Solved

Cisco ASA: Services terminating at interface are disabled.

Posted on 2009-05-11
Last Modified: 2012-05-06
When I try to enter the following static command on my Cisco ASA 5510 firewall, I get the following messages:
static (inside,outside) interface 192.168.18.18 netmask 255.255.255.255 0 0

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

I could perform the static command with my PIX515E firewall without any warnings, and the static translation worked ok.  But with ASA, the translation would not work.  Is this because by default, the translation to interface is disabled in ASA?  Please help.  Thank you.
0
Question by:hoggiee
8 Comments
 
LVL 1

Expert Comment

by:ski3987
ID: 24361338
please let us see your full config
0
 

Author Comment

by:hoggiee
ID: 24361588
My fw config is very, very long and, for security reasons, I can't post it here.  I just want to find out if services terminating at an interface have been disabled on ASA, and if there is any way to enable it.  Thanks.
0
 
LVL 7

Assisted Solution

by:egyptco
egyptco earned 500 total points
ID: 24362582
well if you'd like to perform static translation, which redirects all inbound traffic to your server on inside 192.168.18.18, besides the static rule you need to allow traffic on the outside interface. e.g. you want only ssh

access-list acl-outside permit tcp any interface outside eq 22
access-group acl-outside in int outside

the warning message is pretty normal and what it says is that you are redirecting all inbound traffic to a single host 192.168.18.18, so in our example with ssh you won't be able to terminate ssh to the firewall (no access with ssh to outside interface) or any other traffic (e.g. vpn), since all traffic is redirected to the inside host. there must be another reason for your redirection not to work but from the fragmentary information you provided it is hard to say. the warning message is not one of them.

just to add that using static like you did is not one of the best practices. instead of the interface keyword, better use one of the external addresses from the range given to you by your provider, which should represent your inside server to the outside. if you have only a single address assigned from the ISP you can still do a PAT static translation. back to our example:

static (inside,outside) tcp interface 22 192.168.18.18 22
0
 

Author Comment

by:hoggiee
ID: 24372309
I am only given 1 single fixed public IP by my ISP.  I actually tried the PAT static translation as you told me, but I still cannot connect to my internal server from outside.  I attach here my fw config.  This is the config of a PIX firewall, instead of ASA.  Since my initial attempts failed with ASA, I am trying my luck with my PIX firewall now.  Please help.  Thanks.
fwconf.txt
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24372624
pretty much if it works with your pix i don't see any reason for it not to work with the asa. so your problem was you can't access (rdp) an internal server 192.168.18.18 from outside. i noticed from your configuration that 192.168.18.18 is actually the inside ip address of the pix and the windows server was 192.168.218.222. so i suppose you changed the addressing and now your server has 192.168.18.18. then you need on the asa only these commands:

access-list outside permit tcp any interface outside eq 3389
access-group outside in int outside
static (inside,outside) tcp interface 3389 192.168.18.18 3389 netmask 255.255.255.255

actually on second read i can't find a route to your 192.168.218.0 network. it wasn't directly connected to your firewall, was it? you should have had a route to this network on your pix to make it reachable.



0
 

Author Comment

by:hoggiee
ID: 24372688
egyptco:

Thanks for helping.  The IP for the internal server is actually 192.168.18.19 (I forgot to update it).  I have exactly the commands as told by you on pix/asa, but still I cannot RDP to the internal server.  I tried other ports, e.g. www and FTP; all failed.  Any ideas?
0
 
LVL 7

Assisted Solution

by:egyptco
egyptco earned 500 total points
ID: 24372862
dunno, it should work. make sure rdp is correctly configured on your server. you can also try one test. it is basically your old config: redirect all traffic to your inside server.

access-list outside permit ip any interface outside
access-group outside in int outside
static (inside,outside) interface 192.168.18.19 netmask 255.255.255.255

and now from an outside host ping the outside interface 60.x.y.16. and vice versa, from the server try to ping something on the internet.
check if you can ping inside interface 192.168.18.18 of the pix/asa from your server
check if you can ping your service provider router 60.x.y.15 from your pix/asa

somewhere you are losing reachability because your configuration is correct.
0
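An added example, not part of the original thread: a small Python check that scans a pre-8.3 PIX/ASA configuration for the two broad settings discussed in the answers above, the all-port `static ... interface` redirect that triggers the warning and the `permit ip any interface outside` test ACL. The sample configuration is constructed from the commands quoted in the thread; the function name `audit` and the rule names are assumptions.

```python
import re

# Constructed sample in pre-8.3 PIX/ASA syntax, built from the thread's commands.
SAMPLE_CONFIG = """\
access-list outside permit ip any interface outside
access-list outside permit tcp any interface outside eq 3389
access-group outside in interface outside
static (inside,outside) interface 192.168.18.19 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.18.19 3389 netmask 255.255.255.255
"""

# static (real_if,mapped_if) [tcp|udp] interface <rest of line>
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\)\s+(?:(tcp|udp)\s+)?interface\s+(.*)$")
# access-list NAME [extended] permit PROTO any interface IFNAME [eq PORT]
ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit (\S+) any interface (\S+)(?: eq (\S+))?")


def audit(config):
    """Return (line_no, rule, detail) for each overly broad statement found."""
    findings = []
    for line_no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            _real_if, mapped_if, proto, rest = m.groups()
            if proto is None:  # no tcp/udp keyword: every port is redirected
                host = rest.split()[0]
                findings.append((line_no, "static-all-ports",
                                 f"all traffic to the {mapped_if} interface goes to {host}; "
                                 f"services terminating on {mapped_if} are disabled"))
            continue
        m = ACL_RE.match(line)
        if m and m.group(2) == "ip":  # 'ip' matches every protocol and port
            findings.append((line_no, "acl-permit-ip-any",
                             f"ACL {m.group(1)} permits any source to every port "
                             f"on the {m.group(3)} interface address"))
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule}: {detail}")
```

The port-specific forms (`static ... tcp interface 3389 ...` and `permit tcp ... eq 3389`) produce no finding, so a clean run means only the intended ports are published.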
 

Accepted Solution

by:
hoggiee earned 0 total points
ID: 24404761
Found out that it's indeed a configuration mistake in the broadband router provided by ISP.  On the router, I configured a static NAT (DMZ option) on the IP of the router to the outside interface of my firewall.  Then on my firewall, another static translation from the interface to internal server as per your comment.  Everything works as I wish.  Thanks for your help.
0
