Weird issue with ASA5510

joneschw1 · ‎10-12-2005

I have an ASA5510, and I can terminal server from the inside to outside sites all over the internet. However, there is one site that I am having a problem with. I cannot terminal server to that specific site while behind the ASA5510. When I put my pc outside of the firewall and try it, everything goes well, and I can terminal server to it. I put the same pc behind my ASA, and it does not work. I check the terminal server logs, and it shows that the initial connection is made, but then it goes no further. I know traffic is actually getting to the terminal server, but after that, it does not appear that the ASA lets the return traffic back in or something. Here is my relevant config:

ASA Version 7.0(1)

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 64.20.30.130 255.255.255.192

!

interface Ethernet0/2

description internal

speed 100

duplex full

nameif Inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

enable password XXXXX encrypted

passwd XCXXXX encrypted

hostname businessASA5510

domain-name business.com

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

access-list icmp1 extended permit icmp any any

access-list outside_in extended permit tcp any host nspub eq domain

access-list outside_in extended permit udp any host nspub eq domain

access-list outside_in extended permit tcp any host 64.20.30.131 eq smtp

access-list outside_in extended permit tcp any host 64.20.30.131 eq https

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in extended permit icmp any any source-quench

access-list outside_in extended permit icmp any any unreachable

access-list outside_in extended permit icmp any any time-exceeded

mtu outside 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

monitor-interface outside

monitor-interface DMZ

monitor-interface Inside

monitor-interface management

asdm image disk0:/asdm-501.bin

no asdm history enable

arp timeout 14400

global (outside) 1 64.20.30.150-64.20.30.179

global (outside) 1 64.20.30.180

global (DMZ) 1 64.20.30.181

nat (Inside) 1 0.0.0.0 0.0.0.0

static (Inside,outside) tcp 64.20.30.131 smtp businessmail smtp netmask 255.255.255.255

static (Inside,outside) tcp 64.20.30.131 https businessmail https netmask 255.255.255.255

static (Inside,outside) tcp 64.20.30.131 444 businessmail 444 netmask 255.255.255.255

static (Inside,outside) udp 64.20.30.131 443 businessmail 443 netmask 255.255.255.255

static (Inside,outside) tcp 64.20.30.131 www businessmail www netmask 255.255.255.255

static (Inside,outside) tcp 64.20.30.131 citrix-ica citrix citrix-ica netmask 255.255.255.255

static (DMZ,outside) nspub ns netmask 255.255.255.255

static (Inside,outside) 64.20.30.140 techmail netmask 255.255.255.255

static (Inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (Inside,outside) 64.20.30.142 192.168.1.62 netmask 255.255.255.255

static (DMZ,outside) 64.20.30.147 192.168.69.50 netmask 255.255.255.255

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 64.20.30.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 2000

inspect ftp

inspect pptp

inspect h323 h225

inspect h323 ras

inspect http

inspect ils

inspect rtsp

inspect sip

inspect skinny

inspect icmp

inspect icmp error

!

service-policy global_policy global

nkhawaja · ‎10-12-2005

hi,

try collecting some log (debug level if possible) here for the particular sessions.

try disabling fixup protocols.

try to capture traffic on the inside and outside interface and match it.