10-12-2005 01:01 PM - edited 03-09-2019 12:42 PM
I have an ASA5510, and I can terminal server from the inside to outside sites all over the internet. However, there is one site that I am having a problem with. I cannot terminal server to that specific site while behind the ASA5510. When I put my pc outside of the firewall and try it, everything goes well, and I can terminal server to it. I put the same pc behind my ASA, and it does not work. I check the terminal server logs, and it shows that the initial connection is made, but then it goes no further. I know traffic is actually getting to the terminal server, but after that, it does not appear that the ASA lets the return traffic back in or something. Here is my relevant config:
ASA Version 7.0(1)
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 64.20.30.130 255.255.255.192
!
interface Ethernet0/2
description internal
speed 100
duplex full
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
enable password XXXXX encrypted
passwd XCXXXX encrypted
hostname businessASA5510
domain-name business.com
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list icmp1 extended permit icmp any any
access-list outside_in extended permit tcp any host nspub eq domain
access-list outside_in extended permit udp any host nspub eq domain
access-list outside_in extended permit tcp any host 64.20.30.131 eq smtp
access-list outside_in extended permit tcp any host 64.20.30.131 eq https
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any source-quench
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any time-exceeded
mtu outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
monitor-interface outside
monitor-interface DMZ
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm-501.bin
no asdm history enable
arp timeout 14400
global (outside) 1 64.20.30.150-64.20.30.179
global (outside) 1 64.20.30.180
global (DMZ) 1 64.20.30.181
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,outside) tcp 64.20.30.131 smtp businessmail smtp netmask 255.255.255.255
static (Inside,outside) tcp 64.20.30.131 https businessmail https netmask 255.255.255.255
static (Inside,outside) tcp 64.20.30.131 444 businessmail 444 netmask 255.255.255.255
static (Inside,outside) udp 64.20.30.131 443 businessmail 443 netmask 255.255.255.255
static (Inside,outside) tcp 64.20.30.131 www businessmail www netmask 255.255.255.255
static (Inside,outside) tcp 64.20.30.131 citrix-ica citrix citrix-ica netmask 255.255.255.255
static (DMZ,outside) nspub ns netmask 255.255.255.255
static (Inside,outside) 64.20.30.140 techmail netmask 255.255.255.255
static (Inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Inside,outside) 64.20.30.142 192.168.1.62 netmask 255.255.255.255
static (DMZ,outside) 64.20.30.147 192.168.69.50 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.20.30.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 2000
inspect ftp
inspect pptp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect rtsp
inspect sip
inspect skinny
inspect icmp
inspect icmp error
!
service-policy global_policy global
10-12-2005 05:05 PM
hi,
try collecting some logs (debug level if possible) for the particular sessions.
try disabling fixup protocols.
try to capture traffic on the inside and outside interfaces and match it.
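One way to do the inside/outside capture matching the reply suggests, as an added example that is not from this thread: the capture lines below are constructed in the style of ASA "show capture" output and the parser assumes that simplified line format; 203.0.113.10 is a documentation address standing in for the remote terminal server, and 64.20.30.150 is the PAT address the config's global pool would hand out.

```python
import re
from collections import Counter

# Constructed sample lines in the style of ASA "show capture" output (assumed
# format "N: HH:MM:SS.us SRC.PORT > DST.PORT: FLAGS ..."); 203.0.113.10 is a
# documentation address standing in for the remote terminal server.
INSIDE_CAPTURE = """\
1: 13:01:02.100 192.168.1.50.1034 > 203.0.113.10.3389: S 10:10(0) win 65535
2: 13:01:02.150 203.0.113.10.3389 > 192.168.1.50.1034: S 20:20(0) ack 11 win 8192
3: 13:01:02.200 192.168.1.50.1034 > 203.0.113.10.3389: P 11:30(19) ack 21 win 65535
"""
OUTSIDE_CAPTURE = """\
1: 13:01:02.101 64.20.30.150.1034 > 203.0.113.10.3389: S 10:10(0) win 65535
2: 13:01:02.149 203.0.113.10.3389 > 64.20.30.150.1034: S 20:20(0) ack 11 win 8192
3: 13:01:02.201 64.20.30.150.1034 > 203.0.113.10.3389: P 11:30(19) ack 21 win 65535
4: 13:01:02.400 203.0.113.10.3389 > 64.20.30.150.1034: P 21:60(39) ack 30 win 8192
"""

LINE_RE = re.compile(
    r"^\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def tally(capture, service_port):
    """Packets per remote server, split by direction. The client address is
    PAT'd between interfaces, so keying on the server endpoint is what lets the
    two captures be compared."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or a line the simplified pattern does not cover
        if int(m["dport"]) == service_port:
            counts[(m["dst"], "to_server")] += 1
        elif int(m["sport"]) == service_port:
            counts[(m["src"], "from_server")] += 1
    return counts

def compare_captures(inside, outside, service_port=3389):
    """Per server: (inside, outside) packet counts in each direction and a flag
    set when the outside interface saw server replies the inside never did."""
    ins, outs = tally(inside, service_port), tally(outside, service_port)
    report = {}
    for srv in sorted({s for s, _ in (*ins, *outs)}):
        in_from, out_from = ins[(srv, "from_server")], outs[(srv, "from_server")]
        report[srv] = {
            "to_server": (ins[(srv, "to_server")], outs[(srv, "to_server")]),
            "from_server": (in_from, out_from),
            "return_dropped": out_from > in_from,
        }
    return report
```

A server whose `from_server` count is higher on the outside than on the inside is one where the ASA received return traffic but did not forward it, which narrows the search to the firewall (inspection, xlate/conn state, or the outside ACL) rather than the path beyond it.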