Solved

Cisco PIX ASA 5505 - Inbound Traffic not Flowing

Posted on 2008-10-17
657 Views
Last Modified: 2012-06-27
I've performed well with Cisco PIX 501, 506, and 515s before, entirely through the command line. The ASA is something fairly new and I'm not a fan of the ASDM. Now that I've tried the ASDM GUI and have dropped to a command-line method, I believe that I see everything I need to as it relates to inbound traffic. All I need is RDP and PPTP/GRE to come inbound to the SBS server.

In PIX 5xx days, you simply needed a STATIC and an ACCESS-LIST, bound to the outside interface.  Can you review the following configuration and determine if something is missing:


ASA Version 7.2(4)
!
hostname ciscoasa
domain-name removed.local
enable password --removed-- encrypted
passwd --removed-- encrypted
names
name 192.168.1.10 sbsserver description sbsserver
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoe
 ip address pppoe setroute
!
interface Vlan3
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name taskforce.local
access-list outside_access_in remark ptpp inbound
access-list outside_access_in extended permit gre any host sbsserver log disable
access-list outside_access_in extended permit tcp any eq pptp host sbsserver
access-list outside_access_in extended permit tcp any eq 3389 host sbsserver
no pager
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 sbsserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp sbsserver pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http --removed-- 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe request dialout pppoe
vpdn group pppoe localname --removed--@static.sbcglobal.net
vpdn group pppoe ppp authentication pap
vpdn username --removed--@static.sbcglobal.net password *********
username airadmin password --removed-- encrypted privilege 15
prompt hostname context
Question by:getair
5 Comments
 
LVL 6

Expert Comment

by:clearacid
ID: 22746489
why specify a port number on the static statement?

why not just do:
static (inside,outside) interface sbsserver netmask 255.255.255.255

then let the access list control the inbound connection?
 
LVL 29

Accepted Solution

by:Alan Huseyin Kayahan (earned 500 total points)
ID: 22746532
access-list outside_access_in extended permit gre any interface outside log disable
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit tcp any interface outside eq 3389
no access-list outside_access_in extended permit gre any host sbsserver log disable
no access-list outside_access_in extended permit tcp any eq pptp host sbsserver
no access-list outside_access_in extended permit tcp any eq 3389 host sbsserver
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22746535
btw, you may need a one-to-one static NAT for GRE instead of PAT
 

Author Comment

by:getair
ID: 22746663
Will try these things .. this is how it ended up in using the GUI.
 

Author Comment

by:getair
ID: 22747712
By doing:

  access-list outside_access_in extended permit gre any interface outside log disable
  access-list outside_access_in extended permit tcp any interface outside eq pptp
  access-list outside_access_in extended permit tcp any interface outside eq 3389
  no access-list outside_access_in extended permit gre any host sbsserver log disable
  no access-list outside_access_in extended permit tcp any eq pptp host sbsserver
  no access-list outside_access_in extended permit tcp any eq 3389 host sbsserver

I was able to RDP into the system and partially start my PPTP connection.

Upon adding this command, I then completed the PPTP inbound:

  fixup protocol pptp 1723
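The reason the accepted answer works, and why the final "fixup protocol pptp 1723" was needed, is not spelled out in the thread, so here is the end state written out as one config with the reasoning in comments. This is an added example, not text or config from the thread or from Cisco; it reuses the names and addresses from the posted config (sbsserver = 192.168.1.10, PAT on the outside interface) and adds, for comparison only, the equivalent on ASA 8.3 and later, which is not the 7.2(4) code the question is about. The class-map/policy-map lines are the default 7.x Modular Policy Framework objects that the posted config omits; the object names in the 8.3+ part are made up for the example.

```cisco
! Pre-8.3 ASA (7.2(4) in the question): an ACL applied inbound on "outside" is
! matched against the MAPPED (public) address, because the ACL lookup runs before
! NAT untranslation. "permit ... host sbsserver" therefore never matches inbound
! packets, which arrive addressed to the outside interface IP. Hence the fix.
names
name 192.168.1.10 sbsserver description sbsserver
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! Port statics (PAT on the outside interface address) for RDP and the PPTP control channel
static (inside,outside) tcp interface 3389 sbsserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1723 sbsserver 1723 netmask 255.255.255.255
!
access-list outside_access_in remark inbound RDP and PPTP, matched on the outside interface address
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq pptp
! GRE (IP protocol 47) is the PPTP data channel; kept here as the thread ended up with it
access-list outside_access_in extended permit gre any interface outside
access-group outside_access_in in interface outside
!
! "fixup protocol pptp 1723" is the legacy PIX spelling. On ASA 7.x the box stores it
! as Modular Policy Framework inspection. The inspection tracks the PPTP control
! session on TCP/1723 and builds the GRE translation for it, which is what lets GRE
! (no ports, so a plain PAT cannot track it) reach sbsserver through the interface PAT.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
!
! --- For comparison only: ASA 8.3 and later (NOT the thread's version). NAT became
! object-based and the ACL is matched against the REAL (inside) address, so the
! questioner's original "host 192.168.1.10" style is the correct one there.
! Object names below are assumed for this example.
object network sbsserver-rdp
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 3389 3389
object network sbsserver-pptp
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 1723 1723
access-list outside_access_in_83 extended permit tcp any host 192.168.1.10 eq 3389
access-list outside_access_in_83 extended permit tcp any host 192.168.1.10 eq pptp
access-list outside_access_in_83 extended permit gre any host 192.168.1.10
access-group outside_access_in_83 in interface outside
```

To check which address the ACL is being evaluated against on a given version, run packet-tracer from exec mode with the outside interface's current PPPoE address as the destination, for example `packet-tracer input outside tcp 198.51.100.7 40000 <outside-ip> 3389 detailed` (198.51.100.7 is a made-up source); the ACCESS-LIST and NAT phases show whether the flow is dropped before or after untranslation. `show xlate` should list the two port statics, and after a PPTP client connects `show conn` should show the TCP/1723 connection plus a GRE entry created by the inspection; if the GRE entry never appears, the inspection is not in the active policy. One caveat the thread does not raise: these entries expose RDP and PPTP to `any` source on the Internet, so where the remote sites are known, narrow the source of the 3389 and 1723 entries to those addresses and keep ACL logging enabled rather than `log disable`.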