Host inside ASA 5510 configuration problem.

Charlie Taylor
Level 4

We have a Citrix host behind a new 5510 that needs to be accessed by the public. I have tried to follow the examples on cisco.com but still continue to get errors. I KNOW I am missing something simple. I have taken out all my 'tries' and have the basic config below with errors.

I am new to PIX/ASA and would love some suggestions on the proper access-group and corresponding ACL to get the 192.168.71.100/72.54.197.26 Citrix server to accept SSL from outside.


ASA Version 7.0(8)
!
interface Ethernet0/0
description Outside interface to Cbeyond
nameif OUTSIDE
security-level 0
ip address 72.54.197.28 255.255.255.248
!
interface Ethernet0/1
description Inside interface to internal network
nameif INSIDE
security-level 100
ip address 192.168.72.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.71.2 255.255.255.0
management-only
!
object-group service Citrix1494 tcp
port-object eq citrix-ica
port-object eq www
port-object eq https
port-object range 445 447

nat-control

global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (OUTSIDE,INSIDE) 192.168.72.100 72.54.197.26 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 72.54.197.26 192.168.72.100 netmask 255.255.255.255
route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100

http server enable
http 192.168.71.0 255.255.255.0 management

class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!

Error Log:
3|Apr 15 2011 21:06:07|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 21:06:01|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 21:05:58|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
5|Apr 15 2011 21:05:42|111008: User 'root' executed the 'no access-list OUTSIDE_access_in extended permit tcp host 72.54.197.26 host 72.54.197.26' command.
4|Apr 15 2011 21:05:20|106023: Deny tcp src OUTSIDE:114.38.58.208/2817 dst INSIDE:72.54.197.26/445 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:05:17|106023: Deny tcp src OUTSIDE:114.38.58.208/2817 dst INSIDE:72.54.197.26/445 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:04:37|106023: Deny tcp src OUTSIDE:221.1.220.185/12200 dst INSIDE:72.54.197.26/1080 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:50|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:44|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:41|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:23|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:17|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:14|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
5|Apr 15 2011 21:01:56|111008: User 'root' executed the 'access-list OUTSIDE_access_in line 1 extended permit tcp host 72.54.197.26 host 72.54.197.26' command.
6|Apr 15 2011 21:00:13|302013: Built outbound TCP connection 7173 for OUTSIDE:150.70.85.65/443 (150.70.85.65/443) to INSIDE:192.168.72.100/2959 (72.54.197.26/2959)
6|Apr 15 2011 20:56:57|302016: Teardown UDP connection 7082 for OUTSIDE:72.54.197.26/137 to INSIDE:192.168.72.17/137 duration 0:02:01 bytes 62
6|Apr 15 2011 20:55:19|302013: Built outbound TCP connection 7088 for OUTSIDE:184.85.253.178/80 (184.85.253.178/80) to INSIDE:192.168.72.100/2879 (72.54.197.26/2879)
6|Apr 15 2011 20:55:19|302013: Built outbound TCP connection 7086 for OUTSIDE:74.125.159.147/80 (74.125.159.147/80) to INSIDE:192.168.72.100/2878 (72.54.197.26/2878)
6|Apr 15 2011 20:54:55|302015: Built outbound UDP connection 7082 for OUTSIDE:72.54.197.26/137 (192.168.72.100/137) to INSIDE:192.168.72.17/137 (72.54.197.28/24)
6|Apr 15 2011 20:54:17|302021: Teardown ICMP connection for faddr 10.160.68.225/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:15|302020: Built outbound ICMP connection for faddr 10.160.68.225/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:13|302021: Teardown ICMP connection for faddr 172.28.16.2/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7074 for OUTSIDE:199.7.52.190/80 (199.7.52.190/80) to INSIDE:192.168.72.100/2815 (72.54.197.26/2815)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7073 for OUTSIDE:199.7.55.72/80 (199.7.55.72/80) to INSIDE:192.168.72.100/2813 (72.54.197.26/2813)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7072 for OUTSIDE:199.7.55.72/80 (199.7.55.72/80) to INSIDE:192.168.72.100/2812 (72.54.197.26/2812)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7071 for OUTSIDE:199.7.52.190/80 (199.7.52.190/80) to INSIDE:192.168.72.100/2811 (72.54.197.26/2811)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7070 for OUTSIDE:184.85.253.19/80 (184.85.253.19/80) to INSIDE:192.168.72.100/2810 (72.54.197.26/2810)
3|Apr 15 2011 20:54:12|106014: Deny inbound icmp src OUTSIDE:172.28.16.2 dst INSIDE:72.54.197.26 (type 0, code 0)
6|Apr 15 2011 20:54:11|302020: Built outbound ICMP connection for faddr 172.28.16.2/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:10|302013: Built outbound TCP connection 7063 for OUTSIDE:64.4.18.90/80 (64.4.18.90/80) to INSIDE:192.168.72.100/2809 (72.54.197.26/2809)
3|Apr 15 2011 20:52:17|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:52:11|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:52:08|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
2|Apr 15 2011 20:50:02|106001: Inbound TCP connection denied from 187.28.118.35/1973 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
2|Apr 15 2011 20:49:59|106001: Inbound TCP connection denied from 187.28.118.35/1973 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60784 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60783 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60781 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60782 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60779 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60785 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:35|106001: Inbound TCP connection denied from 217.10.43.52/1486 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
2|Apr 15 2011 20:49:32|106001: Inbound TCP connection denied from 217.10.43.52/1486 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
3|Apr 15 2011 20:48:17|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:48:11|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:48:08|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443

THANKS!!

1 Reply

varrao
Level 10

Charlie,

First of all, the static command doesn't seem correct; you just do not need the destination NAT, so delete the following command:

static (OUTSIDE,INSIDE) 192.168.72.100 72.54.197.26 netmask 255.255.255.255

Static commands are bi-directional, so you do not need it.

Then make sure you have a route for it on the ASA:

route 192.168.72.0 255.255.255.0

Then:

access-list outside_access extended permit tcp any host 72.54.197.26

and it should work after that.

Let me know how it works.

Thanks,

Varun

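The following is an added example, not part of Charlie's post or Varun's reply. It pulls the two answers together into the complete pre-8.3 (ASA 7.0(8)) configuration that publishes the Citrix host: the single static, the inbound ACL written against the mapped address, and the access-group binding that the reply leaves out. Addresses, interface names and the ACL name OUTSIDE_access_in come from the original post; the choice of ports (https and citrix-ica) is an assumption about what the Citrix host actually needs, since the post only says "ssl".

```cisco
! Added example (not from the thread): publish 192.168.72.100 as 72.54.197.26
! on ASA 7.0(8) using pre-8.3 NAT syntax. Addresses, interface names and the
! ACL name are taken from the original post; the port list is an assumption.

! 1. One static only. The syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip,
!    and a static already translates in both directions, so the reversed
!    (OUTSIDE,INSIDE) line must be removed rather than kept alongside it.
no static (OUTSIDE,INSIDE) 192.168.72.100 72.54.197.26 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 72.54.197.26 192.168.72.100 netmask 255.255.255.255

! 2. Inbound ACL. Before 8.3 an ACL on the lower-security interface matches the
!    mapped (public) address, not the real one, so host 72.54.197.26 is correct.
!    The source must be "any": the attempt recorded in the log (111008) used the
!    server as both source and destination, which matches nothing. Permit only
!    the ports the Citrix host needs. The posted object-group also contains
!    445-447, and the log already shows internet hosts probing 445, so that
!    range is deliberately left out here.
access-list OUTSIDE_access_in extended permit tcp any host 72.54.197.26 eq https
access-list OUTSIDE_access_in extended permit tcp any host 72.54.197.26 eq citrix-ica

! 3. An ACL does nothing until it is bound to the interface; this line is
!    missing from both the posted config and the reply.
access-group OUTSIDE_access_in in interface OUTSIDE

! 4. No route is needed for 192.168.72.0/24: it is directly connected to INSIDE,
!    and the default route to 72.54.197.25 is already present.

! Verification from enable mode. ASA 7.0 has show xlate but not packet-tracer,
! which only arrived in 7.2.
! show xlate                           -> expect "Global 72.54.197.26 Local 192.168.72.100"
! show access-list OUTSIDE_access_in   -> hitcnt on the permit lines rises on a test connection
! show logging | include 106023        -> denies for 72.54.197.26/443 should stop
```

One caveat that the thread's log lines support but neither post addresses: the 305005 "No translation group found" entries come from inside hosts (192.168.72.75, 192.168.72.97) connecting to the public address 72.54.197.26 from INSIDE. Publishing the server does not make its public address reachable from the inside network; those clients should connect to 192.168.72.100 directly (or be given that address by internal DNS). That is a separate hairpin problem from the inbound access the question is about.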