ASA5512 - 'public' server traffic is being dropped

richard.quick1
Level 1

Hi, 

I currently have a very simple setup:

ISP Router <---outside---> ASA5512 <---inside---> Host

There is nothing else on the ASA yet.

I have configured the host as a public server in the ASDM application. When I try to access the server via the external IP address I get the following error in the log:

Inbound TCP connection denied from x.x.x.x/13183 to x.x.x.x/80 flags SYN on interface outside

I have searched other forums and documents and the only suggestions are interface security levels. I have set the inside to 50 and the outside to 0. I cannot see how changing this could help though.

Thank you in advance for any help.


Richard


5 Replies

Jon Marshall
Hall of Fame

Perhaps post the configuration ?

Jon

Hi Jon, 

The configuration is as below; I didn't post it in case it was an easy fix, to save a large post.

Thanks for taking a look

Richard

ASA Version 9.1(2)
!
hostname firewall-002
domain-name spacedatacentres.co.uk
enable password qtj0RuoLwuInmHYK encrypted
passwd qtj0RuoLwuInmHYK encrypted
names
!
interface GigabitEthernet0/0
 description ISP Circuit
 nameif outside
 security-level 0
 ip address 62.x.x.x 255.255.x.x
!
interface GigabitEthernet0/1
 description Internal D001 Network
 nameif inside
 security-level 50
 ip address 192.x.x.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup management
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 194.x.x.x
 name-server 194.x.x.x
 domain-name xxxxxxx.co.uk
same-security-traffic permit inter-interface
object network 62.x.x.79
 host 62.255.128.79
object network D-000001
 host 192.x.x.10
 description D-000001 Server
object-group service DM_INLINE_TCP_0 tcp
 port-object eq domain
 port-object eq www
 port-object eq https
access-list outside_access extended permit tcp any4 object D-000001 object-group DM_INLINE_TCP_0
pager lines 24
logging enable
logging asdm warnings
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
!
object network D-000001
 nat (inside,outside) static 62.x.x.79
access-group outside_access in interface outside-virgin
route outside 0.0.0.0 0.0.0.0 62.x.x.65 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http x.x.x.x 255.255.255.0 management
snmp-server host management 192.168.1.30 community *****
snmp-server location xxxxxxxx
snmp-server contact xxxxxxx
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.x.x.x 255.255.255.0 management
telnet timeout 5
ssh 192.x.x.x 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
username xxxxxx password xxxx encrypted privilege 15
username xxxxxx password xxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 1
  subscribe-to-alert-group configuration periodic monthly 1
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a52446ba0500580f8d3cb5c569d2006a
: end

You have an acl allowing the traffic but you haven't applied it to the interface.

You have -

"access-group outside_access in interface outside-virgin"

but it should be -

"access-group outside_access in interface outside"

Jon
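
The misconfiguration Jon spotted (an ACL that exists but is bound to an interface name that has no nameif, so the real outside interface has no ACL and inbound traffic falls through to the default deny that produces the "Inbound TCP connection denied" message) is easy to miss by eye in a long running-config. The following is an added example, not code from this thread or from Cisco: a small Python lint that parses a running-config excerpt, reports access-group lines naming non-existent interfaces (with a nearest-nameif hint), reports ACLs that are never effectively applied, and ties a 106001-style denial line back to the ACL state of the interface it names. The config excerpt and syslog line are constructed, modelled on what Richard posted, with RFC 5737 documentation addresses substituted; the function and variable names are the example's own.

```python
"""Lint an ASA running-config for access-group bindings that cannot take effect.

Added example for this thread, not Cisco's code. It mirrors the diagnosis above:
an access-list exists, but the access-group line names an interface that has
no nameif, so no ACL is applied on the real interface and inbound traffic hits
the default deny (the %ASA-4-106001 'Inbound TCP connection denied' message).
"""
import difflib
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the posted config (RFC 5737 addresses substituted).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 50
interface Management0/0
 management-only
 nameif management
 security-level 100
object network D-000001
 host 192.0.2.10
access-list outside_access extended permit tcp any4 object D-000001 object-group DM_INLINE_TCP_0
access-list inside_access extended permit ip any4 any4
access-group outside_access in interface outside-virgin
"""

# Constructed syslog line in the same shape as the one quoted in the question.
SAMPLE_SYSLOG = ("%ASA-4-106001: Inbound TCP connection denied from 198.51.100.7/13183 "
                 "to 203.0.113.79/80 flags SYN on interface outside")

ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
DENY_RE = re.compile(r"Inbound (\w+) connection denied from (\S+) to (\S+) flags (.+?) on interface (\S+)")


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" or "warning"
    message: str


def parse_config(text):
    """Return (nameifs, ACL names, [(acl, direction, interface), ...])."""
    nameifs, acls, bindings = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameifs.add(line.split()[1])
        elif line.startswith("access-list "):
            name = line.split()[1]
            if name not in ("alert-interval", "deny-flow-max"):  # global ACL settings, not ACLs
                acls.add(name)
        else:
            m = ACCESS_GROUP_RE.match(line)
            if m:
                bindings.append(m.groups())
    return nameifs, acls, bindings


def lint(text):
    """Report bindings to unknown interfaces and ACLs that are never effectively applied."""
    nameifs, acls, bindings = parse_config(text)
    findings, effective = [], set()
    for acl, direction, intf in bindings:
        if acl not in acls:
            findings.append(Finding("error", f"access-group references undefined ACL '{acl}'"))
        if intf in nameifs:
            effective.add(acl)
            continue
        hint = difflib.get_close_matches(intf, sorted(nameifs), n=1, cutoff=0.6)
        fix = f"; did you mean '{hint[0]}'?" if hint else ""
        findings.append(Finding("error",
            f"access-group '{acl}' {direction} names interface '{intf}', which has no nameif, "
            f"so the ACL is not applied anywhere{fix}"))
    for acl in sorted(acls - effective):
        findings.append(Finding("warning", f"ACL '{acl}' is defined but not applied to any existing interface"))
    return findings


def explain_denial(config_text, syslog_line):
    """Tie a 106001 denial back to the ACL state of the interface it names."""
    m = DENY_RE.search(syslog_line)
    if not m:
        return None
    proto, src, dst, _flags, intf = m.groups()
    nameifs, _acls, bindings = parse_config(config_text)
    if intf not in nameifs:
        return f"syslog names interface '{intf}', which has no nameif in this config"
    inbound = [acl for acl, direction, bound in bindings if direction == "in" and bound == intf]
    if not inbound:
        return (f"no inbound ACL is applied on '{intf}'; {proto} {src} -> {dst} was dropped by "
                f"the default deny for traffic entering a lower-security interface")
    return (f"inbound ACL {', '.join(inbound)} is applied on '{intf}' but the flow {proto} {src} -> {dst} "
            f"did not match a permit entry; check the object and NAT definitions it relies on")


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"{f.severity.upper()}: {f.message}")
    print(explain_denial(SAMPLE_CONFIG, SAMPLE_SYSLOG))
```

Run against the constructed excerpt it flags the `outside-virgin` binding with `outside` as the suggested fix and lists `outside_access` as not applied anywhere; with the binding corrected, only the unbound `inside_access` warning remains. Running it over the output of `show running-config` pasted into a file is the intended use; it only reads text and changes nothing on the firewall.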

Hi Jon, 

That's perfect, thank you. Obviously a typo when tidying up the config.

Thank you again.

Richard

No problem.

Jon
