https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602014#M559889 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply Jennifer,</P><P></P><P>I can confirm that it's.</P><P></P><P>ASA# sh run access-group <BR />access-group DMZ_access_in in interface DMZ<BR />access-group outside_access_in in interface outside</P><P></P><P>The 192.168.1.1 is part of a subnet that is routed to the firewall and not used anywhere else but it's not in the same subnet as the outside interface. The outside interface is 192.168.1.248.0/29.</P><P></P><P>I have also configured Clientless SSL VPN on this ASA and it stopped authenticating users when trying to loing. I had to reboot it and it is fixed now, so not sure why that happened.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 16 Mar 2011 01:37:34 GMT hadisharifi 2011-03-16T01:37:34Z https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602012#M559884 <P>Hi, I am new to ASA specially 8.3. I have configured static NAT with port translation as per the following: The traffic flow is from outside to DMZ on port 3389.</P><P></P><P>Object network Terminal-Server</P><P>host 10.0.22.51</P><P>Object network Streamer</P><P>host 10.0.22.50</P><P></P><P>Object network Terminal-Server</P><P>nat (DMZ,outside) static 192.168.1.1 service tcp 3389 3389</P><P></P><P>Object network Streamer</P><P>nat (DMZ,outside) static 192.168.1.1 service tcp www www</P><P></P><P>access-list outside_access_in extended permit tcp any object Terminal-Server eq 3389</P><P>access-list outside_access_in extended permit tcp any object Streamer eq www</P><P></P><P></P><P>When tryign to RDP to 192.168.1.1 on port 3389 the log on the ASA says:</P><P></P><P>Inbound TCP connection denied from x.x.x.x/52413 to 192.168.1.1/3389 flag SYN on interface outside</P><P></P><P></P><P>Can someone please point what I am doing wrong?</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 20:07:34 GMT https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602012#M559884 hadisharifi 2019-03-11T20:07:34Z https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602013#M559886 <HTML><HEAD></HEAD><BODY><P>Can you confirm if your access-list is applied to the outside interface:</P><P></P><P>access-group outside_access_in in interface outside</P><P></P><P>Also, is 192.168.1.1 a spare ip address in the same subnet as the outside interface?</P></BODY></HTML> Wed, 16 Mar 2011 01:20:35 GMT https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602013#M559886 Jennifer Halim 2011-03-16T01:20:35Z https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602014#M559889 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply Jennifer,</P><P></P><P>I can confirm that it's.</P><P></P><P>ASA# sh run access-group <BR />access-group DMZ_access_in in interface DMZ<BR />access-group outside_access_in in interface outside</P><P></P><P>The 192.168.1.1 is part of a subnet that is routed to the firewall and not used anywhere else but it's not in the same subnet as the outside interface. The outside interface is 192.168.1.248.0/29.</P><P></P><P>I have also configured Clientless SSL VPN on this ASA and it stopped authenticating users when trying to loing. I had to reboot it and it is fixed now, so not sure why that happened.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 16 Mar 2011 01:37:34 GMT https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602014#M559889 hadisharifi 2011-03-16T01:37:34Z https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602015#M559892 <HTML><HEAD></HEAD><BODY><P>Might need to see the complete ACL to see why it's being denied.</P><P>Do you happen to have any "deny" statement above the specific "permit" that might be denying the traffic?</P></BODY></HTML> Wed, 16 Mar 2011 01:47:25 GMT https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602015#M559892 Jennifer Halim 2011-03-16T01:47:25Z https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602016#M559893 <HTML><HEAD></HEAD><BODY><P>Thanks for your help, my bad as I had a nat pool with the IP address used for static NAT. I have removed this nad everyting is working fine.</P><P></P><P>However Clinetless SSL VPN is not authenticating users after a while when they are logged in, it simply says login failed and reprompts for username and password. The same username and password can be used to telnet to ASA and it works fine. Last time I rebooted the ASA which fixed the problem but I can't do this everytime this happens.</P><P></P><P>Do you know what could be causing this?</P><P></P><P>Thanks</P></BODY></HTML> Wed, 16 Mar 2011 02:53:04 GMT https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602016#M559893 hadisharifi 2011-03-16T02:53:04Z https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602017#M559894 <HTML><HEAD></HEAD><BODY><P>How many SSL VPN license do you have?</P><P>Have you exhausted the number of concurrent SSL VPN connections?</P><P></P><P>Can you share a copy of "show version" and also the output of "sh vpn-sessiondb summary"</P></BODY></HTML> Wed, 16 Mar 2011 04:59:11 GMT https://community.cisco.com/t5/network-security/denying-traffic/m-p/1602017#M559894 Jennifer Halim 2011-03-16T04:59:11Z