address failure on ASA5505

Unanswered Question
Jul 23rd, 2009
User Badges:


I have a ASA5505 with a security plus license that has been 'in-production' for some time but I am experiencing a 'lock-out' of a particular IP address in a DMZ with minimal usage.

This IP address is configured with ACL and NAT to allow:

http traffic

ftp traffic

remote desktop traffic

IIS 7 traffic

I have also limited the number of embromic connections to 1500 due to DOS attacks. The issue I experience is that the 'channel' locks up when using remote desktop or IIS 7 services resulting in all traffic being denied to that IP address (channel). All other IP addresses with similar configuration remain working.

Can anyone suggest what the problem may be and how to go about resolving it?

Thanks (in advance) for your help.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
robertson.michael Thu, 07/23/2009 - 07:25
User Badges:
  • Silver, 250 points or more

Hi April,

Your issue sounds like it may be caused by an incorrect translation getting built during RDP or IIS conversations.

First, take a look at your 'static', 'nat', and 'global' commands in your configuration to ensure nothing is incorrectly configured for your environment and none of your translations are conflicting.

Also, take a look at the output of the 'show xlate debug' command on the firewall next time the problem occurs. My guess is that you would see an incorrect translation being built that is causing normal traffic to break. In that case, you'll need to find out what part of your configuration is causing that translation to get built.

Hope that helps.


dalyWebInc Thu, 07/23/2009 - 07:32
User Badges:

Thanks Mike!

today the problem seems ot have fixed itself after some time (although last time it didn't and required a reboot).

Either way I will do as you suggested as I can't have my customers locked out! Thank you very much for your help.

Regards, April


This Discussion