDP into the system and partially start my PPTP connection.

Upon adding this command, I then completed the PPTP inbound:

  fixup protocol pptp 1723
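The three points this thread turns on can be checked mechanically on a pre-8.3 ASA config: an ACL bound inbound on the outside interface is evaluated before NAT untranslation, so its destination has to be the mapped (outside) address rather than the real inside host; a port operator written directly after the source address is a source port, so `permit tcp any eq pptp host sbsserver` matches the client's ephemeral port and never the service; and GRE has no ports, so a port-based static PAT cannot carry it without a one-to-one static or PPTP inspection (`fixup protocol pptp 1723`, `inspect pptp` on later releases). The linter below is an added example, not code from this thread or from Cisco; the rule set, the function names and the three constructed config fragments (condensed from the NAT and ACL lines posted above, everything else omitted) are assumptions of mine, and the parser only handles the `static`, `name`, `access-group` and `extended permit` forms that appear here.

```python
"""Lint a pre-8.3 Cisco ASA config for the inbound-ACL mistakes in this thread.

Added example (not from the thread or from Cisco). Rules:
 1. An ACL applied 'in' on outside matches the MAPPED destination address.
 2. A port operator right after the source address is a SOURCE port.
 3. GRE cannot ride a port-based static PAT: needs a one-to-one static
    or PPTP inspection (fixup protocol pptp 1723 / inspect pptp).
"""
from dataclasses import dataclass
from typing import List, Optional

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}


@dataclass
class Ace:
    acl: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]
    raw: str


def _parse_addr(tokens, i):
    """Consume one address spec: any | host X | interface X | IP MASK."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    if tokens[i] == "interface":
        return "interface " + tokens[i + 1], i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2


def _parse_port(tokens, i):
    """Consume an optional port operator; return (spec or None, next index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        width = 3 if tokens[i] == "range" else 2
        return " ".join(tokens[i:i + width]), i + width
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'access-list NAME extended permit PROTO SRC [port] DST [port] ...'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[3] != "permit":
        return None
    src, i = _parse_addr(t, 5)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(t[1], t[4], src, sport, dst, dport, line)


def lint_asa_config(config: str) -> List[str]:
    names, statics, aces, inbound_acl, pptp_inspect = {}, [], [], None, False
    for raw in config.splitlines():
        line = raw.strip()
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "name" and len(t) >= 3:                 # name IP NAME ...
            names[t[2]] = t[1]
        elif t[0] == "static" and len(t) >= 6:              # static (real,mapped) ...
            pat = t[2] in ("tcp", "udp")                    # port PAT: real host is t[5]
            statics.append(("pat" if pat else "one-to-one", t[5] if pat else t[4]))
        elif t[0] == "access-group" and len(t) >= 5 and t[2] == "in" and t[4] == "outside":
            inbound_acl = t[1]
        elif line.startswith("fixup protocol pptp") or line == "inspect pptp":
            pptp_inspect = True
        else:
            ace = parse_ace(line)
            if ace:
                aces.append(ace)

    real_hosts = set(names) | set(names.values()) | {h for _, h in statics}
    one_to_one = any(kind == "one-to-one" for kind, _ in statics)
    findings = []
    for a in aces:
        if a.acl != inbound_acl:
            continue
        if a.dst in real_hosts:
            findings.append(f"destination is the real inside host; use the mapped address: {a.raw}")
        if a.src_port and not a.dst_port:
            findings.append(f"'{a.src_port}' is a SOURCE port; put it after the destination: {a.raw}")
        if a.proto == "gre" and not (one_to_one or pptp_inspect):
            findings.append(f"gre cannot use port-based PAT; add a one-to-one static or PPTP inspection: {a.raw}")
    return findings


# Constructed sample: the NAT and ACL lines as posted in the question (condensed).
BROKEN_CONFIG = """\
name 192.168.1.10 sbsserver description sbsserver
access-list outside_access_in remark ptpp inbound
access-list outside_access_in extended permit gre any host sbsserver log disable
access-list outside_access_in extended permit tcp any eq pptp host sbsserver
access-list outside_access_in extended permit tcp any eq 3389 host sbsserver
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 sbsserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp sbsserver pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
# Constructed: ACL rewritten as in the reply above, still without PPTP inspection.
PARTIAL_CONFIG = BROKEN_CONFIG.replace(
    "permit gre any host sbsserver log disable", "permit gre any interface outside log disable"
).replace("permit tcp any eq pptp host sbsserver", "permit tcp any interface outside eq pptp"
).replace("permit tcp any eq 3389 host sbsserver", "permit tcp any interface outside eq 3389")
# Constructed: plus the command that completed the PPTP session in the thread.
FIXED_CONFIG = PARTIAL_CONFIG + "fixup protocol pptp 1723\n"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("acl fixed", PARTIAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label}: {len(lint_asa_config(cfg))} finding(s)")
        for f in lint_asa_config(cfg):
            print("  -", f)
```

Run against the three fragments, the posted config produces two findings per ACE (real-host destination, plus either the misplaced port or the GRE-over-PAT problem), the ACL-only fix leaves just the GRE finding, which matches the "partially start my PPTP connection" stage, and adding the PPTP fixup clears it. On 8.3 and later the NAT model changed (the ACL matches the real address), so this rule set is specific to the 7.x/8.2 syntax shown in the question.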