Solved

Cisco ASA: Services terminating at interface are disabled.

Posted on 2009-05-11
Last Modified: 2012-05-06
When I tried to enter the following static command on my Cisco ASA 5510 firewall, I got the following messages:
static (inside,outside) interface 192.168.18.18 netmask 255.255.255.255 0 0

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

I could perform the static command with my PIX515E firewall without any warnings, and the static translation worked ok.  But with ASA, the translation would not work.  Is this because by default, the translation to interface is disabled in ASA?  Please help.  Thank you.
0
Comment
Question by:hoggiee
 
LVL 1

Expert Comment

by:ski3987
ID: 24361338
please let us see your full config
0
 

Author Comment

by:hoggiee
ID: 24361588
My fw config is very very long and due to security reason, I can't post it here.  I just want to find out if services terminating at an interface have been disabled on ASA, and if there is anyway to enable it.  Thanks.
0
 
LVL 7

Assisted Solution

by:egyptco
egyptco earned 500 total points
ID: 24362582
well if you'd like to perform static translation, which redirects all inbound traffic to your server on inside 192.168.18.18, besides the static rule you need to allow traffic on the outside interface. e.g. you want only ssh

access-list acl-outside permit tcp any interface outside eq 22
access-group acl-outside in int outside

the warning message is pretty normal and what it says is that you are redirecting all inbound traffic to single host 192.168.18.18 so in our example with ssh you won't be able to terminate ssh to the firewall (no access with ssh to outside interface) or any other traffic (e.g. vpn), since all traffic is redirected to inside host. there must be other reason for your redirection not to work but from fragment information you provided it is hard to say. the warning message is not one of them.

just to add that using static like you did is not one of the best practices. instead of interface keyword better use one of external addresses from the range given you from your provider, which should represent your inside server into outside. if you have only single address assigned from ISP you still can do PAT static translation. back to our example:

static (inside,outside) tcp interface 22 192.168.18.18 22
0
 

Author Comment

by:hoggiee
ID: 24372309
I am only given 1 single fixed public IP by my ISP.  I actually tried the PAT static translation as you told me, but I still cannot connect to my internal server from outside.  I attach here my fw config.  This is the config of a PIX firewall, instead of ASA.  Since my initial attempts failed with ASA, I am trying my luck with my PIX firewall now.  Please help.  Thanks.
fwconf.txt
0

 
LVL 7

Expert Comment

by:egyptco
ID: 24372624
pretty much if it works with your pix i don't see any reason not to work with the asa. so your problem was you can't access (rdp) an internal server 192.168.18.18 from outside. i noticed from your configuration that 192.168.18.18 is actually the inside ip address from the pix and the windows server was 192.168.218.222. so i suppose you changed the addressing and now your server has 192.168.18.18. then you need on the asa only these commands:

access-list outside permit tcp any interface outside eq 3389
access-group outside in int outside
static (inside,outside) tcp interface 3389 192.168.18.18 3389 netmask 255.255.255.255

actually on second read i can't find route to your 192.168.218.0 network. it wasn't directly connected to your firewall, was it? you should have had route to this network on your pix to make it reachable.



0
 

Author Comment

by:hoggiee
ID: 24372688
egyptco:

Thanks for helping.  The IP for the internal server is actually 192.168.18.19 (I forgot to update it).  I have exactly the commands as told by you on pix/asa, but still I cannot RDP to the internal server.  I tried other ports e.g. www and FTP, all failed.  Any ideas?
0
 
LVL 7

Assisted Solution

by:egyptco
egyptco earned 500 total points
ID: 24372862
dunno it should work. make sure rdp is correctly configured on your server. you can try also one test. it is basically your old config redirect all traffic to your inside server.

access-list outside permit ip any interface outside
access-group outside in int outside
static (inside,outside) interface 192.168.18.19 netmask 255.255.255.255

and now from outside host ping the outside interface 60.x.y.16. and vice versa from the server try to ping something on internet.
check if you can ping inside interface 192.168.18.18 of the pix/asa from your server
check if you can ping your service provider router 60.x.y.15 from your pix/asa

somewhere you are losing reachability because your configuration is correct.
0
 

Accepted Solution

by:
hoggiee earned 0 total points
ID: 24404761
Found out that it's indeed a configuration mistake in the broadband router provided by ISP.  On the router, I configured a static NAT (DMZ option) on the IP of the router to the outside interface of my firewall.  Then on my firewall, another static translation from the interface to internal server as per your comment.  Everything works as I wish.  Thanks for your help.
0
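
A configuration check for the two conditions discussed in this thread, as an added example that is not part of any post above: it flags a `static ... interface <host>` rule that redirects all traffic arriving at an interface (the case that produces the warning), and flags a static PAT rule with no matching permit in an ACL bound inbound to that interface. It assumes the pre-8.3 PIX/ASA syntax shown in the thread and numeric ports only; the finding names and the sample config are constructed for illustration.

```python
import re

STATIC_RE = re.compile(
    r"^static \((?P<real>\S+),(?P<mapped>\S+)\) "
    r"(?:(?P<proto>tcp|udp) interface (?P<mport>\d+) (?P<host>\S+) (?P<rport>\d+)"
    r"|interface (?P<allhost>\d+\.\d+\.\d+\.\d+))")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:extended )?permit (?P<proto>ip|tcp|udp) any "
    r"interface (?P<ifc>\S+)(?: eq (?P<port>\d+))?")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in int(?:erface)? (?P<ifc>\S+)")

# Constructed sample, written only to trigger both findings in one pass.
SAMPLE = """\
static (inside,outside) interface 192.168.18.18 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.18.19 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 22 192.168.18.18 22
access-list acl-outside permit tcp any interface outside eq 22
access-group acl-outside in int outside
"""

def audit(config):
    """Return (finding, interface, detail) tuples for a PIX/ASA config text."""
    statics, acls, bound = [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m)
        elif m := ACL_RE.match(line):
            acls.append(m)
        elif m := GROUP_RE.match(line):
            bound[m["ifc"]] = m["name"]      # ACL applied inbound on this interface
    findings = []
    for s in statics:
        ifc = s["mapped"]
        if s["allhost"]:
            # Everything hitting the interface goes to one host, so SSH/VPN
            # terminating on the firewall itself stops working.
            findings.append(("all-traffic-redirect", ifc, s["allhost"]))
            continue
        permitted = any(
            a["name"] == bound.get(ifc) and a["ifc"] == ifc
            and a["proto"] in ("ip", s["proto"])
            and a["port"] in (None, s["mport"])   # no "eq" means every port
            for a in acls)
        if not permitted:
            findings.append(("pat-without-acl", ifc, f'{s["proto"]}/{s["mport"]}'))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A clean result only means the firewall's own rules are consistent; as the accepted solution shows, an upstream device can still be the part that drops the traffic.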
