Solved

Cisco ASA: Services terminating at interface are disabled.

Posted on 2009-05-11
Last Modified: 2012-05-06
When I tried to enter the following Static command onto my Cisco ASA 5510 firewall, I get the following messages:
static (inside,outside) interface 192.168.18.18 netmask 255.255.255.255 0 0

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

I could perform the static command with my PIX515E firewall without any warnings, and the static translation worked ok.  But with ASA, the translation would not work.  Is this because by default, the translation to interface is disabled in ASA?  Please help.  Thank you.
Question by:hoggiee

Expert Comment

by:ski3987
please let us see your full config

Author Comment

by:hoggiee
My fw config is very very long and for security reasons, I can't post it here.  I just want to find out if services terminating at an interface have been disabled on ASA, and if there is any way to enable it.  Thanks.

Assisted Solution

by:egyptco
well if you'd like to perform static translation, which redirects all inbound traffic to your server on inside 192.168.18.18, besides the static rule you need to allow traffic on the outside interface. e.g. you want only ssh

access-list acl-outside permit tcp any interface outside eq 22
access-group acl-outside in int outside

the warning message is pretty normal and what it says is that you are redirecting all inbound traffic to a single host 192.168.18.18 so in our example with ssh you won't be able to terminate ssh to the firewall (no access with ssh to outside interface) or any other traffic (e.g. vpn), since all traffic is redirected to inside host. there must be other reason for your redirection not to work but from the fragment of information you provided it is hard to say. the warning message is not one of them.

just to add that using static like you did is not one of the best practices. instead of interface keyword better use one of external addresses from the range given you from your provider, which should represent your inside server into outside. if you have only single address assigned from ISP you still can do PAT static translation. back to our example:

static (inside,outside) tcp interface 22 192.168.18.18 22

Author Comment

by:hoggiee
I am only given 1 single fixed public IP by my ISP.  I actually tried the PAT static translation as you told me but I still cannot connect to my internal server from outside.  I attach here my fw config.  This is the config of a PIX firewall, instead of ASA.  Since my initial attempts failed with ASA, I am trying my luck with my PIX firewall now.  Please help.  Thanks.
fwconf.txt

Expert Comment

by:egyptco
pretty much if it works with your pix i don't see any reason not to work with the asa. so your problem was you can't access (rdp) an internal server 192.168.18.18 from outside. i noticed from your configuration that 192.168.18.18 is actually the inside ip address from the pix and the windows server was 192.168.218.222. so i suppose you changed the addressing and now your server has 192.168.18.18. then you need on the asa only these commands:

access-list outside permit tcp any interface outside eq 3389
access-group outside in int outside
static (inside,outside) tcp interface 3389 192.168.18.18 3389 netmask 255.255.255.255

actually on second read i can't find route to your 192.168.218.0 network. it wasn't directly connected to your firewall, was it? you should have had route to this network on your pix to make it reachable.

Author Comment

by:hoggiee
egyptco:

Thanks for helping.  The IP for the internal server is actually 192.168.18.19 (I forgot to update it).  I have exactly the commands as told by you on pix/asa, but still I cannot RDP to the internal server.  I tried other ports e.g. www and FTP, all failed.  Any ideas?

Assisted Solution

by:egyptco
dunno it should work. make sure rdp is correctly configured on your server. you can try also one test. it is basically your old config redirect all traffic to your inside server.

access-list outside permit ip any interface outside
access-group outside in int outside
static (inside,outside) interface 192.168.18.19 netmask 255.255.255.255

and now from an outside host ping the outside interface 60.x.y.16. and vice versa from the server try to ping something on internet.
check if you can ping inside interface 192.168.18.18 of the pix/asa from your server
check if you can ping your service provider router 60.x.y.15 from your pix/asa

somewhere you are losing reachability because your configuration is correct.

Accepted Solution

by:hoggiee
Found out that it's indeed a configuration mistake in the broadband router provided by ISP.  On the router, I configured a static NAT (DMZ option) on the IP of the router to the outside interface of my firewall.  Then on my firewall, another static translation from the interface to internal server as per your comment.  Everything works as I wish.  Thanks for your help.
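
A config check for the points raised in the replies above, added here as an example and not code from the thread or from Cisco: it flags an interface-wide static (the rule that triggers the WARNING), an ACL that permits all traffic to the interface, and a static PAT entry with no matching permit. It assumes the pre-8.3 PIX/ASA `static` syntax quoted in the thread; the `audit` function, the finding names and the two sample configs are constructed for illustration.

```python
import re

FULL_RE = re.compile(r"static \((\w+),(\w+)\) interface (\d+(?:\.\d+){3})\b")
PAT_RE = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) interface (\S+) (\d+(?:\.\d+){3}) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit (\S+) any interface (\w+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"access-group (\S+) in int(?:erface)? (\w+)")

# Constructed samples built from the commands quoted in the thread.
WEAK = """access-list outside permit ip any interface outside
access-group outside in int outside
static (inside,outside) interface 192.168.18.19 netmask 255.255.255.255"""
NARROW = """access-list outside permit tcp any interface outside eq 3389
access-group outside in int outside
static (inside,outside) tcp interface 3389 192.168.18.18 3389 netmask 255.255.255.255"""

def audit(config):
    """Return sorted (finding, detail) tuples for interface-keyword static rules."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bound = {}       # interface -> name of the ACL applied inbound on it
    for l in lines:
        m = GROUP_RE.match(l)
        if m:
            bound[m.group(2)] = m.group(1)
    permits = set()  # (interface, protocol, port or None), bound ACLs only
    for l in lines:
        m = ACL_RE.match(l)
        if m and bound.get(m.group(3)) == m.group(1):
            permits.add((m.group(3), m.group(2), m.group(4)))
    # A permit with protocol "ip" or without "eq" opens every port to the interface.
    findings = [("broad-acl", f"{p} any -> interface {i}")
                for i, p, port in permits if p == "ip" or port is None]
    for l in lines:
        full, pat = FULL_RE.match(l), PAT_RE.match(l)
        if full:     # no protocol/port: every inbound packet is sent to one host
            findings.append(("full-redirect", f"{full.group(2)} -> {full.group(3)}"))
        elif pat:    # static PAT: needs a permit for the same protocol and port
            _, iface, proto, mport, real_ip, rport = pat.groups()
            allowed = any(i == iface and (p == "ip" or (p == proto and port in (None, mport)))
                          for i, p, port in permits)
            if not allowed:
                findings.append(("pat-without-acl", f"{proto}/{mport} -> {real_ip}:{rport}"))
    return sorted(findings)

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("NARROW", NARROW)):
        print(name, audit(cfg))
```

Ports are compared as written, so a rule that uses a service name (`ssh`) will not match an ACL entry that uses the number (`22`).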