01-28-2014 03:36 PM - edited 03-11-2019 08:37 PM
Hello,
I have an ASA 5505 Sec Plus with ASA 9.1. This firewall has been set up with a static WAN IP, basic NAT/PAT, ACLs to allow web connectivity, and access to SSH and ASDM enabled. A management PC has been set up with Teamviewer and is directly connected to the firewall and is used for ASDM access. I also have SSH temporarily enabled on the outside for ease of access while I am getting this firewall initially configured.
The day that I configured this device I was able to Teamviewer into the management PC from a different network. I was also able to SSH into the firewall from a different network. I tested this multiple times that day from various networks, and it worked just fine.
A couple of days later I tried to login to the management PC but it appeared to be offline. I then attempted to SSH into the firewall, but I was not able to establish a connection via SSH either. I was not able to go on-site in person to check the firewall, but I had someone at that location confirm that the device was still connected and powered on.
Based on the configs below, does anyone have an idea as to why the connection would suddenly go dead after that first day? Does this sound like a hardware failure? What can I do to further troubleshoot?
Thanks!
asa5505# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname asa5505
domain-name default.domain.invalid
enable password eDNDD7lBLzSPpYwe encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description Inside interface
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0
!
interface Vlan2
description Outside interface
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.240
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 208.67.222.222
name-server 75.75.75.75
domain-name default.domain.invalid
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-subnet
subnet 10.10.10.0 255.255.255.0
object-group service Internet-udp udp
description Standard UDP Internet services
port-object eq domain
port-object eq ntp
object-group service Internet-tcp tcp
description Standard TCP Internet services
port-object eq www
port-object eq https
port-object eq domain
access-list inside-in remark -=[Access lists to allow Internet TCP/UDP outgoing packets from inside interface]=-
access-list inside-in extended permit udp 10.10.10.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 10.10.10.0 255.255.255.0 any object-group Internet-tcp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network inside-subnet
nat (inside,outside) dynamic interface
access-group inside-in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 10.10.10.1 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username xxxxxxx password wwmM/Ms2vq88kRD4 encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:56f0ee6b06aef749dc1dda4197bbd2cc
: end
01-28-2014 04:43 PM
Hello Austin,
Well you have SSH enabled on the outside
ssh 0.0.0.0 0.0.0.0 outside
My recommendation is to take a capture while trying to connect
capture capout interface outside match tcp any host x.x.x.x (ASA IP Address) eq 22
For access to the Inside host from the internet you will need to have a static NAT configured or a port-forwarding that allows access from Out to In to a public IP address.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-28-2014 07:51 PM
Julio,
Thanks for the suggestions.
My understanding is that Teamviewer runs over http (port 80). As you can see in the "Internet-tcp" object group, http is being allowed. In my initial tests I was able to connect to the internet just fine from the Teamviewer host, and I was also able to remote in to the Teamviewer host from a different network. Since Teamviewer runs over http, do I really need a static NAT?
Thanks!
01-28-2014 08:17 PM
After re-visiting the configs again I am thinking that there is an issue with my NAT statement. Currently I have nat (inside,outside) dynamic interface. Since my outside interface has a static IP assigned I am thinking that this command should be replaced with nat (inside,outside) static interface.
Can anyone confirm whether this is the case?
Thanks!
01-28-2014 08:24 PM
No,
That's not the case.
You have an internal address range of 10.10.10.x
This is a private range.
In order for you to access your PC from the internet, your PC should look like a public IP address.
Do the following
object network Team-Viewer
host 10.10.10.x (team viewer PC IP)
exit
object service TCP_80
service tcp source eq 80
exit
nat (inside,outside) source static Team-Viewer interface service TCP_80 TCP_80
access-list outside_in permit tcp any host 10.10.10.x (Team Viewer PC IP address) eq 80
access-group outside_in in interface outside
With this anyone will be able to open a TCP connection to that Team Viewer PC over port 80
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-29-2014 09:21 PM
Julio,
Thanks again for the help.
That would work, but isn't this a static NAT? I wouldn't want to use a static NAT to the Teamviewer host because then all of my web traffic would be directed towards that single host. That's not going to work.
Do I need to open up port 80 to any inside destination?
Thanks!
01-29-2014 10:12 PM
Hello,
All web traffic from the outside to the inside. Not from the inside to the outside.
I do not see any HTTP server configuration on your ASA so it would not affect.
That being said, only opening the port will not work. You already have the solution; let me know if you need something else.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-31-2014 10:08 AM
Julio,
Thanks for the simple explanation. Instead of using Teamviewer, I switched to UltraVNC, so I replaced port 80 with 5900. Your commands worked great - VNC from remote is working just fine. Here is what I ended up applying to the firewall:
object network VNC
host 10.10.10.x
exit
object service TCP_5900
service tcp source eq 5900
exit
nat (inside,outside) source static VNC interface service TCP_5900 TCP_5900
access-list outside_in permit tcp any host 10.10.10.x eq 5900
access-group outside_in in interface outside
Thanks again!
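The accepted answer says it plainly: with `permit tcp any host ... eq 5900` applied inbound on the outside interface, anyone on the internet can open a connection to the VNC host, and the posted `show run` additionally allows SSH to the firewall from `0.0.0.0 0.0.0.0` on the outside with the `dh-group1-sha1` key-exchange group. The following script is an added example, not part of the thread or of Cisco's tooling: it parses the management-access and ACL lines of an ASA running-config and reports anything reachable from any source on the outside interface, together with a replacement line restricted to an administrator network. The sample config is constructed from the thread's posted lines; the VNC host address (10.10.10.20) and the administrator network 203.0.113.0/24 (an RFC 5737 documentation range) are placeholders, since the thread masks the real values.

```python
"""Audit management-plane exposure in a Cisco ASA running-config (added example)."""
import re
from ipaddress import ip_network

# Constructed sample: the relevant lines from the thread's `show run`, plus the
# port-forward the poster applied at the end. 10.10.10.20 stands in for the
# masked VNC host address.
SAMPLE_CONFIG = """\
ssh 10.10.10.1 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
telnet timeout 5
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
access-list outside_in permit tcp any host 10.10.10.20 eq 5900
access-group outside_in in interface outside
"""

ANY_SOURCE = ("0.0.0.0", "0.0.0.0")
IPV4 = r"\d+\.\d+\.\d+\.\d+"

# "ssh|telnet|http <ip> <mask> <interface>": who may reach the management plane.
MGMT_RE = re.compile(rf"^(ssh|telnet|http) ({IPV4}) ({IPV4}) (\S+)$")
# Inbound port-forward rule: "access-list <name> permit <proto> <src> host <ip> eq <port>".
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) (any|host \S+|\S+ \S+) host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
KEX_RE = re.compile(r"^ssh key-exchange group (\S+)$")


def outside_acls(lines):
    """Names of ACLs applied inbound on the interface named 'outside'."""
    return {m.group(1) for m in map(GROUP_RE.match, lines) if m and m.group(2) == "outside"}


def audit(config, mgmt_net="203.0.113.0/24"):
    """Return (severity, offending line, suggested replacement) for each exposure.

    mgmt_net is the assumed administrator source network used in the suggestions.
    """
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    net = ip_network(mgmt_net)
    acls = outside_acls(lines)
    findings = []
    for line in lines:
        m = MGMT_RE.match(line)
        if m:
            proto, ip, mask, iface = m.groups()
            # Management access from any source on the untrusted interface.
            if (ip, mask) == ANY_SOURCE and iface == "outside":
                findings.append(("high", line, f"{proto} {net.network_address} {net.netmask} {iface}"))
            continue
        m = KEX_RE.match(line)
        if m and m.group(1) == "dh-group1-sha1":
            # 1024-bit group 1; ASA 9.1 also offers dh-group14-sha1 (2048-bit).
            findings.append(("medium", line, "ssh key-exchange group dh-group14-sha1"))
            continue
        m = ACL_RE.match(line)
        if m and m.group(1) in acls and m.group(3) == "any":
            # Port-forward open to the whole internet; constrain the source.
            name, proto, _, host, port = m.groups()
            findings.append(("medium", line,
                             f"access-list {name} permit {proto} {net.network_address} {net.netmask} host {host} eq {port}"))
    return findings


def has_open_management(config):
    """True if the firewall's own management plane is reachable from any outside source."""
    return any(sev == "high" for sev, _, _ in audit(config))


if __name__ == "__main__":
    for sev, line, fix in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {line}\n        -> {fix}")
```

Run against the sample, the script reports the `ssh 0.0.0.0 0.0.0.0 outside` line as high severity and the key-exchange group and the `any`-source VNC rule as medium, each with a line that keeps the poster's working port-forward but limits it to the administrator network. The interface name is matched literally as `outside`, as in the posted config; a config that names its untrusted interface differently needs that string adjusted.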