Denying traffic

hadisharifi
Level 1

Hi, I am new to ASA, especially 8.3. I have configured static NAT with port translation as follows. The traffic flow is from outside to DMZ on port 3389.

object network Terminal-Server
 host 10.0.22.51
object network Streamer
 host 10.0.22.50
object network Terminal-Server
 nat (DMZ,outside) static 192.168.1.1 service tcp 3389 3389
object network Streamer
 nat (DMZ,outside) static 192.168.1.1 service tcp www www

access-list outside_access_in extended permit tcp any object Terminal-Server eq 3389
access-list outside_access_in extended permit tcp any object Streamer eq www

When trying to RDP to 192.168.1.1 on port 3389, the log on the ASA says:

Inbound TCP connection denied from x.x.x.x/52413 to 192.168.1.1/3389 flag SYN on interface outside

Can someone please point out what I am doing wrong?

Thanks

5 Replies

Jennifer Halim
Cisco Employee

Can you confirm if your access-list is applied to the outside interface:

access-group outside_access_in in interface outside

Also, is 192.168.1.1 a spare ip address in the same subnet as the outside interface?

Thanks for the reply Jennifer,

I can confirm that it is.

ASA# sh run access-group
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside

192.168.1.1 is part of a subnet that is routed to the firewall and not used anywhere else, but it is not in the same subnet as the outside interface. The outside interface is 192.168.1.248.0/29.

I have also configured Clientless SSL VPN on this ASA, and it stopped authenticating users when they tried to log in. I had to reboot it and it is fixed now, so I am not sure why that happened.

Thanks

Might need to see the complete ACL to see why it's being denied.

Do you happen to have any "deny" statement above the specific "permit" that might be denying the traffic?

Thanks for your help. My bad: I had a NAT pool containing the IP address used for the static NAT. I have removed it and everything is working fine.

However, Clientless SSL VPN stops authenticating users after a while once they are logged in; it simply says login failed and re-prompts for username and password. The same username and password can be used to telnet to the ASA and it works fine. Last time I rebooted the ASA, which fixed the problem, but I can't do this every time this happens.

Do you know what could be causing this?

Thanks
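The root cause in this thread was an address overlap: the mapped address 192.168.1.1 used by the two static object-NAT rules from the original post was also inside a dynamic NAT pool. The following script is an added example (not from the thread or from Cisco) that parses an ASA 8.3-style object-NAT configuration and flags any static mapped address that also lies inside a dynamic pool. The sample configuration is constructed: it reuses the poster's two static rules and adds a hypothetical pool object (`NAT-POOL`, 192.168.1.1-192.168.1.6) and inside network (`INSIDE-NET`) to reproduce the overlap; those names and addresses are assumptions.

```python
import ipaddress
import re

# Constructed ASA 8.3 object-NAT config modelled on the thread. The two
# static rules are the poster's; NAT-POOL / INSIDE-NET and their addresses
# are hypothetical, added to reproduce the "pool reuses the static IP" case.
SAMPLE_CONFIG = """
object network Terminal-Server
 host 10.0.22.51
 nat (DMZ,outside) static 192.168.1.1 service tcp 3389 3389
object network Streamer
 host 10.0.22.50
 nat (DMZ,outside) static 192.168.1.1 service tcp www www
object network NAT-POOL
 range 192.168.1.1 192.168.1.6
object network INSIDE-NET
 subnet 10.0.10.0 255.255.255.0
 nat (inside,outside) dynamic NAT-POOL
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
# nat (real_if,mapped_if) static|dynamic <mapped-ip | object | interface> ...
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (static|dynamic) (\S+)")


def parse_objects(config):
    """Collect each network object's addresses and the NAT rules attached to it.

    Returns {name: {"addrs": [IPv4Network, ...], "nat": [(real_if, mapped_if, kind, target), ...]}}.
    An object may appear several times (as in the poster's config), so entries are merged.
    """
    objects = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            objects.setdefault(current, {"addrs": [], "nat": []})
            continue
        if current is None:
            continue  # not inside an object block
        parts = line.split()
        if parts[0] == "host":
            objects[current]["addrs"].append(ipaddress.ip_network(parts[1]))
        elif parts[0] == "subnet":
            objects[current]["addrs"].append(
                ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "range":
            first, last = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
            objects[current]["addrs"].extend(ipaddress.summarize_address_range(first, last))
        else:
            m = NAT_RE.match(line)
            if m:
                objects[current]["nat"].append(m.groups())
    return objects


def find_overlaps(objects):
    """Return sorted (static_object, mapped_ip, pool_object) triples where a
    static rule's mapped address is also part of a dynamic NAT pool object."""
    pools = {}    # pool object name -> list of networks
    statics = []  # (object name, mapped network)
    for name, obj in objects.items():
        for _real_if, _mapped_if, kind, target in obj["nat"]:
            if kind == "dynamic" and target in objects:
                pools[target] = objects[target]["addrs"]
            elif kind == "static":
                try:
                    statics.append((name, ipaddress.ip_network(target)))
                except ValueError:
                    # mapped side is an object name ("interface" matches nothing and is skipped)
                    for net in objects.get(target, {"addrs": []})["addrs"]:
                        statics.append((name, net))
    overlaps = []
    for sname, snet in statics:
        for pname, pnets in pools.items():
            if any(snet.overlaps(p) for p in pnets):
                overlaps.append((sname, str(snet.network_address), pname))
    return sorted(overlaps)


if __name__ == "__main__":
    for sname, ip, pname in find_overlaps(parse_objects(SAMPLE_CONFIG)):
        print(f"static NAT for {sname} maps to {ip}, which is also in dynamic pool {pname}")
```

The check only covers object NAT (section 2 in the 8.3 NAT table); twice-NAT rules of the form `nat (x,y) source ...` are not parsed. Running it on the sample reports both static rules against `NAT-POOL`; moving the pool range off 192.168.1.1 clears the report.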

How many SSL VPN license do you have?

Have you exhausted the number of concurrent SSL VPN connections?

Can you share a copy of "show version" and also the output of "sh vpn-sessiondb summary"
