ASA5510 and Honeywell HRDV RAS

cctnetwork
Level 1

We have recently implemented an ASA5510 replacing our old PIX520. One of the offices here uses a Honeywell digital video recorder that they remotely access via Honeywell's RAS remote access software. Since putting in the ASA they cannot connect to the HRDV. If I try an outside interface bypassing the ASA, everything works fine. Looking at a packet capture, the app uses port 44442 initially then negotiates other ports. When behind the ASA the port negotiation doesn't happen, it just continues to try the same port. I'm kinda confused because this traffic is initiated from the inside so it should come back through with no problem. Thanks all in advance.

4 Replies

nkhawaja
Cisco Employee

After you replaced the PIX with the ASA, did that also change the OS on the ASA?

Maybe a needed fixup is disabled.

thanks

Nadeem

I have not updated the OS on the ASA if that is what you mean. Hasn't fixup been replaced by inspection? Here's what the inspection portion of my config looks like:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Any help is greatly appreciated.

Update:

We are also experiencing an e-mail issue where the clients are getting multiple copies of a message (100+) so as a troubleshooting procedure I put the old PIX520 back in place. I tried the RAS connection and it worked fine. As far as I can see the firewall configs for both appliances look the same as to access lists/conduits etc. Could it be the IDS side of the ASA5510 that is causing the problems? I'm wondering if someone can look at the configs of both my PIX520 and ASA5510 and tell me the differences as far as traffic allowed etc. Thanks all.

Do you have an IDS module in that ASA? Try to disable the esmtp and smtp fixup and see if that makes any difference for the email issue. Also, for the other issue, try to disable the related fixup. Are there any logs available?