Cisco ASA not allowing traffic on inbound rules

Hello,

I am replacing an old Smoothwall Firewall with a newly acquired Cisco ASA 5510.  I have configured the firewall with all the appropriate access rules to allow inbound RDP traffic for our outside developers.  But for some reason, when I cut over to the new ASA, I could not get the RDP traffic working.  I compared the config to another ASA we have at a different location and my rules are exactly the same other than IPs and port numbers.  The only thing I can think of is there is some other rule on the firewall blocking the traffic.  When looking at the ASDM I do not see the hit count for the rules changing at all, almost like no traffic is hitting that IP at all.  I know traffic destined for that IP is being routed correctly, as our Smoothwall is working fine.

Here is my config with the IPs changed for security reasons.


: Saved
:
ASA Version 8.0(3)
!
hostname 6955ASA
enable password xxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 10.10.10.162 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 90
 ip address 192.168.4.1 255.255.255.0
 management-only
!
passwd xxxxxxxxx encrypted
ftp mode passive
clock timezone MST -7
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp
object-group service 1-65000 tcp-udp
 port-object range 1 65000
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp echo-reply
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq smtp
access-list outside_access_in extended permit tcp any interface Outside eq 6969
access-list outside_access_in extended permit tcp any interface Outside eq 40466
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8004
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8013
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8920
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8950
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8960
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8980
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8970
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 7892
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8910
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 9040
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 9021
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 9060
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8000
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8020
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8940
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8040
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 7040
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 7030
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 7020
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8010
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq www
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 9050
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 9010
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 7060
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 7050
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 7070
access-list outside_access_in extended permit tcp any host 10.10.10.174 eq 5222
access-list outside_access_in extended permit udp any host 10.10.10.174 range 10000 20000
access-list outside_access_in extended permit udp any host 10.10.10.174 eq sip
access-list outside_access_in extended permit tcp any host 10.10.10.174 eq 6600
access-list outside_access_in extended permit tcp any host 10.10.10.174 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.0.221 eq 7010
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.10.10.163 eq 6666
access-list Inside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 10.10.10.164 8004 192.168.0.110 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 8013 192.168.0.113 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 8950 192.168.0.85 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 8960 192.168.0.41 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 8980 192.168.0.233 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 8970 192.168.0.89 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 7892 192.168.0.119 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 8910 192.168.0.211 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 9040 192.168.0.181 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 9021 192.168.0.26 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 9060 192.168.0.230 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 8000 192.168.0.40 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 8020 192.168.0.217 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 8940 192.168.0.121 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 7040 192.168.0.224 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 7030 192.168.0.223 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 7020 192.168.0.222 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 9050 192.168.0.122 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 7060 192.168.0.226 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 7050 192.168.0.225 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 7070 192.168.0.227 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 7010 192.168.0.221 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 67.137.124.163 6666 192.168.0.39 3389 netmask 255.255.255.255
static (Outside,Inside) 67.137.124.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside) 10.10.10.174 192.168.0.241 netmask 255.255.255.255
access-group outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 67.137.124.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.4.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map Outside_map1 1 match address Inside_1_cryptomap
crypto map Outside_map1 1 set pfs
crypto map Outside_map1 1 set peer 9.9.9.228
crypto map Outside_map1 1 set transform-set ESP-AES-128-MD5 ESP-AES-128-SHA
crypto map Outside_map1 interface Outside
crypto isakmp enable Outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.0.0 255.255.255.0 Inside
telnet 92.168.0.0 255.255.255.0 Inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.4.2-192.168.4.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group 9.9.9.228 type ipsec-l2l
tunnel-group 9.9.9.228 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9540ec2baad2c19c9a2326da0ea7a9c0
: end
asdm image disk0:/asdm-641.bin
no asdm history enable

Does anyone see what might be blocking this traffic?
NickLarson asked:

NickLarson (Author) commented:
Last night I swapped back over to our Cisco ASA.  I turned logging on but could not see any traffic hitting the ASA on the 10.10.10.164 IP.  So I called our ISP and had them clear the ARP cache on our router.  Once they did that everything started working.  We are good to go now.
0
 
John Meggers (Network Architect) commented:
I must be missing where you've allowed RDP inbound.  I don't see port 3389 anywhere.
0
 
NickLarson (Author) commented:
If you look at the static NATs, we are redirecting port 3389 to different external ports, i.e.

static (Inside,Outside) tcp 10.10.10.164 8004 192.168.0.110 3389 netmask 255.255.255.255

So the user would use 10.10.10.164:8004 from their end.  The ASA will see this incoming traffic and redirect it to 192.168.0.110 on 3389.  This is how we are doing it at another location and it is working flawlessly.  This allows us to use one external IP for multiple internal hosts.

This is the matching ACL:

access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8004
0
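The port-forwarding scheme described above only works when every static PAT entry has an access-list entry that names the same mapped address and port, and (on pre-8.3 ASA code such as the 8.0(3) in this thread) when the outside ACL names the mapped address rather than the inside host. The checker below is an added example, not something from the thread or from Cisco; it parses a small excerpt of the posted config (the lines are copied from the question, with the addresses as anonymised there) and reports statics without a permit, permits without a static, and permits that name an inside address. Note that the posted config mixes two outside ranges (10.10.10.x and 67.137.124.x), so the 6666 entries are flagged as a mismatch; whether that is only an artefact of anonymising the addresses is something the poster would have to confirm on the real config.

```python
import re
from typing import List, NamedTuple, Tuple

# Excerpt of the config posted in the question (addresses as anonymised there).
CONFIG_EXCERPT = """
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8004
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8013
access-list outside_access_in extended permit tcp any host 10.10.10.164 eq 8920
access-list outside_access_in extended permit tcp any host 192.168.0.221 eq 7010
access-list outside_access_in extended permit tcp any host 10.10.10.163 eq 6666
static (Inside,Outside) tcp 10.10.10.164 8004 192.168.0.110 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 8013 192.168.0.113 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.10.10.164 7010 192.168.0.221 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 67.137.124.163 6666 192.168.0.39 3389 netmask 255.255.255.255
"""

# Subset of the service keywords the ASA accepts in place of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25,
              "pop3": 110, "sip": 5060, "ssh": 22, "telnet": 23}


class StaticPat(NamedTuple):
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


class AclEntry(NamedTuple):
    proto: str
    dst_ip: str
    dst_port: int


# Pre-8.3 syntax: static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask ...
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
# Only the "permit <proto> any host <ip> eq <port>" form used by the thread's outside ACL.
ACL_RE = re.compile(r"^access-list \S+ extended permit (tcp|udp) any host (\S+) eq (\S+)")


def port_number(token: str) -> int:
    """Resolve an ASA port keyword or numeric string to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_config(text: str) -> Tuple[List[StaticPat], List[AclEntry]]:
    """Collect static PAT entries and host/port permits from running-config text."""
    statics, acl = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            proto, mip, mport, rip, rport = m.groups()
            statics.append(StaticPat(proto, mip, port_number(mport), rip, port_number(rport)))
            continue
        m = ACL_RE.match(line)
        if m:
            proto, dip, dport = m.groups()
            acl.append(AclEntry(proto, dip, port_number(dport)))
    return statics, acl


def audit(statics: List[StaticPat], acl: List[AclEntry]) -> List[str]:
    """Cross-check statics against permits; each finding is one human-readable line."""
    findings = []
    acl_keys = {(e.proto, e.dst_ip, e.dst_port) for e in acl}
    static_keys = {(s.proto, s.mapped_ip, s.mapped_port) for s in statics}
    inside_hosts = {s.real_ip for s in statics}
    for s in statics:  # a translation nobody is allowed to reach
        if (s.proto, s.mapped_ip, s.mapped_port) not in acl_keys:
            findings.append(f"static {s.mapped_ip}:{s.mapped_port} -> {s.real_ip}:{s.real_port}: "
                            "no matching permit in the outside ACL")
    for e in acl:  # a permit the ASA can never match, or one that names the wrong address
        if (e.proto, e.dst_ip, e.dst_port) in static_keys:
            continue
        if e.dst_ip in inside_hosts:
            findings.append(f"acl {e.dst_ip}:{e.dst_port}: names an inside (real) address; "
                            "pre-8.3 outside ACLs must name the mapped address")
        else:
            findings.append(f"acl {e.dst_ip}:{e.dst_port}: no static translation exists for it")
    return findings


def run_audit(text: str = CONFIG_EXCERPT) -> List[str]:
    statics, acl = parse_config(text)
    return audit(statics, acl)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the box itself the equivalent check for a single flow is `packet-tracer input Outside tcp <source-ip> <source-port> 10.10.10.164 8004`, which walks the ACL and NAT phases and says where a packet would be dropped; the script above is only useful for spotting ACL/static pairs that disagree across a long config.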
 
MikeKane commented:
Config looks ok.  Nothing jumps out at me.  

You might want to issue a CLEAR XLATE and retest.  Make an attempt at the connection, then issue a SHOW LOGGING to look for any dropped traffic.  I don't think you'll see anything here though.  You can then up the logging to debug level, retest, and SHOW LOGGING again.  This time, you should see the attempts incoming to the firewall.

Can these hosts browse outbound?  This will ensure the firewall is connected, with correct routes and gateway to the outside world.
0
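The SHOW LOGGING procedure above produces three distinct pictures for a mapped address, and telling them apart is what decides whether the fault is on the ASA or upstream: a 106023 deny means the packet arrived and the ACL rejected it; a 106100 permit followed by a 302013 "Built inbound TCP connection" means the ACL and the static both worked; and nothing at all for the address, even at debug level, means the packet never reached the ASA, which points at routing or at a stale ARP entry on the ISP router (the cause the poster eventually found). The triage script below is an added example, not part of the thread; it runs over constructed syslog lines in the real ASA 106023/106100/302013 formats, using 203.0.113.5 and 198.51.100.9 as documentation source addresses, and classifies one mapped address and port.

```python
import re
from typing import Dict, List

# Constructed "show logging" output (not from the thread): one attempt denied by the
# ACL, one permitted and translated, and an unrelated outbound connection as noise.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src Outside:203.0.113.5/51514 dst Inside:10.10.10.164/8920 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-106100: access-list outside_access_in permitted tcp Outside/203.0.113.5(51520) -> Inside/10.10.10.164(8004) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 4711 for Outside:203.0.113.5/51520 (203.0.113.5/51520) to Inside:192.168.0.110/3389 (10.10.10.164/8004)
%ASA-6-302013: Built outbound TCP connection 4712 for Outside:198.51.100.9/443 (198.51.100.9/443) to Inside:192.168.0.50/40000 (10.10.10.162/40000)
"""

# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(r"%ASA-\d-106023: Deny (tcp|udp) src \w+:(\S+)/(\d+) dst \w+:(\S+)/(\d+)")
# 106100: access-list <acl> permitted <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>)
PERMIT_RE = re.compile(r"%ASA-\d-106100: access-list \S+ permitted (tcp|udp) \w+/(\S+)\((\d+)\) -> \w+/(\S+)\((\d+)\)")
# 302013: Built inbound TCP connection <id> for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)
BUILT_RE = re.compile(r"%ASA-\d-302013: Built inbound TCP connection \d+ for \w+:\S+/\d+ \(\S+\) "
                      r"to \w+:(\S+)/(\d+) \((\S+)/(\d+)\)")


def triage(log_text: str, mapped_ip: str, mapped_port: int) -> Dict[str, object]:
    """Count what the ASA logged for one mapped address/port and state where the flow stopped."""
    counts = {"denied": 0, "permitted": 0, "built": 0}
    real_targets = set()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group(4) == mapped_ip and int(m.group(5)) == mapped_port:
            counts["denied"] += 1
            continue
        m = PERMIT_RE.search(line)
        if m and m.group(4) == mapped_ip and int(m.group(5)) == mapped_port:
            counts["permitted"] += 1
            continue
        m = BUILT_RE.search(line)
        if m and m.group(3) == mapped_ip and int(m.group(4)) == mapped_port:
            counts["built"] += 1
            real_targets.add(f"{m.group(1)}:{m.group(2)}")  # inside host the static sent it to

    if counts["built"]:
        verdict = "translated: connection built to " + ", ".join(sorted(real_targets))
    elif counts["denied"]:
        verdict = "reaching the ASA but denied by the access-list"
    elif counts["permitted"]:
        verdict = "permitted by the access-list but no connection built: check the static translation"
    else:
        verdict = "no packets for this address seen at the ASA: look upstream (routing, ISP router ARP cache)"
    return {**counts, "targets": sorted(real_targets), "verdict": verdict}


if __name__ == "__main__":
    for port in (8920, 8004, 6666):
        print(port, triage(SAMPLE_LOG, "10.10.10.164", port)["verdict"])
```

The 106100 and 302013 lines only appear once the level is high enough; `logging buffered debugging` raises the level of the buffer that `show logging` displays, and `logging asdm informational` in the posted config is what feeds the ASDM log viewer, not the buffer.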
 
Saineolai commented:
If you are not seeing any traffic hit the Access-List counters, could it be that the external address has been hardcoded to the MAC address of the SmoothWall?  
0
 
NickLarson (Author) commented:
I will run some logs tonight after everyone has left.  We had to put the old firewall back into production.

As for the MAC address, I thought that might be the case as well.  We added a permit ICMP any any for testing purposes and the hit counter on that one was going up, so I know traffic was hitting our firewall.
0
 
Saineolai commented:
Can you add a rule to permit ICMP from any to 10.10.10.164 before the permit icmp any any rule?  That will tell you whether traffic is getting through for the 10.10.10.164 address.
0
 
NickLarson (Author) commented:
Is that going to work, though, since we are only doing PAT on that IP?  Won't the firewall drop that traffic unless there is a 1:1 translation?  Forgive me, it's been about 8 years since I have worked with PIX/ASA.
0
 
Saineolai commented:
That's a very good question, but based on the order of operations in the ASA it should hit the access-list before it finds out that there is only a port mapping and not a static nat in place.  I could be wrong on that though.

I suppose the best thing to do is look at the entry in the access-list for one of the IP addresses that you have both PAT and an ACL in place for.

If you are not seeing anything on that and you are on the interface address of the firewall then it really must be something external to the firewall, or related to ARP and MAC addresses.
0
 
NickLarson (Author) commented:
I was able to resolve this on my own.
0