Problem with PAT

soneji (IS-IT--Management, member since Mar 19, 2004, 19 posts, US)
I have a problem with an ASA 5510 allowing inbound traffic to connect to a PAT'd address. I have RDP set up on a server in the DMZ, and I am using PAT to translate from 3389 on the DMZ to 33890 on the OUTSIDE interface. I have added the inbound ACL like I normally do on a PIX and set up my static statement, but no go. I get these errors in the log:

Dec 14 2006 16:30:16: %ASA-7-710005: TCP request discarded from 4.4.4.4/42977 to outside:1.1.1.1/33890
Dec 14 2006 16:30:19: %ASA-7-710005: TCP request discarded from 4.4.4.4/42977 to outside:1.1.1.1/33890

4.4.4.4 is the address I'm coming from, 1.1.1.1 is the interface address on the ASA.

Here is the config to go along with this.

ASA Version 7.2(2)
!
hostname FSB-ASA
domain-name domain.dom
enable password <removed> encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.198.254.254 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.198.253.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.198.1.9 255.255.255.0
management-only
!
passwd <removed> encrypted
banner motd *** Notice ***
banner motd Unauthorized Access Prohibited
banner motd This is a private computer facility protected by a security
banner motd system. Access to and use thereof requires explicit, current
banner motd authorization and is limited to purposes of the organization's
banner motd business. Unauthorized access or attempts to use, alter,
banner motd destroy or damage data, programs or equipment may violate
banner motd applicable law and could result in criminal prosecution,
banner motd civil liability or both.
banner motd
banner motd
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name fsbdomain.dom
same-security-traffic permit intra-interface
access-list out_in remark ******************************************
access-list out_in remark Deny and log spoofed packets
access-list out_in extended deny ip 1.1.1.1 255.255.255.248 any log
access-list out_in remark ******************************************
access-list out_in remark ******************************************
access-list out_in remark Deny and log packets from invalid addresses
access-list out_in extended deny ip 10.0.0.0 255.0.0.0 any log
access-list out_in extended deny ip 172.16.0.0 255.240.0.0 any log
access-list out_in extended deny ip 192.168.0.0 255.255.0.0 any log
access-list out_in extended deny ip 127.0.0.0 255.0.0.0 any log
access-list out_in extended deny ip 224.0.0.0 255.255.0.0 any log
access-list out_in extended deny ip host 0.0.0.0 any log
access-list out_in remark ******************************************
access-list out_in remark ******************************************
access-list out_in remark Permit ICMP except redirect and timestamp
access-list out_in extended deny icmp any any redirect log
access-list out_in extended deny icmp any any timestamp-request log
access-list out_in extended permit icmp any any echo-reply
access-list out_in extended permit icmp any any time-exceeded
access-list out_in extended permit icmp any any unreachable
access-list out_in extended permit icmp any host 1.1.1.1
access-list out_in remark ******************************************
access-list out_in remark ******************************************
access-list out_in remark Permit Internet to access Mail
access-list out_in extended permit tcp any host 1.1.1.1 eq smtp
access-list out_in remark ******************************************
access-list out_in remark ******************************************
access-list out_in remark Permit Company to SSH to router
access-list out_in extended permit tcp host 3.3.3.3 host 1.1.1.1 eq ssh
access-list out_in extended permit tcp host 4.4.4.4 host 1.1.1.1 eq ssh
access-list out_in extended permit tcp host 4.4.4.4 host 1.1.1.1 eq 33890
access-list out_in extended permit tcp host 4.4.4.4 host 1.1.1.1 eq www
access-list out_in remark ******************************************
access-list out_in remark ******************************************
access-list out_in remark Permit Company to PPTP to ISA Server
access-list out_in extended permit esp host 3.3.3.3 host 2.2.2.2
access-list out_in extended permit udp host 3.3.3.3 host 2.2.2.2 eq isakmp
access-list out_in extended permit esp host 4.4.4.4 host 2.2.2.2
access-list out_in extended permit udp host 4.4.4.4 host 2.2.2.2 eq isakmp
access-list out_in remark ******************************************
access-list out_in remark ******************************************
access-list out_in remark Deny all other traffic
access-list out_in extended deny udp any range 1 65535 any range 1 65535 log
access-list out_in extended deny tcp any range 1 65535 any range 1 65535 log
access-list out_in extended deny ip any any log
access-list out_in remark ******************************************
access-list dmz_in remark ******************************************
access-list dmz_in remark Permit Mail Gateway to Relay MAIL to Exchange
access-list dmz_in extended permit ip 10.198.253.0 255.255.255.0 any
access-list dmz_in remark ******************************************
access-list dmz_in remark ******************************************
access-list dmz_in remark Deny all other traffic
access-list dmz_in extended deny udp any range 1 65535 any range 1 65535 log
access-list dmz_in extended deny tcp any range 1 65535 any range 1 65535 log
access-list dmz_in extended deny ip any any log
access-list dmz_in remark ******************************************
access-list test_splitTunnelAcl standard permit 10.198.253.0 255.255.255.0
access-list test_splitTunnelAcl standard permit 10.198.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.198.253.0 255.255.255.0 10.198.252.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.198.254.0 255.255.255.0 10.198.252.0 255.255.255.240
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging history debugging
logging asdm informational
logging facility 16
logging host management 10.198.1.196
logging permit-hostdown
mtu outside 1428
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool test 10.198.252.1-10.198.252.10 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 1 10.198.252.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.198.254.0 255.255.255.0
nat (dmz) 1 10.198.253.0 255.255.255.0
static (dmz,outside) tcp 1.1.1.1 smtp 10.198.253.10 smtp netmask 255.255.255.255 tcp 0 512
static (inside,dmz) tcp 10.198.253.11 smtp 10.198.254.11 smtp netmask 255.255.255.255 tcp 0 512
static (dmz,outside) tcp 1.1.1.1 33890 10.198.253.10 3389 netmask 255.255.255.255
static (inside,outside) 2.2.2.2 10.198.254.11 netmask 255.255.255.255 tcp 0 512
access-group out_in in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 12.25.112.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
group-policy clientgroup internal
group-policy clientgroup attributes
vpn-idle-timeout 20
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
username Companytech password <removed> encrypted
aaa authentication ssh console LOCAL
http server enable
http 4.4.4.4 255.255.255.255 outside
http 10.198.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
address-pool test
default-group-policy test
tunnel-group test ipsec-attributes
pre-shared-key *
tunnel-group rtptacvpn type ipsec-ra
tunnel-group rtptacvpn general-attributes
address-pool test
authorization-server-group LOCAL
default-group-policy clientgroup
tunnel-group rtptacvpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 4.4.4.4 255.255.255.255 outside
ssh 3.3.3.3 255.255.255.255 outside
ssh 10.198.1.0 255.255.255.0 management
ssh timeout 5
ssh version 2
console timeout 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect esmtp
inspect http
inspect dns
inspect ftp
!
service-policy global_policy global
ntp server 129.6.15.28 source outside prefer
prompt hostname context
Cryptochecksum:f76496682b2d17c81070c937f7ae8ecc
: end

Any guidance would be appreciated!

Thanks,
Erich
 
You have this:

static (dmz,outside) tcp 1.1.1.1 smtp 10.198.253.10 smtp netmask 255.255.255.255 tcp 0 512
static (dmz,outside) tcp 1.1.1.1 33890 10.198.253.10 3389 netmask 255.255.255.255

Should be:
static (dmz,outside) tcp interface smtp 10.198.253.10 smtp netmask 255.255.255.255 tcp 0 512
static (dmz,outside) tcp interface 33890 10.198.253.10 3389 netmask 255.255.255.255


Free Firewall/Network/Systems Support-
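As an added example (not from the thread, and not Cisco code), here is a small Python lint that applies the rule in the reply above to the config posted in the question: it finds `static` PAT lines whose mapped address is the literal IP configured on the mapped interface, rewrites each one with the `interface` keyword, and correlates the result with the `%ASA-7-710005` "TCP request discarded" lines from the question. `SAMPLE_CONFIG` and `SAMPLE_LOG` are trimmed copies of the post's own config and log; the port-name table, the function names and the correlation logic are my own, and the correlation assumes the reply's diagnosis (the ASA handles 1.1.1.1:33890 as traffic to itself instead of consulting the translation).

```python
"""Lint ASA 7.x static PATs that name an interface IP literally instead of
using the `interface` keyword, and match them against %ASA-7-710005 discards.
Added example for the thread; SAMPLE_* strings are trimmed from the post."""
import re
from dataclasses import dataclass

# Constructed input: the interface and static lines from the posted config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.198.253.254 255.255.255.0
!
static (dmz,outside) tcp 1.1.1.1 smtp 10.198.253.10 smtp netmask 255.255.255.255 tcp 0 512
static (dmz,outside) tcp 1.1.1.1 33890 10.198.253.10 3389 netmask 255.255.255.255
static (inside,outside) 2.2.2.2 10.198.254.11 netmask 255.255.255.255 tcp 0 512
"""

# Constructed input: the two syslog lines from the question.
SAMPLE_LOG = """\
Dec 14 2006 16:30:16: %ASA-7-710005: TCP request discarded from 4.4.4.4/42977 to outside:1.1.1.1/33890
Dec 14 2006 16:30:19: %ASA-7-710005: TCP request discarded from 4.4.4.4/42977 to outside:1.1.1.1/33890
"""

# Subset of the service names the ASA accepts in place of port numbers (assumption: extend as needed).
PORT_NAMES = {"smtp": 25, "www": 80, "ssh": 22, "https": 443, "domain": 53}


def port_number(token: str) -> int:
    """Resolve a port token such as '33890' or 'smtp' to an integer."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port name {token!r}")


@dataclass(frozen=True)
class StaticPat:
    real_ifc: str
    mapped_ifc: str
    proto: str
    mapped_ip: str      # literal address, or the keyword 'interface'
    mapped_port: int
    real_ip: str
    real_port: int
    line: str

# static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask mask [...]
STATIC_PAT_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)(.*)$")
DISCARD_RE = re.compile(r"%ASA-7-710005: (TCP|UDP) request discarded from (\S+)/(\d+) to (\w+):(\S+)/(\d+)")


def parse_interfaces(config: str) -> dict:
    """Map each nameif to the IP address configured on that interface."""
    ifcs, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            ifcs[nameif] = line.split()[2]
    return ifcs


def parse_static_pats(config: str) -> list:
    """Collect the static PAT (port-level) translations; plain static NAT lines are ignored."""
    pats = []
    for raw in config.splitlines():
        m = STATIC_PAT_RE.match(raw.strip())
        if m:
            real_ifc, mapped_ifc, proto, mip, mport, rip, rport = m.groups()[:7]
            pats.append(StaticPat(real_ifc, mapped_ifc, proto, mip, port_number(mport),
                                  rip, port_number(rport), raw.strip()))
    return pats


def literal_interface_pats(config: str) -> list:
    """Return (pat, corrected_line) for each static PAT whose mapped address is the
    literal IP of its mapped interface; the corrected line uses the `interface` keyword."""
    ifcs = parse_interfaces(config)
    findings = []
    for pat in parse_static_pats(config):
        if pat.mapped_ip != "interface" and pat.mapped_ip == ifcs.get(pat.mapped_ifc):
            findings.append((pat, pat.line.replace(f" {pat.mapped_ip} ", " interface ", 1)))
    return findings


def explain_discards(config: str, log: str) -> list:
    """Match 710005 discards (packets the ASA handled as addressed to itself) against
    the flagged static PATs, so each discard is paired with the line that should fix it."""
    flagged = {(p.mapped_ifc, p.mapped_ip, p.proto, p.mapped_port): fixed
               for p, fixed in literal_interface_pats(config)}
    results = []
    for line in log.splitlines():
        m = DISCARD_RE.search(line)
        if not m:
            continue
        proto, src, sport, ifc, dst, dport = m.groups()
        key = (ifc, dst, proto.lower(), int(dport))
        if key in flagged:
            results.append({"src": f"{src}/{sport}", "dst": f"{ifc}:{dst}/{dport}", "fix": flagged[key]})
    return results


if __name__ == "__main__":
    for pat, fixed in literal_interface_pats(SAMPLE_CONFIG):
        print(f"literal interface IP in static PAT:\n   {pat.line}\n   use: {fixed}")
    for r in explain_discards(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"710005 {r['src']} -> {r['dst']} explained by: {r['fix']}")
```

Run against the post's config it flags both `static (dmz,outside) tcp 1.1.1.1 ...` lines (the SMTP one has the same defect even though nobody has complained about it yet) and pairs both logged discards with the corrected 33890 line; the `2.2.2.2` static is a plain static NAT to a different address and is left alone.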