Cisco ASA 5510 cannot connect to site through appliance

dancumming
Level 1

Good morning,

I have an @Remote appliance through Ricoh for our copiers. This appliance connects to their site to transfer meter readings and other information. This appliance can't connect to their site to transmit data. Ricoh is telling me the problem is on our firewall. I have assigned the Ricoh appliance a static IP address in our network. Our firewall is a Cisco ASA 5510. I don't have much experience with logging on the ASA, so I'm not sure what "teardown dynamic TCP translation from inside" means. Is there something that is preventing this IP from contacting the Ricoh site?

Here is the live log when I try to make the connection. I have filtered it for the address of the appliance, which is 172.16.1.135.

6|Mar 22 2011 08:55:58|305012: Teardown dynamic TCP translation from inside:172.16.1.135/60407 to outside:208.39.161.66/21292 duration 0:00:30
6|Mar 22 2011 08:55:55|305012: Teardown dynamic TCP translation from inside:172.16.1.135/43888 to outside:208.39.161.66/21289 duration 0:00:30
6|Mar 22 2011 08:55:51|305012: Teardown dynamic TCP translation from inside:172.16.1.135/54308 to outside:208.39.161.66/21284 duration 0:00:30
6|Mar 22 2011 08:55:48|305012: Teardown dynamic TCP translation from inside:172.16.1.135/35539 to outside:208.39.161.66/21282 duration 0:00:30
6|Mar 22 2011 08:55:47|305012: Teardown dynamic ICMP translation from inside:172.16.1.135/796 to outside:208.39.161.66/13 duration 0:00:30
6|Mar 22 2011 08:55:28|302014: Teardown TCP connection 312519 for outside:210.173.216.40/443 to inside:172.16.1.135/60407 duration 0:00:00 bytes 91 TCP Reset-I
6|Mar 22 2011 08:55:28|302013: Built outbound TCP connection 312519 for outside:210.173.216.40/443 (210.173.216.40/443) to inside:172.16.1.135/60407 (208.39.161.66/21292)
6|Mar 22 2011 08:55:28|305011: Built dynamic TCP translation from inside:172.16.1.135/60407 to outside:208.39.161.66/21292
6|Mar 22 2011 08:55:25|302014: Teardown TCP connection 312496 for outside:210.173.216.40/443 to inside:172.16.1.135/43888 duration 0:00:00 bytes 91 TCP Reset-I
6|Mar 22 2011 08:55:25|302013: Built outbound TCP connection 312496 for outside:210.173.216.40/443 (210.173.216.40/443) to inside:172.16.1.135/43888 (208.39.161.66/21289)
6|Mar 22 2011 08:55:25|305011: Built dynamic TCP translation from inside:172.16.1.135/43888 to outside:208.39.161.66/21289
6|Mar 22 2011 08:55:22|302014: Teardown TCP connection 312371 for outside:210.173.216.40/443 to inside:172.16.1.135/54308 duration 0:00:00 bytes 91 TCP Reset-I
6|Mar 22 2011 08:55:21|302013: Built outbound TCP connection 312371 for outside:210.173.216.40/443 (210.173.216.40/443) to inside:172.16.1.135/54308 (208.39.161.66/21284)
6|Mar 22 2011 08:55:21|305011: Built dynamic TCP translation from inside:172.16.1.135/54308 to outside:208.39.161.66/21284
6|Mar 22 2011 08:55:19|302021: Teardown ICMP connection for faddr 210.173.216.40/0 gaddr 208.39.161.66/13 laddr 172.16.1.135/796
6|Mar 22 2011 08:55:18|302014: Teardown TCP connection 312258 for outside:210.173.216.40/443 to inside:172.16.1.135/35539 duration 0:00:00 bytes 91 TCP Reset-I
6|Mar 22 2011 08:55:18|302013: Built outbound TCP connection 312258 for outside:210.173.216.40/443 (210.173.216.40/443) to inside:172.16.1.135/35539 (208.39.161.66/21282)
6|Mar 22 2011 08:55:18|305011: Built dynamic TCP translation from inside:172.16.1.135/35539 to outside:208.39.161.66/21282
6|Mar 22 2011 08:55:17|302020: Built outbound ICMP connection for faddr 210.173.216.40/0 gaddr 208.39.161.66/13 laddr 172.16.1.135/796
6|Mar 22 2011 08:55:17|305011: Built dynamic ICMP translation from inside:172.16.1.135/796 to outside:208.39.161.66/13
6|Mar 22 2011 08:54:54|305012: Teardown dynamic ICMP translation from inside:172.16.1.135/794 to outside:208.39.161.66/12 duration 0:00:30
6|Mar 22 2011 08:54:26|302021: Teardown ICMP connection for faddr 210.173.216.40/0 gaddr 208.39.161.66/12 laddr 172.16.1.135/794
6|Mar 22 2011 08:54:24|302020: Built outbound ICMP connection for faddr 210.173.216.40/0 gaddr 208.39.161.66/12 laddr 172.16.1.135/794
6|Mar 22 2011 08:54:24|305011: Built dynamic ICMP translation from inside:172.16.1.135/794 to outside:208.39.161.66/12

Here is the config for my ASA

Bordentown-PIX# show run
: Saved
:
ASA Version 7.0(8)
!
hostname Bordentown-PIX
domain-name bordentown.k12.nj.us
enable password A8EW9svYyTEcA4Ua encrypted
passwd A8EW9svYyTEcA4Ua encrypted
no names
name 172.16.1.41 BRSDPROXY
name 172.16.1.253 Voice_conf
name 208.39.161.68 Voice_conf_out
name 172.16.1.8 bordentownfs2
name 172.16.1.43 btprx
name 172.16.1.6 pri_ComCastMail
name 172.16.1.201 pri_bordentodell1
name 172.16.1.22 pri_brvstream
name 172.16.1.26 pri_remoteacc
name 172.16.1.200 pri_service_2
name 208.39.161.70 pub_ComCastMail
name 208.39.161.67 pub_bordentdell1
name 208.39.161.73 pub_bordentownfs2
name 208.39.161.72 pub_brvstream
name 208.39.161.76 pub_bsdinfosys
name 208.39.161.74 pub_remoteacc
name 208.39.161.69 pub_service_2
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 208.39.161.66 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.5.1 255.255.0.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
object-group service wwww tcp
port-object eq www
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp host 172.16.1.22 eq 8002 any
access-list inside_access_in extended permit tcp host 172.16.1.22 eq domain any
access-list inside_access_in extended permit tcp host 172.16.1.22 eq www any
access-list inside_access_in extended permit tcp host 172.16.1.135 eq https any
access-list inside_access_in extended permit tcp host 172.16.1.135 eq www any
access-list acl_in extended permit icmp any any
access-list acl_out extended permit icmp any any
access-list acl_out extended permit ip host 172.16.1.22 any
access-list acl_out extended permit ip host 172.16.1.43 any
access-list acl_out extended permit ip host 172.16.1.201 any
access-list acl_out extended permit ip host 172.16.1.51 any
access-list acl_out extended permit ip host 172.16.1.52 any
access-list acl_out extended permit ip host 172.16.1.53 any
access-list acl_out extended permit tcp any host 208.39.161.72 eq www
access-list acl_out extended permit ip host 172.16.1.226 any
access-list acl_out extended permit ip host 172.16.1.242 any
access-list acl_out extended permit ip host 172.16.1.1 any
access-list acl_out extended permit ip host 172.16.2.9 any
access-list acl_out extended permit ip host 172.16.1.6 any
access-list acl_out extended permit ip host 172.16.1.8 any
access-list acl_out extended permit ip host 172.16.1.35 any
access-list acl_out extended permit ip host 172.16.1.41 any
access-list acl_out extended permit ip host 172.16.1.230 any
access-list acl_out extended permit ip host 172.16.1.231 any
access-list acl_out extended permit ip host 172.16.1.200 any
access-list acl_out extended permit ip host 172.16.1.48 any
access-list acl_out extended permit ip host 172.16.1.24 any
access-list acl_out extended permit ip host 172.16.1.26 any
access-list acl_out extended permit ip host 172.16.1.250 any
access-list acl_out extended permit ip host 172.16.3.36 any
access-list acl_out extended permit ip host 172.16.4.110 any
access-list acl_out extended permit ip host 172.16.1.240 any
access-list acl_out extended permit ip host 172.16.1.229 any
access-list acl_out extended permit ip host 192.168.0.2 any
access-list acl_out extended permit ip host 172.16.1.241 any
access-list acl_out extended permit ip host 172.16.1.221 any
access-list acl_out extended permit ip host 172.16.1.222 any
access-list acl_out extended permit ip host 172.16.1.223 any
access-list acl_out extended permit ip host 172.16.1.224 any
access-list acl_out extended permit ip host 172.16.1.225 any
access-list acl_out extended permit ip host 172.16.1.227 any
access-list acl_out extended permit ip host 172.16.1.228 any
access-list acl_out extended permit ip host 172.16.1.232 any
access-list acl_out extended permit ip host 172.16.1.233 any
access-list acl_out extended permit ip host 172.16.1.234 any
access-list acl_out extended permit ip host 172.16.1.235 any
access-list acl_out extended permit ip host 172.16.1.243 any
access-list acl_out extended permit ip host 172.16.2.118 any
access-list acl_out extended permit ip host 172.16.1.130 any
access-list acl_out extended permit ip host 172.16.1.131 any
access-list acl_out extended permit ip host 172.16.1.132 any
access-list acl_out extended permit ip host 172.16.1.7 any
access-list acl_out extended permit ip host 172.16.1.202 any
access-list acl_out extended permit ip host 192.168.0.3 any
access-list acl_out extended permit ip host 172.16.2.177 any
access-list acl_out extended permit ip host 172.16.1.253 any
access-list acl_out extended permit ip host 172.16.1.14 any
access-list acl_out extended permit tcp any host 172.16.3.135 eq 5806
access-list acl_out extended permit tcp any host 172.16.1.31 eq ssh
access-list acl_out extended permit ip host 172.16.5.17 any
access-list acl_out extended permit ip host 172.16.5.18 any
access-list acl_out extended permit ip host 172.16.1.135 any
access-list dns extended permit udp any any
access-list dnstcp extended permit tcp any any
access-list dmz_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 208.39.161.73 eq www
access-list outside_acl extended permit tcp any host 208.39.161.70 eq smtp
access-list outside_acl extended permit tcp any host 208.39.161.70 eq pop3
access-list outside_acl extended permit tcp any host 208.39.161.70 eq imap4
access-list outside_acl extended permit tcp any host 208.39.161.70 eq 444
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit tcp any host 208.39.161.70 eq www
access-list outside_acl extended permit tcp any host 208.39.161.70 eq ssh
access-list outside_acl extended permit tcp any host 208.39.161.67 eq 3389
access-list outside_acl extended permit tcp any host 208.39.161.70 eq irc
access-list outside_acl extended permit tcp any host 208.39.161.72 eq www
access-list outside_acl extended permit tcp any host 208.39.161.74 eq www
access-list outside_acl extended permit tcp any host 208.39.161.74 eq 3389
access-list outside_acl extended permit tcp any host 208.39.161.74 eq 8080
access-list outside_acl extended permit tcp any host 208.39.161.74 eq 1755
access-list outside_acl extended permit tcp any host 208.39.161.73 eq 3101
access-list outside_acl extended permit tcp any host 208.39.161.73 eq www
access-list outside_acl extended permit tcp any host 208.39.161.67 eq www
access-list outside_acl extended permit tcp any host 208.39.161.68 eq smtp
access-list outside_acl extended permit tcp any host 208.39.161.68 eq www
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 3389
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 407
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 1417
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 1418
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 1419
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 1420
access-list outside_acl extended permit udp any host 208.39.161.76 eq 1417
access-list outside_acl extended permit udp any host 208.39.161.76 eq 1418
access-list outside_acl extended permit udp any host 208.39.161.76 eq 1419
access-list outside_acl extended permit udp any host 208.39.161.76 eq 1420
access-list outside_acl extended permit udp any host 208.39.161.76 eq 407
access-list outside_acl extended permit tcp any host 208.39.161.76 eq https
access-list outside_acl extended permit tcp any host 208.39.161.76 eq www
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 7880
access-list outside_acl extended permit tcp any host 208.39.161.76 eq smtp
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 8080
access-list outside_acl extended permit udp any host 208.39.161.76 eq 8080
access-list outside_acl extended permit udp any host 208.39.161.72 eq 444
access-list outside_acl extended permit tcp any host 208.39.161.72 eq 444
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 444
access-list outside_acl extended permit udp any host 208.39.161.76 eq 444
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 4125
access-list outside_acl extended permit udp any host 208.39.161.76 eq 4125
access-list outside_acl extended permit tcp any host 208.39.161.70 eq 3389
access-list outside_acl extended permit tcp any host 208.39.161.70 eq https
access-list outside_acl extended permit udp any host 208.39.161.72 eq www
access-list outside_acl extended permit udp any host 208.39.161.70 eq 443
access-list outside_acl extended permit tcp any host 208.39.161.66 eq https
access-list outside_acl extended permit udp any host 208.39.161.66 eq 443
access-list outside_acl extended permit tcp any host 208.39.161.75 eq smtp
access-list outside_acl extended permit udp any host 208.39.161.75 eq 25
access-list outside_acl extended permit tcp any host 208.39.161.66 eq smtp
access-list outside_acl extended permit tcp any host 208.39.161.68 eq https
access-list outside_acl extended permit tcp any host 208.39.161.70 eq 81
access-list outside_acl extended permit tcp any host 208.39.161.70 eq 6891
access-list outside_acl extended permit tcp any host 208.39.161.67 eq 5641
access-list outside_acl extended permit udp any host 208.39.161.67 eq 5641
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 4550
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 5550
access-list outside_acl extended permit tcp any host 208.39.161.74 eq 2512
access-list outside_acl extended permit tcp any host 208.39.161.74 eq 2513
access-list outside_acl extended permit tcp any host 208.39.161.72 eq 1701
access-list outside_acl extended permit tcp any host 208.39.161.74 eq 1701
access-list outside_acl extended permit tcp any host 208.39.161.74 eq 1702
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 1702
access-list outside_acl extended permit tcp any host 208.39.161.76 eq 1701
access-list outside_acl extended permit tcp any host 208.39.161.67 eq 210
access-list outside_acl extended permit tcp any host 208.39.161.67 eq 7090
access-list outside_acl extended permit tcp any host 208.39.161.67 eq 5151
access-list outside_acl extended permit tcp any host 208.39.161.68 eq 210
access-list outside_acl extended permit tcp any host 208.39.161.68 eq 7090
access-list outside_acl extended permit tcp any host 208.39.161.68 eq 5151
access-list outside_acl extended permit tcp any host 208.39.161.68 eq h323
access-list outside_acl extended permit tcp any host 208.39.161.68 eq 555
access-list outside_acl extended permit tcp any host 208.39.161.68 eq 556
access-list outside_acl extended permit tcp any host 208.39.161.68 eq 1718
access-list outside_acl extended permit udp any host 208.39.161.68 eq 1719
access-list outside_acl extended permit tcp any host 208.39.161.71 eq https
access-list outside_acl extended permit tcp any host 208.39.161.69 eq smtp
access-list outside_acl extended permit tcp any host 208.39.161.69 eq pop3
access-list outside_acl extended permit tcp any host 208.39.161.69 eq imap4
access-list outside_acl extended permit tcp any host 208.39.161.69 eq www
access-list outside_acl extended permit tcp any host 208.39.161.69 eq citrix-ica
access-list outside_acl extended permit tcp any host 208.39.161.69 eq 1604
access-list outside_acl extended permit tcp any host 208.39.161.69 eq 1023
access-list outside_acl extended permit tcp any host 208.39.161.69 eq 1431
access-list outside_acl extended permit tcp any host 208.39.161.69 eq 8081
access-list outside_acl extended permit tcp any host 208.39.161.66 eq ftp
access-list outside_acl extended permit tcp any host 208.39.161.75 eq ftp
access-list outside_acl extended permit tcp any host 208.39.161.66 eq ftp-data
access-list outside_acl extended permit tcp any host 172.17.1.103 eq smtp
access-list outside_acl extended permit tcp any host 172.17.1.103 eq imap4
access-list outside_acl extended permit tcp any host 208.39.161.75 eq 4125
access-list outside_acl extended permit tcp any host 208.39.161.65 eq 4125
access-list outside_acl extended permit udp any host 208.39.161.65 eq 4125
access-list outside_acl extended permit udp any host 208.39.161.66 eq 4125
access-list outside_acl extended permit tcp any host 208.39.161.66 eq 4125
access-list outside_acl extended permit tcp any host 208.39.161.66 eq 3389
access-list outside_acl extended permit tcp any host 208.39.161.65 eq 3389
access-list outside_acl extended permit tcp any host 208.39.161.75 eq 3389
access-list outside_acl extended permit tcp any host 208.39.161.75 eq 5806
access-list outside_acl extended permit tcp any host 208.39.161.65 eq 5806
access-list outside_acl extended permit udp any host 208.39.161.65 eq 5806
access-list outside_acl extended permit udp any host 208.39.161.75 eq 5806
access-list outside_acl extended permit tcp any host 208.39.161.71 eq ssh
pager lines 24
logging enable
logging list high-priority level errors
logging asdm informational
logging from-address administrator@bordentown.k12.nj.us
logging recipient-address administrator@bordentown.k12.nj.us level errors
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 208.39.161.73 netmask 255.255.255.255
nat (inside) 3 172.16.1.7 255.255.255.255
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 1 172.17.0.0 255.255.0.0
nat (DMZ) 1 192.168.0.0 255.255.255.0
static (inside,outside) 208.39.161.74 172.16.1.26 netmask 255.255.255.255
static (inside,outside) 208.39.161.75 172.16.1.43 netmask 255.255.255.255
static (inside,outside) 208.39.161.67 172.16.1.201 netmask 255.255.255.255
static (inside,outside) 208.39.161.72 172.16.1.22 netmask 255.255.255.255
static (inside,outside) 208.39.161.69 172.16.1.200 netmask 255.255.255.255
static (inside,outside) 208.39.161.76 172.16.1.242 netmask 255.255.255.255
static (inside,outside) 208.39.161.70 172.16.1.6 netmask 255.255.255.255
static (inside,outside) 208.39.161.73 172.16.1.8 netmask 255.255.255.255
static (inside,outside) 208.39.161.68 172.16.1.35 netmask 255.255.255.255
static (inside,outside) 208.39.161.71 172.16.1.31 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 208.39.161.66 1
route inside 172.30.0.0 255.255.0.0 172.16.6.1 1
route inside 172.17.0.0 255.255.0.0 172.16.6.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 208.39.161.65 255.255.255.255 inside
telnet 208.39.161.64 255.255.255.252 inside
telnet 172.16.0.0 255.255.0.0 inside
telnet 208.39.161.65 255.255.255.255 DMZ
telnet 208.39.161.64 255.255.255.252 DMZ
telnet timeout 30
ssh 63.214.17.0 255.255.255.0 outside
ssh 68.44.187.221 255.255.255.255 outside
ssh 65.217.171.0 255.255.255.0 outside
ssh 68.81.65.0 255.255.255.0 outside
ssh timeout 45
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect rsh
  inspect rtsp
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect ftp
!
service-policy global_policy global
smtp-server 172.16.1.6
Cryptochecksum:65bcb0e163783400f6c65c2b8a780d0f
: end

Any help would be appreciated.  Thank you!

4 Replies

Jennifer Halim
Cisco Employee

Is Ricoh expecting a specific public IP address, or are they accepting any public IP address?

I can see that you have configured static NAT translation for the appliance:

static (inside,outside) 208.39.161.68 172.16.1.35 netmask 255.255.255.255

However, it still uses the dynamic translation to 208.39.161.66. Can you please advise if you have cleared the translation after making changes to the static NAT statement? If you haven't, try to clear: clear local 172.16.1.35

Is the connection outbound or inbound?

The syslog messages look OK. It gets torn down because it didn't seem to get any replies back.
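As an added example (not code from the thread or from Cisco), here is a small Python script that pairs the ASA 302013 "Built" and 302014 "Teardown" messages by connection id and explains each teardown using Cisco's documented reason codes (Reset-I is an RST from the inside host, Reset-O an RST from the outside host, FINs a normal close), run over constructed lines in the same format as the log posted above. The 305011/305012 translation messages record the PAT entry being created and later expiring, so the script ignores them.

```python
import re
from collections import OrderedDict

# Constructed sample in the same "level|timestamp|msgid: text" form as the thread's ASA log.
# The first four lines reproduce one failed attempt from the post; the last two are a
# constructed healthy session for contrast (not from the original log).
SAMPLE_LOG = """\
6|Mar 22 2011 08:55:28|305011: Built dynamic TCP translation from inside:172.16.1.135/60407 to outside:208.39.161.66/21292
6|Mar 22 2011 08:55:28|302013: Built outbound TCP connection 312519 for outside:210.173.216.40/443 (210.173.216.40/443) to inside:172.16.1.135/60407 (208.39.161.66/21292)
6|Mar 22 2011 08:55:28|302014: Teardown TCP connection 312519 for outside:210.173.216.40/443 to inside:172.16.1.135/60407 duration 0:00:00 bytes 91 TCP Reset-I
6|Mar 22 2011 08:55:58|305012: Teardown dynamic TCP translation from inside:172.16.1.135/60407 to outside:208.39.161.66/21292 duration 0:00:30
6|Mar 22 2011 09:01:02|302013: Built outbound TCP connection 312700 for outside:210.173.216.40/443 (210.173.216.40/443) to inside:172.16.1.135/60500 (208.39.161.66/21300)
6|Mar 22 2011 09:01:14|302014: Teardown TCP connection 312700 for outside:210.173.216.40/443 to inside:172.16.1.135/60500 duration 0:00:12 bytes 5410 TCP FINs
"""

# 302013: real remote socket, real local socket and the PAT (mapped) socket in parentheses.
BUILT = re.compile(
    r"\|302013: Built outbound TCP connection (?P<cid>\d+) for "
    r"(?P<rif>\w+):(?P<remote>[\d.]+/\d+) \([\d./]+\) to "
    r"(?P<lif>\w+):(?P<local>[\d.]+/\d+) \((?P<mapped>[\d.]+/\d+)\)")
# 302014: duration h:mm:ss, payload byte count and the teardown reason text.
TORN = re.compile(
    r"\|302014: Teardown TCP connection (?P<cid>\d+) for .* duration "
    r"(?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$")

def correlate(log_text):
    """Pair each 302013 build with its 302014 teardown by connection id.
    305011/305012 xlate messages are skipped: they only show the PAT entry being
    created and, as the 0:00:30 duration shows, expiring after the connection closed."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m["cid"]] = {"remote": m["remote"], "local": m["local"],
                               "mapped": m["mapped"], "duration_s": None,
                               "bytes": None, "reason": None}
            continue
        m = TORN.search(line)
        if m and m["cid"] in conns:
            c = conns[m["cid"]]
            c["duration_s"] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            c["bytes"] = int(m["bytes"])
            c["reason"] = m["reason"].strip()
    return conns

def classify(conn):
    """Explain a teardown the way the ASA documents it: Reset-I is an RST sent by
    the inside host, Reset-O an RST from the outside host, FINs a normal close."""
    if conn["reason"] is None:
        return "still open / no teardown seen"
    if conn["reason"].endswith("Reset-I"):
        return "reset by inside host %s after %d bytes" % (conn["local"], conn["bytes"])
    if conn["reason"].endswith("Reset-O"):
        return "reset by outside host %s after %d bytes" % (conn["remote"], conn["bytes"])
    if conn["reason"].endswith("FINs"):
        return "closed normally after %d bytes" % conn["bytes"]
    return "closed: " + conn["reason"]

def report(log_text):
    """Map connection id -> one-line verdict for every paired connection."""
    return {cid: classify(c) for cid, c in correlate(log_text).items()}

if __name__ == "__main__":
    for cid, verdict in report(SAMPLE_LOG).items():
        print(cid, verdict)
```

A connection that is built and then torn down with a reason code has passed the firewall's ACL and NAT checks; a blocked connection would show a 106xxx deny message instead of a 302013/302014 pair.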

Ricoh is accepting all public IP addresses. I apologize, I made a typo in my original post. The IP address of the Ricoh appliance is 172.16.1.135.

OK, then it is correct.

Doesn't seem to be your ASA configuration issue.

I can't access the site too, so seems like Ricoh's issue.

eisenberg
Level 1

You will want to remove the post containing your un-scrubbed config that contains your Internet IPs as well as your enable password.
