07-23-2009 06:42 AM - edited 03-11-2019 08:58 AM
Hi,
I have an ASA5505 with a security plus license that has been 'in-production' for some time but I am experiencing a 'lock-out' of a particular IP address in a DMZ with minimal usage.
This IP address is configured with ACL and NAT to allow:
http traffic
ftp traffic
remote desktop traffic
IIS 7 traffic
I have also limited the number of embryonic connections to 1500 due to DoS attacks. The issue I experience is that the 'channel' locks up when using remote desktop or IIS 7 services, resulting in all traffic being denied to that IP address (channel). All other IP addresses with similar configuration remain working.
Can anyone suggest what the problem may be and how to go about resolving it?
Thanks (in advance) for your help.
April
07-23-2009 07:25 AM
Hi April,
Your issue sounds like it may be caused by an incorrect translation getting built during RDP or IIS conversations.
First, take a look at your 'static', 'nat', and 'global' commands in your configuration to ensure nothing is incorrectly configured for your environment and none of your translations are conflicting.
Also, take a look at the output of the 'show xlate debug' command on the firewall next time the problem occurs. My guess is that you would see an incorrect translation being built that is causing normal traffic to break. In that case, you'll need to find out what part of your configuration is causing that translation to get built.
Hope that helps.
-Mike
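A constructed ASA 8.2-style fragment, added here as an illustration of the checks Mike describes; it is not April's configuration, and the DMZ host 192.168.2.10 and its published address 203.0.113.10 are made-up values:

```cisco
! Constructed example in ASA 8.2 syntax; not the poster's configuration.
! Assumed addresses: DMZ host 192.168.2.10, published on the outside as 203.0.113.10.
!
! One static translation for the host. "tcp 0 1500" = unlimited TCP
! connections, at most 1500 embryonic (half-open) connections; above
! that limit the ASA intercepts new SYNs instead of passing them through.
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255 tcp 0 1500
!
! Inbound ACL for the published services (HTTP, FTP, RDP).
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq ftp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 3389
access-group OUTSIDE_IN in interface outside
!
! Checks to run while the host is "locked up", before rebooting:
! 1. Per-host counters: current TCP and embryonic connection counts
!    against the limits configured on the static above.
show local-host 192.168.2.10
! 2. Translations involving this host; an entry that does not match the
!    static above is the "incorrect translation" to trace back to the config.
show xlate debug | include 192.168.2.10
! 3. Active connections to the host, with their state flags.
show conn address 192.168.2.10
! 4. Recover without a reboot: remove only this host's translations
!    (this also drops the connections currently using them).
clear xlate local 192.168.2.10
```

Taking the output of steps 1 to 3 while the lock-out is happening gives something concrete to compare against the static, nat and global commands in the running configuration.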
07-23-2009 07:32 AM
Thanks Mike!
Today the problem seems to have fixed itself after some time (although last time it didn't and required a reboot).
Either way I will do as you suggested as I can't have my customers locked out! Thank you very much for your help.
Regards, April