Configure an FTP server behind ASA 5505, need some sort of port forwarding

My company uses a Cisco ASA 5505 Adaptive Security Appliance, and I'm trying to set up an SFTP server which is accessible from the Internet.

Is it possible to simply configure port forwarding to my FTP port (4610) to the IP with the server, as I would on a simple Linksys router? Or I have to put in place a sort of demilitarized zone?

Any help would be greatly appreciated.

No, you do not necessarily have a demilitarized zone, inside works perfectly. I guess you want to use the ip address of the external interface of the ASA for this? If so, it would looks something like this. Where x.x.x.x is the ip address of the inside/private of the ftp server.

public static 4610 4610 netmask 255.255.255.255 x.x.x.x interface tcp (indoor, outdoor)

outside_access_in list extended access permit tcp any interface outside eq 4610

Access-group outside_access_in in interface outside

Tags: Cisco Security

Similar Questions

How to configure a FTP server and the web and integrate with 5.2 DMM

Hi all...

I need to set up an external server only for publishing content to reduce the overhead of the DMM server.

can someone guide me on how to configure the external server and it intergrate with the DMM 5.2

Thank you

semuthu,

Notes from the Release Notes:

Limitations of compatibility with Microsoft Internet Information Server (IIS)

DMP who use firmware version 5.2 is compatible with a single version of Microsoft Internet Information Server.

This supported version is IIS 6.0 for Windows 2003 Enterprise Edition. If you do not have the support for IIS version but

want your DMP to recover the assets of a Web server, we recommend that you use Apache instead of IIS.

I suggest to use Apache instead of IIS for the Web Server service. IIS can be used as FTP if necessary.

There are a lot of Documents on the Internet concerning the implementation of Apache and FTP servers.

Using Apache with Microsoft Windows

http://httpd.Apache.org/docs/2.0/platform/Windows.html

Quick HOWTO: Ch20: Apache Web Server

_ http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO: _Ch20_:_The_Apache_Web_Server

Once the Web server is configured and operational. You simply record your multimedia content on the Web server

and then have your DMS assets in the library using an external URL address for its location.

If you want to use the external server for other features in the DMM, you can see how to set up

here:

http://www.Cisco.com/en/us/partner/docs/video/digital_media_systems/5_x/5_1/DMM/user/guide/DSM+ETV.html#wp1073210

Goto the section just below the CNSC & WAAS...

If this answers your question, take the time to mark this

discussion answered & rate the answer.

Thank you!

T.

Configure the FTP server using the command line

After IIS FTP server on Vista (or XP) starts the "default FTP Site" has only "read permissions".
How can I set the FTP server to the CONTROL LINE HELP, to allow 'write' also.

I believe that access is denied is possible if,
the law is already assigned has.)
you do not have administrator rights (b.)

Anyway, you can avoid the prompt (Y/N) by the presence of echo on the batch file
echo y | Cacls filename /g username :permission

Refer to Microsoft KB on How to Use CACLS.EXE in a Batch File .

-----------------------------------------------------
Remember to Vote as helpful for others and accept the the proposed Answer if it is relevant to build KB in this Forum.

Need help with the port forwarding for a XBox remote Streaming

I have a router R6200v2 and need help with port forwarding.

I came across this set of instructions for setting up stream port forwarding XBox remotely from anywhere

http://kinkeadtech.com/2015/07/how-to-stream-Xbox-one-to-Windows-10-from-anywhere-with-Internet/

I have no idea when it comes to such things and I want to make sure I do it correctly without messing up my existing home network.

Port Forwarding and triggering Port pages setup look very different from what the guy uses. Can someone walk me through what I do to set up please?

Hi @varxtis,

You must enter them in the field for a start external Port and external completion Port. You will need to send individually except for the range of 49000-65000. The steps are as follows.

1. create a Service name (it could be something else that you cannot use the same service name twice. Ex. XBOX1, XBOX2 and so forth.)

2. Select the type of service (TCP, UDP or both)

3 entry 5050 times a start external Port and external endpoints.

4. Select the IP address of your XBOX.

5. Select apply.

6 do the same for other port numbers. To the beach, use 49000 for the external departure Port and for the external completion Port 65000.

Kind regards

Dexter

The community team

Realtek AC97 Audio Driver works on my map its microsoft? (under vista and need some sort of broad legalization of real-time system)

Vista and the need for a kind of wide equalization system in real time for audio... and this driver seems to provide what I need... but will it work on my microsoft Driver card hd audio? If it is not possible, then what program could I use for an equalizer?

Hello

What is the model number of your sound card?

The drivers are specific to a device. RealTek drivers don't work for its Microsoft Map, you must install the correct driver for your device package works very well.

For more information about the driver, see the links below

Updated a hardware driver that is not working properly

http://Windows.Microsoft.com/en-us/Windows-Vista/update-a-driver-for-hardware-that-isn ' t-work correctly

Update drivers: recommended links
http://Windows.Microsoft.com/en-us/Windows-Vista/update-drivers-recommended-links

Equalizer you can see link below, also look on the internet for software that can help you in this task.

Change bass, stereo, and other audio effects in Windows Media Player

http://Windows.Microsoft.com/en-us/Windows-Vista/change-bass-stereo-and-other-audio-effects-in-Windows-Media-Player

Note: Using third-party software, including hardware drivers can cause serious problems that may prevent your computer from starting properly. Microsoft cannot guarantee that problems resulting from the use of third-party software can be solved. Software using third party is at your own risk.

