Solved

Cisco PIX ASA 5505 - Inbound Traffic not Flowing

Posted on 2008-10-17
658 Views
Last Modified: 2012-06-27
I've done well with Cisco PIX 501, 506 and 515s before, entirely through the command line. The ASA is something fairly new and I'm not a fan of the ASDM. Now that I've tried the ASDM GUI and have dropped to a command-line method, I believe that I see everything I need to as it relates to inbound traffic. All I need is RDP and PPTP/GRE to come inbound to the SBS server.

In PIX 5xx days, you simply needed a STATIC and an ACCESS-LIST bound to the outside interface. Can you review the following configuration and determine if something is missing:


ASA Version 7.2(4)
!
hostname ciscoasa
domain-name removed.local
enable password --removed-- encrypted
passwd --removed-- encrypted
names
name 192.168.1.10 sbsserver description sbsserver
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoe
 ip address pppoe setroute
!
interface Vlan3
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name taskforce.local
access-list outside_access_in remark ptpp inbound
access-list outside_access_in extended permit gre any host sbsserver log disable
access-list outside_access_in extended permit tcp any eq pptp host sbsserver
access-list outside_access_in extended permit tcp any eq 3389 host sbsserver
no pager
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 sbsserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp sbsserver pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http --removed-- 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe request dialout pppoe
vpdn group pppoe localname --removed--@static.sbcglobal.net
vpdn group pppoe ppp authentication pap
vpdn username --removed--@static.sbcglobal.net password *********
username airadmin password --removed-- encrypted privilege 15
prompt hostname context
Question by: getair

5 Comments
Expert Comment
by: clearacid
ID: 22746489
Why specify a port number on the static statement?

Why not just do:
static (inside,outside) interface sbsserver netmask 255.255.255.255

and then let the access list control the inbound connection?
Accepted Solution
by: Alan Huseyin Kayahan (earned 500 total points)
ID: 22746532
access-list outside_access_in extended permit gre any interface outside log disable
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit tcp any interface outside eq 3389
no access-list outside_access_in extended permit gre any host sbsserver log disable
no access-list outside_access_in extended permit tcp any eq pptp host sbsserver
no access-list outside_access_in extended permit tcp any eq 3389 host sbsserver
Expert Comment
by: Alan Huseyin Kayahan
ID: 22746535
BTW, you may need a one-to-one static NAT for GRE instead of PAT.
Author Comment
by: getair
ID: 22746663
Will try these things... this is how it ended up when using the GUI.
Author Comment
by: getair
ID: 22747712
By doing:

  access-list outside_access_in extended permit gre any interface outside log disable
  access-list outside_access_in extended permit tcp any interface outside eq pptp
  access-list outside_access_in extended permit tcp any interface outside eq 3389
  no access-list outside_access_in extended permit gre any host sbsserver log disable
  no access-list outside_access_in extended permit tcp any eq pptp host sbsserver
  no access-list outside_access_in extended permit tcp any eq 3389 host sbsserver

I was able to RDP into the system and partially start my PPTP connection.

Upon adding this command, I then completed the PPTP inbound connection:

  fixup protocol pptp 1723
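The thread above fixes three distinct problems in the posted 7.2(4) config without spelling them out. As an added example (not code from the original thread or from Cisco), the script below encodes them as lint rules and runs them over the question's own lines: on ASA 7.x/8.2 (pre-8.3 NAT) an inbound ACL on the outside interface is evaluated against the translated address (here `interface outside`), so a rule written for the real inside host never matches; `eq pptp` written before the destination matches the client's source port rather than the service; and GRE carries no port numbers, so it cannot ride a `tcp` port static unless a one-to-one static exists or PPTP inspection (`fixup protocol pptp` / `inspect pptp`) tracks the call. The two config samples are constructed from the question's lines and from the accepted answer plus the author's final `fixup`; the finding codes (`REAL-ADDR`, `SRC-PORT`, `GRE-PAT`) and the subset of syntax parsed (`name`, `static`, `extended permit`, `access-group`, `fixup`/`inspect pptp`) are this script's own assumptions. Note that on ASA 8.3 and later, ACLs are written against real addresses and the `REAL-ADDR` rule does not apply.

```python
"""Audit an ASA 7.x / 8.2 (pre-8.3 NAT syntax) config for the inbound-ACL mistakes in this thread."""

# Constructed sample: the inbound-relevant lines of the config posted in the question.
BROKEN_CONFIG = """\
name 192.168.1.10 sbsserver description sbsserver
access-list outside_access_in extended permit gre any host sbsserver log disable
access-list outside_access_in extended permit tcp any eq pptp host sbsserver
access-list outside_access_in extended permit tcp any eq 3389 host sbsserver
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 sbsserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp sbsserver pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# Constructed sample: the same lines after the accepted solution and the fixup were applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "permit gre any host sbsserver log disable", "permit gre any interface outside log disable"
).replace("permit tcp any eq pptp host sbsserver", "permit tcp any interface outside eq pptp"
).replace("permit tcp any eq 3389 host sbsserver", "permit tcp any interface outside eq 3389"
) + "fixup protocol pptp 1723\n"


def _addr(t, i):
    """Consume one ACL address: any | host X | interface IF | A.B.C.D MASK."""
    if t[i] == 'any':
        return ('any', None), i + 1
    if t[i] in ('host', 'interface'):
        return (t[i], t[i + 1]), i + 2
    return ('net', t[i] + '/' + t[i + 1]), i + 2


def _port(t, i):
    """Consume an optional 'eq|gt|lt|neq PORT' qualifier."""
    if i < len(t) and t[i] in ('eq', 'gt', 'lt', 'neq'):
        return (t[i], t[i + 1]), i + 2
    return None, i


def parse(config):
    """Collect name aliases, statics, permit ACEs, inbound access-groups and PPTP inspection."""
    names, statics, aces, bound, pptp = {}, [], [], {}, False
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == 'name' and len(t) >= 3:                 # name IP ALIAS ...
            names[t[2]] = t[1]
        elif t[0] == 'static':  # static (real_if,mapped_if) [tcp|udp] MAPPED [PORT] REAL [PORT] netmask ...
            real_if, mapped_if = t[1].strip('()').split(',')
            proto = t[2] if t[2] in ('tcp', 'udp') else None
            i = 3 if proto else 2
            mapped = t[i]
            real = t[i + 2] if proto else t[i + 1]
            statics.append({'mapped_if': mapped_if, 'proto': proto,
                            'mapped': names.get(mapped, mapped), 'real': names.get(real, real)})
        elif t[0] == 'access-list' and len(t) > 5 and t[2:4] == ['extended', 'permit']:
            src, i = _addr(t, 5)
            sport, i = _port(t, i)
            dst, i = _addr(t, i)
            dport, i = _port(t, i)
            aces.append({'acl': t[1], 'proto': t[4], 'sport': sport, 'dst': dst,
                         'dport': dport, 'text': raw.strip()})
        elif t[0] == 'access-group' and len(t) > 4 and t[2] == 'in':   # access-group ACL in interface IF
            bound[t[1]] = t[4]
        elif raw.strip() == 'inspect pptp' or raw.startswith('fixup protocol pptp'):
            pptp = True
    return names, statics, aces, bound, pptp


def audit(config):
    """Return (code, offending line) for every ACE that cannot work as written."""
    names, statics, aces, bound, pptp = parse(config)
    findings = []
    for ace in aces:
        if ace['acl'] not in bound:
            continue
        kind, val = ace['dst']
        val = names.get(val, val)
        inbound = [s for s in statics if s['mapped_if'] == bound[ace['acl']]]
        # Pre-8.3, the ACL on the mapped interface is evaluated against the translated
        # address, so a rule written for the real inside host never matches.
        if kind == 'host' and any(s['real'] == val and s['mapped'] != val for s in inbound):
            findings.append(('REAL-ADDR', ace['text']))
        # 'eq PORT' before the destination matches the client's source port, not the service.
        if ace['proto'] in ('tcp', 'udp') and ace['sport'] and not ace['dport']:
            findings.append(('SRC-PORT', ace['text']))
        # GRE has no ports, so a tcp/udp port static cannot carry it; it needs a one-to-one
        # static or PPTP inspection (fixup protocol pptp / inspect pptp) tracking the call ID.
        if ace['proto'] == 'gre' and not pptp:
            hits = [s for s in inbound if (s['mapped'] == 'interface' if kind == 'interface'
                                           else val in (s['real'], s['mapped']))]
            if hits and all(s['proto'] for s in hits):
                findings.append(('GRE-PAT', ace['text']))
    return findings
```

Running `audit(BROKEN_CONFIG)` reports all three ACEs as `REAL-ADDR`, the two TCP ACEs as `SRC-PORT`, and the GRE ACE as `GRE-PAT`; `audit(FIXED_CONFIG)` is empty, and it reports only `GRE-PAT` again if the `fixup protocol pptp 1723` line is taken back out, which is exactly the state the author described as "partially start my PPTP connection".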