ASA 5505 no able to connect from outside

GQconnection
Level 1

I am able to access the internet but unable to connect to the servers behind the ASA. I can ping the router but I cannot ping the outside addresses I assigned to the servers. I want to use RDP to connect to the servers inside from the outside... HELP!

ASA Version 8.2(5)
!
hostname Kronos-Router
domain-name VIBES.Com
enable password DfAs0PFRiL encrypted
passwd DfAs0PFRiL encrypted
names
name 10.128.x.x MDS
name 10.128.x.x RouterAddress
name 10.128.x.x StaticGateway
name 192.168.x.x MDS_Server
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.x.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address RouterAddress 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server MDS_Server
 domain-name VIBES.Com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_0 tcp
 group-object RDP
 port-object eq www
 port-object eq https
access-list Inside extended permit icmp host MDS_Server host MDS
access-list inside extended permit tcp any host MDS eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 10201
access-list outside_access_in extended permit tcp any any
access-list outside extended permit tcp any interface inside eq 3389
access-list outside_access_in_1 extended permit tcp any host MDS object-group DM_INLINE_TCP_0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.x.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 MDS_Server 3389 netmask 255.255.255.255
static (outside,inside) tcp MDS_Server 10201 MDS 10201 netmask 255.255.255.255
static (inside,outside) MDS MDS_Server netmask 255.255.255.255
!
router rip
!
route outside 0.0.0.0 0.0.0.0 StaticGateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server session-timeout 15
http 192.168.x.0 255.255.255.0 inside
snmp-server host inside MDS_Server poll community ***** version 2c
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca server
 shutdown
telnet 192.168.x.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 15
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server MDS_Server source inside prefer
webvpn
username cisco password miP9X7Qu1 encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3f58ff817809eec74bdb046658ced63a
: end

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I am not sure if this ASA is behind another NAT device that is connected to the Internet or if this is some internal firewall or just a lab setup.

Seems to me that your main problem is that you have not attached any ACL to the external interface to allow this traffic.

It would seem that you would only need the following "static" command of the ones you have listed.

static (inside,outside) MDS MDS_Server netmask 255.255.255.255

You should then build an ACL to allow the traffic to this server for the required ports.

access-list OUTSIDE-IN permit icmp any host echo

access-list OUTSIDE-IN permit tcp any host eq 3389

access-list OUTSIDE-IN permit tcp any host eq 10201

Then you would attach this ACL to the interface with the following command

access-group OUTSIDE-IN in interface outside

- Jouni

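The accepted answer's diagnosis (no `access-group` binding an ACL to the outside interface, so inbound connections are denied whatever the `static` entries say) is the kind of thing that is easy to check mechanically before opening a thread. The script below is an added example, not code from this thread or from Cisco: it parses the subset of ASA 8.2 syntax used above from plain config text and reports ACLs that are defined but never bound, lower-security interfaces with no inbound ACL, `permit <proto> any any` rules that would expose everything if the ACL were ever bound (the original config has one in `outside_access_in`), and rules whose `host` keyword has no address after it. The two embedded configs are constructed samples in the style of the question and of the fix; the names `MDS` and `MDS_Server` are copied from the thread as placeholders.

```python
"""Static audit of an ASA 8.2-style configuration (added example, not the
thread's or Cisco's code). Understands only the ACL, access-group, static
and interface syntax used in the thread.
"""
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+)(.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
STATIC_RE = re.compile(r"^static \(([^,]+),([^)]+)\) (.+)$")
# Tokens that belong after the destination; one of these where an address should be means the address is missing.
SERVICE_KEYWORDS = {"eq", "neq", "gt", "lt", "range", "object-group", "echo", "echo-reply", "log"}

# Constructed samples in the style of the question (placeholder names, not real hosts).
IFACES = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
"""
# Before the fix: several ACLs and statics, but no access-group anywhere.
BROKEN_CONFIG = IFACES + """\
access-list inside extended permit tcp any host MDS eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any any
access-list outside_access_in_1 extended permit tcp any host MDS object-group DM_INLINE_TCP_0
access-list OUTSIDE-IN permit tcp any host eq 3389
static (inside,outside) tcp interface 3389 MDS_Server 3389 netmask 255.255.255.255
static (inside,outside) MDS MDS_Server netmask 255.255.255.255
"""
# After the accepted answer's fix: one static, one specific ACL, bound inbound on outside.
FIXED_CONFIG = IFACES + """\
access-list OUTSIDE-IN extended permit icmp any host MDS echo
access-list OUTSIDE-IN extended permit tcp any host MDS eq 3389
access-list OUTSIDE-IN extended permit tcp any host MDS eq 10201
access-group OUTSIDE-IN in interface outside
static (inside,outside) MDS MDS_Server netmask 255.255.255.255
"""


def _take_address(tokens):
    """Consume one address spec: any | host X | interface X | object-group X | NET MASK."""
    if not tokens:
        return "<missing>"
    first = tokens.pop(0)
    if first == "any":
        return "any"
    if not tokens or tokens[0] in SERVICE_KEYWORDS:
        return f"{first} <missing>"  # keyword present but its argument was dropped
    return f"{first} {tokens.pop(0)}"


def parse_config(text):
    """Collect interface security levels, ACL rules, access-groups and statics."""
    cfg = {"security": {}, "acls": defaultdict(list), "groups": [], "statics": []}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
            cfg["security"].setdefault(nameif, None)
        elif line.startswith("security-level ") and nameif:
            cfg["security"][nameif] = int(line.split()[1])
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src, dst = _take_address(tokens), _take_address(tokens)
            cfg["acls"][name].append({"action": action, "proto": proto, "src": src,
                                      "dst": dst, "service": " ".join(tokens)})
        elif m := GROUP_RE.match(line):
            cfg["groups"].append({"acl": m.group(1), "dir": m.group(2), "iface": m.group(3)})
        elif m := STATIC_RE.match(line):
            cfg["statics"].append((m.group(1), m.group(2), m.group(3)))
    return cfg


def audit(text):
    """Return the findings a reviewer would raise on this config."""
    cfg = parse_config(text)
    bound = {g["acl"] for g in cfg["groups"]}
    inbound = {g["iface"] for g in cfg["groups"] if g["dir"] == "in"}
    rules = [(name, r) for name, rs in cfg["acls"].items() for r in rs]
    return {
        "unbound_acls": sorted(set(cfg["acls"]) - bound),
        # Traffic arriving on a lower-security interface needs an inbound ACL to be allowed at all.
        "ifaces_without_inbound_acl": sorted(i for i, lvl in cfg["security"].items()
                                            if lvl is not None and lvl < 100 and i not in inbound),
        "permit_any_any": sorted((n, r["proto"]) for n, r in rules
                                 if r["action"] == "permit" and r["src"] == "any" and r["dst"] == "any"),
        "incomplete_rules": sorted({n for n, r in rules if "<missing>" in r["src"] + r["dst"]}),
        "statics": len(cfg["statics"]),
    }


if __name__ == "__main__":
    for label, text in (("before fix", BROKEN_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, audit(text))
```

Run it as-is and the "before fix" report lists every ACL as unbound, `outside` as having no inbound ACL, the `permit tcp any any` rule, and the rule with the dropped host address; the "after fix" report is empty apart from the single remaining static. To audit a real device, paste the output of `show running-config` into a file and pass its contents to `audit()`.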

2 Replies

Thanks JouniForss

I applied the changes and that corrected the issue.

Also, I added the following line for the RDP connection:

access-list outside_access extended permit tcp any host object-group RDP

I am able to connect remotely to the server now.
