Cisco ASA: Services terminating at interface are disabled.

When I tried to enter the following static command on my Cisco ASA 5510 firewall, I got the following messages:
static (inside,outside) interface 192.168.18.18 netmask 255.255.255.255 0 0

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

I could perform the static command with my PIX515E firewall without any warnings, and the static translation worked ok.  But with ASA, the translation would not work.  Is this because by default, the translation to interface is disabled in ASA?  Please help.  Thank you.
hoggiee Asked:
 
hoggiee Author Commented:
Found out that it's indeed a configuration mistake in the broadband router provided by ISP.  On the router, I configured a static NAT (DMZ option) on the IP of the router to the outside interface of my firewall.  Then on my firewall, another static translation from the interface to internal server as per your comment.  Everything works as I wish.  Thanks for your help.
0
 
ski3987 Commented:
please let us see your full config
0
 
hoggiee Author Commented:
My fw config is very very long and for security reasons, I can't post it here.  I just want to find out if services terminating at an interface have been disabled on ASA, and if there is any way to enable it.  Thanks.
0
 
egyptco Commented:
well if you'd like to perform static translation, which redirects all inbound traffic to your server on inside 192.168.18.18, besides the static rule you need to allow traffic on the outside interface. e.g. you want only ssh

access-list acl-outside permit tcp any interface outside eq 22
access-group acl-outside in int outside

the warning message is pretty normal and what it says is that you are redirecting all inbound traffic to single host 192.168.18.18 so in our example with ssh you won't be able to terminate ssh to the firewall (no access with ssh to outside interface) or any other traffic (e.g. vpn), since all traffic is redirected to inside host. there must be other reason for your redirection not to work but from fragment information you provided it is hard to say. the warning message is not one of them.

just to add that using static like you did is not one of the best practices. instead of interface keyword better use one of external addresses from the range given you from your provider, which should represent your inside server into outside. if you have only single address assigned from ISP you still can do PAT static translation. back to our example:

static (inside,outside) tcp interface 22 192.168.18.18 22
0
 
hoggiee Author Commented:
I am only given 1 single fixed public IP by my ISP.  I actually tried the PAT static translation as what you told but I still cannot connect to my internal server from outside.  I attach here my fw config.  This is the config of a PIX firewall, instead of ASA.  Since my initial attempts failed with ASA, I am trying my luck with my PIX firewall now.  Please help.  Thanks.
fwconf.txt
0
 
egyptco Commented:
pretty much if it works with your pix i don't see any reason not to work with the asa. so your problem was you can't access (rdp) an internal server 192.168.18.18 from outside. i noticed from your configuration that 192.168.18.18 is actually the inside ip address from the pix and the windows server was 192.168.218.222. so i suppose you changed the addressing and now your server has 192.168.18.18. then you need on the asa only these commands:

access-list outside permit tcp any interface outside eq 3389
access-group outside in int outside
static (inside,outside) tcp interface 3389 192.168.18.18 3389 netmask 255.255.255.255

actually on second read i can't find route to your 192.168.218.0 network. it wasn't directly connected to your firewall, was it. you should have had route to this network on your pix to make it reachable.



0
 
hoggiee Author Commented:
egyptco:

Thanks for helping.  The IP for the internal server is actually 192.168.18.19 (i forgot to update it).  I have exactly the commands as told by you on pix/asa, but still i cannot RDP to the internal server.  I tried other port e.g. www and FTP, all failed.  Any ideas?
0
 
egyptco Commented:
dunno it should work. make sure rdp is correctly configured on your server. you can try also one test. it is basically your old config redirect all traffic to your inside server.

access-list outside permit ip any interface outside
access-group outside in int outside
static (inside,outside) interface 192.168.18.19 netmask 255.255.255.255

and now from outside host ping the outside interface 60.x.y.16. and vice versa from the server try to ping something on internet.
check if you can ping inside interface 192.168.18.18 of the pix/asa from your server
check if you can ping your service provider router 60.x.y.15 from your pix/asa

somewhere you are losing reachability because your configuration is correct.
0
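A configuration check for the command forms posted in this thread, added here as an example and not written by any participant: it flags an interface-wide static (the form that produces the two WARNING lines), a static PAT entry with no matching inbound permit, and a permit-everything test rule left bound to the interface. The finding codes, the port-name map and the sample config are assumptions made for this example, and only the pre-8.3 syntax shown above is parsed.

```python
import re

# Constructed sample (not the poster's attached config); addresses follow the thread.
SAMPLE = """\
access-list outside permit tcp any interface outside eq 3389
access-group outside in int outside
static (inside,outside) tcp interface 3389 192.168.18.19 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.18.19 www netmask 255.255.255.255
"""

# Assumed subset of port keywords the firewall prints in place of numbers.
PORT_NAMES = {"ssh": "22", "www": "80", "ftp": "21", "https": "443"}
STATIC = re.compile(r"static \(\w+,(\w+)\) (?:(tcp|udp) )?interface (\S+)")
PERMIT = re.compile(r"access-list (\S+) (?:extended )?permit (ip|tcp|udp) "
                    r"any interface (\w+)(?: eq (\S+))?")
GROUP = re.compile(r"access-group (\S+) in int(?:erface)? (\w+)")

def port(tok):
    return PORT_NAMES.get(tok, tok)

def audit(config):
    """Return (code, line) findings for static/ACL pairs in the config text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # interface name -> ACL applied inbound on it
    bound = {m.group(2): m.group(1) for l in lines if (m := GROUP.match(l))}
    permits = [(m.groups(), l) for l in lines if (m := PERMIT.match(l))]
    findings = []
    for (acl, proto, ifc, eq), l in permits:
        if proto == "ip" and bound.get(ifc) == acl:
            findings.append(("ACL_PERMITS_ALL_IP", l))
    for l in lines:
        m = STATIC.match(l)
        if not m:
            continue
        ifc, proto, tok = m.groups()
        if proto is None:
            # No protocol/port: every inbound packet is redirected, so nothing
            # (ssh, vpn) can terminate on the firewall's own interface.
            findings.append(("STATIC_REDIRECTS_ALL", l))
            continue
        ok = any(acl == bound.get(ifc) and aifc == ifc and
                 (ap == "ip" or (ap == proto and (eq is None or port(eq) == port(tok))))
                 for (acl, ap, aifc, eq), _ in permits)
        if not ok:
            findings.append(("STATIC_PAT_WITHOUT_PERMIT", l))
    return findings

if __name__ == "__main__":
    for code, line in audit(SAMPLE):
        print(code, "|", line)
```
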
Question has a verified solution.
