Solved

Cisco PIX ASA 5505 - Inbound Traffic not Flowing

Posted on 2008-10-17
Last Modified: 2012-06-27
I've performed well with Cisco PIX 501, 506, 515s before entirely through command-line. The ASA is something fairly new and I'm not a fan of the ASDM. Now that I've tried the ASDM GUI and have dropped to a command-line method -- I believe that I see everything I need to as it relates to inbound traffic. All I need is RDP and PPTP/GRE to come inbound to the SBS-Server.

In PIX 5xx days, you simply needed a STATIC and an ACCESS-LIST, bound to the outside interface. Can you review the following configuration and determine if something is missing:


ASA Version 7.2(4)
!
hostname ciscoasa
domain-name removed.local
enable password --removed-- encrypted
passwd --removed-- encrypted
names
name 192.168.1.10 sbsserver description sbsserver
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoe
 ip address pppoe setroute
!
interface Vlan3
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name taskforce.local
access-list outside_access_in remark ptpp inbound
access-list outside_access_in extended permit gre any host sbsserver log disable
access-list outside_access_in extended permit tcp any eq pptp host sbsserver
access-list outside_access_in extended permit tcp any eq 3389 host sbsserver
no pager
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 sbsserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp sbsserver pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http --removed-- 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe request dialout pppoe
vpdn group pppoe localname --removed--@static.sbcglobal.net
vpdn group pppoe ppp authentication pap
vpdn username --removed--@static.sbcglobal.net password *********
username airadmin password --removed-- encrypted privilege 15
prompt hostname context
Question by: getair

5 Comments
 
Expert Comment by clearacid
ID: 22746489
Why specify a port number on the static statement?

Why not just do:
static (inside,outside) interface sbsserver netmask 255.255.255.255

and then let the access list control the inbound connection?

Accepted Solution by Alan Huseyin Kayahan (earned 500 total points)
ID: 22746532
access-list outside_access_in extended permit gre any interface outside log disable
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit tcp any interface outside eq 3389
no access-list outside_access_in extended permit gre any host sbsserver log disable
no access-list outside_access_in extended permit tcp any eq pptp host sbsserver
no access-list outside_access_in extended permit tcp any eq 3389 host sbsserver
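The accepted solution works for two reasons that are easy to miss when coming from the PIX: on ASA 7.x (anything before 8.3) an access-list applied inbound on the outside interface matches the translated address, which with a port static to "interface" is the outside interface itself, not the real 192.168.1.10; and the original entries placed "eq pptp" / "eq 3389" after the source "any", so they matched the source port rather than the destination port. The Python script below is an added example, not code from the thread or from Cisco. It parses the static, access-list and access-group lines of a pre-8.3 config (the sample is constructed from the question's config), flags both mistakes, and prints the entry rewritten the way the accepted answer did. All function and variable names are the example's own.

```python
"""Lint a pre-8.3 ASA/PIX config for inbound ACL entries that do not line up
with their static translation. On those releases an inbound access-list matches
the translated (global/interface) address, not the real inside address."""

# Constructed sample: the NAT and ACL lines from the question, in the broken state.
SAMPLE_CONFIG = """\
name 192.168.1.10 sbsserver description sbsserver
access-list outside_access_in remark ptpp inbound
access-list outside_access_in extended permit gre any host sbsserver log disable
access-list outside_access_in extended permit tcp any eq pptp host sbsserver
access-list outside_access_in extended permit tcp any eq 3389 host sbsserver
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 sbsserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp sbsserver pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> operand count


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((kind, value), next_index)."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i] in ("host", "interface"):
        return (tokens[i], tokens[i + 1]), i + 2
    return ("net", tokens[i] + " " + tokens[i + 1]), i + 2  # "addr mask" form


def _take_port(tokens, i):
    """Consume an optional port operator; return (text or None, next_index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = 1 + PORT_OPS[tokens[i]]
        return " ".join(tokens[i:i + n]), i + n
    return None, i


def _addr_str(spec):
    kind, value = spec
    return value if kind == "net" else " ".join(x for x in (kind, value) if x)


def parse_ace(line):
    """access-list NAME extended ACTION PROTO SRC [sport] DST [dport] [rest...]"""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return None
    src, i = _take_addr(t, 5)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return {"name": t[1], "action": t[3], "proto": t[4], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "rest": t[i:], "line": line}


def parse_static(line):
    """static (REAL_IF,MAPPED_IF) [tcp|udp] MAPPED [mport] REAL [rport] netmask ..."""
    t = line.split()
    real_if, mapped_if = t[1].strip("()").split(",")
    if t[2] in ("tcp", "udp"):  # port-level static (PAT) form
        return {"real_if": real_if, "mapped_if": mapped_if, "mapped": t[3], "real": t[5]}
    return {"real_if": real_if, "mapped_if": mapped_if, "mapped": t[2], "real": t[3]}


def lint(config):
    """Return one finding per problematic ACE: (original line, issues, suggested line)."""
    statics, aces, bindings = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("static "):
            statics.append(parse_static(line))
        elif line.startswith("access-list ") and " extended " in line:
            aces.append(parse_ace(line))
        elif line.startswith("access-group "):
            t = line.split()  # access-group NAME in interface IFNAME
            bindings[t[1]] = t[4]
    findings = []
    for ace in aces:
        ifname = bindings.get(ace["name"])
        if ifname is None:
            continue  # not applied to any interface, nothing to check
        issues, dst, sport, dport = [], ace["dst"], ace["sport"], ace["dport"]
        kind, value = dst
        for st in statics:
            if kind == "host" and st["real"] == value and st["mapped_if"] == ifname:
                dst = ("interface", ifname) if st["mapped"] == "interface" else ("host", st["mapped"])
                issues.append(f"destination names real address {value}; pre-8.3 ACLs match "
                              f"the translated address, use '{_addr_str(dst)}'")
                break
        if sport and not dport:
            issues.append(f"port operator '{sport}' is on the source; for an inbound "
                          "service rule it belongs after the destination")
            sport, dport = None, sport
        if issues:
            parts = ["access-list", ace["name"], "extended", ace["action"], ace["proto"],
                     _addr_str(ace["src"]), sport, _addr_str(dst), dport, *ace["rest"]]
            findings.append((ace["line"], issues, " ".join(p for p in parts if p)))
    return findings


if __name__ == "__main__":
    for original, issues, fixed in lint(SAMPLE_CONFIG):
        print(original)
        for issue in issues:
            print("  -", issue)
        print("  =>", fixed)
```

Run against the sample, the three rewritten entries are exactly the three "access-list ... interface outside ..." lines from the accepted solution. The check is deliberately limited to the pre-8.3 semantics the thread is about; on 8.3 and later the ACL references the real address and this finding would be wrong.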

Expert Comment by Alan Huseyin Kayahan
ID: 22746535
BTW, you may need a one-to-one static NAT for GRE instead of PAT.

Author Comment by getair
ID: 22746663
Will try these things... this is how it ended up when using the GUI.

Author Comment by getair
ID: 22747712
By doing:

  access-list outside_access_in extended permit gre any interface outside log disable
  access-list outside_access_in extended permit tcp any interface outside eq pptp
  access-list outside_access_in extended permit tcp any interface outside eq 3389
  no access-list outside_access_in extended permit gre any host sbsserver log disable
  no access-list outside_access_in extended permit tcp any eq pptp host sbsserver
  no access-list outside_access_in extended permit tcp any eq 3389 host sbsserver

I was able to RDP into the system and partially start my PPTP connection.

Upon adding this command, I then completed the PPTP inbound:

  fixup protocol pptp 1723
