asa 5505 "deny src outside"; I keep knocking but I can't come in!

The log viewer is showing "Deny tcp src outside .... by access group "outside_access_in"", and believe me that was not my intent. Trying to test (pre client deployment) access to a MS terminal server via Remote Desktop Connection. It's the same syntax as my own old PIX, and then I let the ASDM 5.2 write it. Still no good.

(However, it is cool to see it build dynamic UDP connections and SSL handshakes in the log viewer even as the RDP fails.)

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit object-group TCPUDP any host 192.168.0.10 eq 3389
access-list inside_nat0_outbound extended permit ip any host 192.168.0.160
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool monica 192.168.0.160-192.168.0.170 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255 tcp 10 12 udp 10
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.22-192.168.0.149 inside
dhcpd enable inside
!

group-policy monica internal
group-policy monica attributes
 vpn-tunnel-protocol IPSec
username monica password Wl4I2obo2cOmbkKh encrypted privilege 0
username monica attributes
 vpn-group-policy monica
username arthur password hbSd69.iUWF6UyYi encrypted privilege 0
username arthur attributes
 vpn-group-policy monica
username user1 password C3qsSor2h2LUbmz2 encrypted privilege 0
username user1 attributes
 vpn-group-policy monica
username user2 password G1SInyx0A0./Dx3t encrypted privilege 0
username user2 attributes
 vpn-group-policy monica
tunnel-group monica type ipsec-ra
tunnel-group monica general-attributes
 address-pool monica
 default-group-policy monica
tunnel-group monica ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0e70e2aa5a33daedcb4092589594b6f4
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Reply to
barret bonden

Access lists get processed before NAT gets done. Your outside access list needs to reference your internal host by its public IP.

As you appear to only have a single IP (since you use dhcp), change the 'host 192.168.0.10' to 'any'.

Reply to
Walter Roberson
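As an added example (not part of the thread, not Cisco's text), here is the ordering Walter describes, written out against the posted 7.2(4) setup. On ASA releases before 8.3 an inbound ACL on the outside interface is evaluated against the packet as it arrives, before the static translation rewrites the destination, so the ACL has to match the address the packet actually carries on the wire. For a port-forward published with `static ... interface`, that is the outside interface address itself, which is what the `interface outside` keyword tracks even when DHCP changes it. The `static` and `access-group` lines come from the posted config; the packet-tracer source address and the 8.3-and-later lines are my assumptions, added to show how the same rule is written after the behaviour change.

```cisco
! Pre-8.3 (the poster's 7.2(4)): the ACL sees the packet BEFORE the static untranslates it.
! The port-forward publishes 192.168.0.10:3389 on the outside interface address:
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255

! Broken: matches the inside (post-NAT) address, which the outside ACL never sees, so the
! implicit deny fires and the log shows "Deny tcp src outside:... by access-group outside_access_in".
access-list outside_access_in extended permit tcp any host 192.168.0.10 eq 3389

! Working: match the translated address. "interface outside" follows the DHCP-assigned
! address, so no literal public IP has to be hard-coded.
no access-list outside_access_in extended permit tcp any host 192.168.0.10 eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-group outside_access_in in interface outside

! Check it without a client: packet-tracer (present from 7.2) reports which phase drops
! the packet. 203.0.113.5 is a constructed test source; <outside-ip> is the current
! address of the outside interface (show ip address outside).
packet-tracer input outside tcp 203.0.113.5 40000 <outside-ip> 3389
show access-list outside_access_in

! Assumed 8.3-and-later equivalent (not the poster's version): the order is reversed, the
! ACL matches the REAL (inside) address, and the static is written as a network object.
! object network RDP-SERVER
!  host 192.168.0.10
!  nat (inside,outside) static interface service tcp 3389 3389
! access-list outside_access_in extended permit tcp any object RDP-SERVER eq 3389
```

The `show access-list` hit counts are the quickest confirmation that the permit line is now the one matching. Note that `permit tcp any ... eq 3389` exposes RDP to every address on the Internet; for anything beyond a pre-deployment test, narrow the source to the addresses that need it, or reach the terminal server over the IPsec remote-access tunnel-group the same config already defines and drop the port-forward altogether.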

Thank you, as always. I play with PIX so infrequently that at each new one I'm rusty. I tried to configure the ASA with the ASDM and the Access Rules edit feature still seems counter-intuitive to me. I solved it just prior to reading your note by pasting in "access list outside_in permit tcp any interface outside eq 3389" from a prior install. Looks like I was running it backward in the ASDM.

As long as I have you: is there any way to copy a saved config from TFTP without it merging? Just a replacement copy? On all the Cisco docs I can find it looks like it just does a merge.

Reply to
barret bonden

Yes, that is probably a better solution than using 'any' as the destination.

On ASA, use the 'copy' command to copy tftp to the startup-config and then reboot.

Or copy tftp to something in the filesystem and then tell the ASA to boot from that file.

Sorry, I don't have a functional copy-and-paste in this particular access mode, but google site:cisco.com asa startup configuration and the first hit shows how it is done.

Reply to
Walter Roberson
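As an added example (mine, not from the thread or from Cisco), the replace-rather-than-merge sequence Walter outlines. Copying a file onto `running-config` is what merges; copying it onto `startup-config` overwrites the stored configuration, and the reload then boots from it. The TFTP server address and file name are constructed placeholders.

```cisco
! Merges with what is already running (this is the behaviour the docs describe):
!   copy tftp://192.0.2.10/asa5505.cfg running-config

! Replaces: overwrite the stored startup configuration, then boot from it.
copy tftp://192.0.2.10/asa5505.cfg startup-config

! Confirm the stored copy is the file you sent before rebooting.
show startup-config

! Reload WITHOUT saving. If the ASA asks "System config has been modified. Save?",
! answer No: a Yes would write the old running-config back over the file just copied.
reload
```

Until the reload, `show running-config` still shows the old configuration; that is expected, since only the stored copy was replaced.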
