asa 5505 "deny src outside"; I keep knocking but I can't come in!

Discussion in 'Cisco' started by barret bonden, Aug 17, 2008.

  1. The log viewer is showing "Deny tcp src outside ....by access group
    "outside_access_in", and believe me that was not my intent.
    Trying to test (pre client deployment) access to a MS terminal server via
    Remote Desktop Connection.
    It's the same syntax as my own old pix - and then I let the ASDM 5.2 write
    it. Still no good.

    (however, it is cool to see it build dynamic UDP connections and SSL
    handshakes in the log viewer even as the RDP fails)



    : Saved
    :
    ASA Version 7.2(4)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list outside_access_in extended permit object-group TCPUDP any host 192.168.0.10 eq 3389
    access-list inside_nat0_outbound extended permit ip any host 192.168.0.160
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool monica 192.168.0.160-192.168.0.170 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255 tcp 10 12 udp 10
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 outside
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.0.22-192.168.0.149 inside
    dhcpd enable inside
    !

    group-policy monica internal
    group-policy monica attributes
    vpn-tunnel-protocol IPSec
    username monica password Wl4I2obo2cOmbkKh encrypted privilege 0
    username monica attributes
    vpn-group-policy monica
    username arthur password hbSd69.iUWF6UyYi encrypted privilege 0
    username arthur attributes
    vpn-group-policy monica
    username user1 password C3qsSor2h2LUbmz2 encrypted privilege 0
    username user1 attributes
    vpn-group-policy monica
    username user2 password G1SInyx0A0./Dx3t encrypted privilege 0
    username user2 attributes
    vpn-group-policy monica
    tunnel-group monica type ipsec-ra
    tunnel-group monica general-attributes
    address-pool monica
    default-group-policy monica
    tunnel-group monica ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:0e70e2aa5a33daedcb4092589594b6f4
    : end
    asdm image disk0:/asdm-524.bin
    no asdm history enable
     
    barret bonden, Aug 17, 2008
    #1

  2. In article <48a764e4$0$20912$>,
    barret bonden <> wrote:
    > The log viewer is showing " Deny tcp src outside ....by access group
    >"outside_access_in" , and believe me that was not my intent.


    >access-list outside_access_in extended permit object-group TCPUDP any host
    >192.168.0.10 eq 3389


    >access-group outside_access_in in interface outside


    Access lists get processed before NAT gets done. Your outside access
    list needs to reference your internal host by its public IP.

    As you appear to only have a single IP (since you use dhcp), change
    the 'host 192.168.0.10' to 'any'.
     
    Walter Roberson, Aug 17, 2008
    #2
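As an added illustration (not from the thread), here is a small Python model of Walter's point: on this ASA release the inbound access list on "outside" is evaluated against the packet as it arrives, i.e. with the public (mapped) destination, and only afterwards does the static PAT rewrite it to 192.168.0.10. The outside DHCP address 203.0.113.5 is an assumed, constructed value, and the model ignores everything except the destination check and the static entry.

```python
# Added example, not code from the thread. Simplified model of the pre-8.3 ASA
# inbound pipeline: access-group on 'outside' first, static (un-NAT) second.
OUTSIDE_IF = "203.0.113.5"   # assumed DHCP-assigned outside address (constructed)

# static (inside,outside) tcp interface 3389 192.168.0.10 3389
STATIC_PAT = {(OUTSIDE_IF, 3389): ("192.168.0.10", 3389)}


def match_dst(spec, dst_ip):
    """Destination part of an ACE: 'any', 'host A.B.C.D' or 'interface outside'."""
    if spec == "any":
        return True
    if spec == "interface outside":
        return dst_ip == OUTSIDE_IF
    if spec.startswith("host "):
        return dst_ip == spec.split()[1]
    raise ValueError("unsupported destination spec: %s" % spec)


def acl_then_nat(ace_dst, dst_ip, dst_port, proto="tcp", ace_port=3389):
    """Return (permitted, translated_destination).

    The ACE is matched against the packet as received on 'outside', so the
    destination it sees is the public address, not the inside host. Only a
    permitted packet reaches the static translation.
    """
    permitted = (proto == "tcp" and dst_port == ace_port
                 and match_dst(ace_dst, dst_ip))
    if not permitted:
        # This is the case the log viewer reports as
        # 'Deny tcp src outside ... by access-group "outside_access_in"'.
        return False, None
    return True, STATIC_PAT.get((dst_ip, dst_port))


if __name__ == "__main__":
    # Original ACE: 'host 192.168.0.10' never matches the public destination.
    print(acl_then_nat("host 192.168.0.10", OUTSIDE_IF, 3389))
    # 'any' works, but also permits 3389 to destinations no static covers.
    print(acl_then_nat("any", "203.0.113.9", 3389))
    # 'interface outside' permits exactly the PAT'd destination.
    print(acl_then_nat("interface outside", OUTSIDE_IF, 3389))
```

The last two calls show why 'interface outside' is the tighter choice: it permits only the destination the static actually translates.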

  3. Thank you, as always. I play with PIX so infrequently that at each new
    one I'm rusty. I tried to configure the ASA with the ASDM and the Access
    Rules edit feature still seems counter-intuitive to me. I solved it just
    prior to reading your note by pasting in "access list outside_in permit tcp
    any interface outside eq 3389" from a prior install. Looks like I was
    running it backward in the ASDM.

    As long as I have you; is there any way to copy a saved config from TFTP
    without it merging? Just a replacement copy? On all the Cisco docs I can
    find it looks like it just does a merge -
     
    barret bonden, Aug 18, 2008
    #3
  4. In article <48a99cd4$0$20933$>,
    barret bonden <> wrote:
    >"access list outside_in permit tcp any interface outside eq 3389"


    Yes, that is probably a better solution than using 'any' as
    the destination.

    > As long as I have you; is there any way to copy a saved config from TFTP
    >without it merging ? Just a replacement copy ?


    On ASA, use the 'copy' command to copy tftp to the startup-config
    and then reboot.

    Or copy tftp to something in the filesystem and then tell the ASA
    to boot from that file.

    Sorry, I don't have a functional copy-and-paste in this particular
    access mode, but google site:cisco.com asa startup configuration
    and the first hit shows how it is done.
     
    Walter Roberson, Aug 18, 2008
    #4
