  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1372

Cisco ASA: Services terminating at interface are disabled.

When I tried to enter the following static command on my Cisco ASA 5510 firewall, I got the following messages:
static (inside,outside) interface 192.168.18.18 netmask 255.255.255.255 0 0

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

I could perform the static command with my PIX515E firewall without any warnings, and the static translation worked ok.  But with ASA, the translation would not work.  Is this because by default, the translation to interface is disabled in ASA?  Please help.  Thank you.
0
Asked: hoggiee
 
ski3987 Commented:
please let us see your full config
0
 
hoggiee (Author) Commented:
My fw config is very, very long, and for security reasons I can't post it here.  I just want to find out if services terminating at an interface have been disabled on ASA, and if there is any way to enable them.  Thanks.
0
 
egyptco Commented:
well if you'd like to perform static translation, which redirects all inbound traffic to your server on inside 192.168.18.18, besides the static rule you need to allow traffic on the outside interface. e.g. you want only ssh

access-list acl-outside permit tcp any interface outside eq 22
access-group acl-outside in int outside

the warning message is pretty normal and what it says is that you are redirecting all inbound traffic to single host 192.168.18.18 so in our example with ssh you won't be able to terminate ssh to the firewall (no access with ssh to outside interface) or any other traffic (e.g. vpn), since all traffic is redirected to inside host. there must be other reason for your redirection not to work but from the fragmentary information you provided it is hard to say. the warning message is not one of them.

just to add that using static like you did is not one of the best practices. instead of interface keyword better use one of external addresses from the range given you from your provider, which should represent your inside server into outside. if you have only single address assigned from ISP you still can do PAT static translation. back to our example:

static (inside,outside) tcp interface 22 192.168.18.18 22
0
 
hoggiee (Author) Commented:
I am only given 1 single fixed public IP by my ISP.  I actually tried the PAT static translation as you told me but I still cannot connect to my internal server from outside.  I attach here my fw config.  This is the config of a PIX firewall, instead of ASA.  Since my initial attempts failed with ASA, I am trying my luck with my PIX firewall now.  Please help.  Thanks.
fwconf.txt
0
 
egyptco Commented:
pretty much if it works with your pix i don't see any reason not to work with the asa. so your problem was you can't access (rdp) an internal server 192.168.18.18 from outside. i noticed from your configuration that 192.168.18.18 is actually the inside ip address from the pix and the windows server was 192.168.218.222. so i suppose you changed the addressing and now your server has 192.168.18.18. then you need on the asa only these commands:

access-list outside permit tcp any interface outside eq 3389
access-group outside in int outside
static (inside,outside) tcp interface 3389 192.168.18.18 3389 netmask 255.255.255.255

actually on second read i can't find route to your 192.168.218.0 network. it wasn't directly connected to your firewall, was it? you should have had route to this network on your pix to make it reachable.



0
 
hoggiee (Author) Commented:
egyptco:

Thanks for helping.  The IP for the internal server is actually 192.168.18.19 (I forgot to update it).  I have exactly the commands as told by you on pix/asa, but still I cannot RDP to the internal server.  I tried other ports e.g. www and FTP, all failed.  Any ideas?
0
 
egyptco Commented:
dunno it should work. make sure rdp is correctly configured on your server. you can try also one test. it is basically your old config redirect all traffic to your inside server.

access-list outside permit ip any interface outside
access-group outside in int outside
static (inside,outside) interface 192.168.18.19 netmask 255.255.255.255

and now from outside host ping the outside interface 60.x.y.16. and vice versa from the server try to ping something on internet.
check if you can ping inside interface 192.168.18.18 of the pix/asa from your server
check if you can ping your service provider router 60.x.y.15 from your pix/asa

somewhere you are losing reachability because your configuration is correct.
0
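An added example, not part of any post in this thread: a small Python check that flags the two patterns discussed above, the full-interface static that triggers the warning and the "permit ip any interface" test ACL, so the wide-open test rules are not left in place after troubleshooting. The audit function, the finding codes and the sample configs are constructed for illustration and assume the static/access-list syntax used in the thread.

```python
import re

# Syntax as used in the thread (static / access-list / access-group lines).
STATIC_ALL = re.compile(r"^static \((\w+),(\w+)\) interface (\d+(?:\.\d+){3})\b")
ACL_ANY_IP = re.compile(r"^access-list (\S+) (?:extended )?permit ip any interface (\w+)\b")
ACL_BIND = re.compile(r"^access-group (\S+) in int\w* (\w+)\b")

def audit(config):
    """Return (code, interface, detail) findings for a PIX/ASA config text."""
    redirects, open_acls, bound = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_ALL.match(line):
            redirects[m.group(2)] = m.group(3)   # mapped interface -> inside host
        elif m := ACL_ANY_IP.match(line):
            open_acls[m.group(1)] = m.group(2)   # ACL name -> interface it opens
        elif m := ACL_BIND.match(line):
            bound[m.group(2)] = m.group(1)       # interface -> inbound ACL name
    findings = []
    for ifc, host in redirects.items():
        findings.append(("STATIC_ALL", ifc, f"all traffic to {ifc} goes to {host}; "
                         "services terminating on the interface are disabled"))
    for ifc, acl in bound.items():
        if open_acls.get(acl) == ifc:
            findings.append(("ACL_ANY_IP", ifc, f"{acl} permits every protocol and port"))
            if ifc in redirects:
                findings.append(("HOST_EXPOSED", ifc,
                                 f"every port on {redirects[ifc]} is reachable from {ifc}"))
    return findings

# Constructed sample: the connectivity-test rules from the thread.
TEST_CONFIG = """\
access-list outside permit ip any interface outside
access-group outside in int outside
static (inside,outside) interface 192.168.18.19 netmask 255.255.255.255
"""
# Constructed sample: the port-specific RDP rules from the thread.
RDP_ONLY_CONFIG = """\
access-list outside permit tcp any interface outside eq 3389
access-group outside in int outside
static (inside,outside) tcp interface 3389 192.168.18.18 3389 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("test", TEST_CONFIG), ("rdp-only", RDP_ONLY_CONFIG)):
        for finding in audit(cfg):
            print(name, *finding, sep=" | ")
```

The test rules produce all three findings, while the port-specific RDP rules produce none.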
 
hoggiee (Author) Commented:
Found out that it's indeed a configuration mistake in the broadband router provided by ISP.  On the router, I configured a static NAT (DMZ option) on the IP of the router to the outside interface of my firewall.  Then on my firewall, another static translation from the interface to internal server as per your comment.  Everything works as I wish.  Thanks for your help.
0
