
address failure on ASA5505

dalyWebInc
Level 1

Hi,

I have an ASA5505 with a security plus license that has been 'in-production' for some time but I am experiencing a 'lock-out' of a particular IP address in a DMZ with minimal usage.

This IP address is configured with ACL and NAT to allow:

http traffic

ftp traffic

remote desktop traffic

IIS 7 traffic

I have also limited the number of embryonic connections to 1500 due to DoS attacks. The issue I experience is that the 'channel' locks up when using remote desktop or IIS 7 services resulting in all traffic being denied to that IP address (channel). All other IP addresses with similar configuration remain working.

Can anyone suggest what the problem may be and how to go about resolving it?

Thanks (in advance) for your help.

April

2 Replies

Hi April,

Your issue sounds like it may be caused by an incorrect translation getting built during RDP or IIS conversations.

First, take a look at your 'static', 'nat', and 'global' commands in your configuration to ensure nothing is incorrectly configured for your environment and none of your translations are conflicting.

Also, take a look at the output of the 'show xlate debug' command on the firewall next time the problem occurs. My guess is that you would see an incorrect translation being built that is causing normal traffic to break. In that case, you'll need to find out what part of your configuration is causing that translation to get built.

Hope that helps.

-Mike
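
Added example, not part of the thread or of any Cisco tool: one way to do the first check Mike describes offline, by scanning saved `static` lines for two entries that claim the same mapped address (or the same mapped port) for different real hosts. It assumes the pre-8.3 `static (real_if,mapped_if) ...` syntax; the sample configuration is constructed and uses documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample config (documentation addresses; not taken from the thread).
SAMPLE_CONFIG = """\
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.11 3389 192.168.50.11 3389 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.10 3389 192.168.50.12 3389 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.11 www 192.168.50.11 www netmask 255.255.255.255
"""

# Two forms: port redirection (tcp|udp mapped_ip mapped_port real_ip real_port)
# and whole-address translation (mapped_ip real_ip).
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?:(?P<proto>tcp|udp) (?P<m_ip>\S+) (?P<m_port>\S+) (?P<r_ip>\S+) \S+"
    r"|(?P<m_ip2>\S+) (?P<r_ip2>\S+))"
)

def parse_statics(config):
    """Return one dict per static line: interfaces, mapped IP, real IP, service."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        port_form = m["proto"] is not None
        entries.append({
            "ifs": (m["real_if"], m["mapped_if"]),
            "mapped": m["m_ip"] if port_form else m["m_ip2"],
            "real": m["r_ip"] if port_form else m["r_ip2"],
            # service None means the static covers every port on the mapped IP
            "service": (m["proto"], m["m_port"]) if port_form else None,
            "line": line.strip(),
        })
    return entries

def find_conflicts(entries):
    """Pairs of statics claiming the same mapped address/service for different real hosts."""
    by_mapped = defaultdict(list)
    for e in entries:
        by_mapped[(e["ifs"], e["mapped"])].append(e)
    conflicts = []
    for group in by_mapped.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                overlap = None in (a["service"], b["service"]) or a["service"] == b["service"]
                if overlap and a["real"] != b["real"]:
                    conflicts.append((a["line"], b["line"]))
    return conflicts
```

On the constructed sample, `find_conflicts(parse_statics(SAMPLE_CONFIG))` returns one pair: the whole-address static for 203.0.113.10 and the port 3389 static that maps the same address to a different real host.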

Thanks Mike!

Today the problem seems to have fixed itself after some time (although last time it didn't and required a reboot).

Either way I will do as you suggested as I can't have my customers locked out! Thank you very much for your help.

Regards, April