Ipsec/ipad ASA 5505 configuration

Hey had a few problems when configuring IPSEC/VPN on the asa 5505. I want to connect from the ipad with built in IPSec client...

Get these errors when I run the debug crypto isakmp

Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, username = Haq, IP = x.x.x.x, Tunnel rejected: conflicting protocols specified by tunnel-group and political group

Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, username = Haq, IP = x.x.x.x, fault QM WSF (P2 struct & 0xd5d5f3d8, mess id 0x295bc3a).

Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, username is Haq, IP = x.x.x.x, withdrawal homologous of correlator table failed, no match!

There are a lot of site-to-site vpn and ipsec vpn profiles configuration and these works very well... ?

Here is the config running sh run crypto:

Crypto ipsec transform-set of des-esp esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac 3DES-TRANS

mode crypto ipsec transform-set 3DES-TRANS transport

Crypto ipsec transform-set AES aes - esp esp-sha-hmac

Crypto ipsec transform-set esp-3des esp-md5-hmac 3des

Crypto ipsec transform-set esp-3des esp-sha-hmac IPAD-IPSEC

Crypto ipsec transform-set IPAD IPSEC transport mode

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic Plandent 10 set transform-set ESP-AES-128-SHA ESP-AES-256-SHA ESP-AES-128-MD5 ESP-AES-256-MD5 OF THE 3des 3DES-TRANS

Crypto dynamic-map Plandent 10 the duration value of security-association seconds 84600

cryptographic kilobytes 300000 of life of the set - the security of Plandent 10 of the dynamic-map association

set of 5 IPAD-card dynamic-map crypto IPAD-IPSEC transform-set

Crypto 5 IPAD-card dynamic-plan the duration value of security-association seconds 28800

cryptographic kilobytes 4608000 life of the set - the association of security of the IPAD-card dynamic-map 5

card crypto PD_VPN 10 corresponds to the address ToGoteborg

card crypto PD_VPN 10 set peer PixGoteborg

card crypto PD_VPN 10 the transform-set value OF

card crypto PD_VPN set 10 security-association life seconds 84600

card crypto PD_VPN 10 set security-association kilobytes of life 4608000

card crypto PD_VPN 20 corresponds to the address ToMalmo

card crypto PD_VPN 20 set peer PixMalmo

card crypto PD_VPN 20 the transform-set value OF

card crypto PD_VPN 20 defined security-association life seconds 84600

card crypto PD_VPN 20 set security-association kilobytes of life 4608000

card crypto PD_VPN 30 corresponds to the address ToPlanmeca

PD_VPN 30 value crypto map peer ASA_HKI ASA_HKI_BACKUP

PD_VPN 30 value transform-set AES crypto card

card crypto PD_VPN 30 defined security-association life seconds 86400

card crypto PD_VPN 30 set security-association kilobytes of life 4608000

card crypto PD_VPN 100-isakmp dynamic ipsec Plandent

PD_VPN interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 10

preshared authentication

aes encryption

sha hash

Group 2

lifetime 28800

crypto ISAKMP policy 30

preshared authentication

the Encryption

md5 hash

Group 2

life 86400

Anyone have tips and tricks on what may be the problem here, will be really appreciated

Thank you

Shane

Karsten, Shane,

Honestly thos MAY be from miconfig TG/GP, but I would check the full debugging of:

------

debugging cry isakmp 127

Debug aaa 100 Commons

-------

The reason for being quite a few questions, we saw some time where users were pushing class or group-AAA lock (which is the substitution of CLI).

M.

Rookie of the ASA 5505 - cannot ping remote site or vice versa

Hi, I am trying configure an ipsec to an ASA 5505 (8.4) for a Sophos UTM (9.2)

Internet, etc. is in place and accessible. IPSec tunnel is also but I can't pass the traffic through it.

I get this message in the logs:

August 5, 2014

22:38:52

81.111.111.156

82.222.222.38

Refuse the Protocol entering 50 CBC outdoor: 81.111.111.156 outside dst: 82.222.222.38

SITE has (ASA 5505) = 82.222.222.38
SITE B (UTM 9) = 81.111.111.156

Pointers would be good because it's the first time I tried this. Thank you.

Running config below:

ciscoasa hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
Description Internet Zen
nameif outside
security-level 0
Customer vpdn group PPPoE Zen
82.222.222.38 255.255.255.255 IP address pppoe setroute
!
boot system Disk0: / asa922 - k8.bin
passive FTP mode
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
Name-Server 8.8.8.8
network obj_any object
subnet 0.0.0.0 0.0.0.0
the object of MY - LAN network
subnet 192.168.1.0 255.255.255.0
the object of THIER-LAN network
192.168.30.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.30.0_24 object
192.168.30.0 subnet 255.255.255.0
network of the THIER_VPN object
Home 81.111.111.156
THIER VPN description
service of the Sophos_Admin object
Service tcp destination eq 4444
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-protocol esp
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-protocol esp
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-protocol esp
object-group service DM_INLINE_SERVICE_1
ICMP service object
area of service-object udp destination eq
service-object, object Sophos_Admin
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
ESP service object
object-group service DM_INLINE_SERVICE_2
ICMP service object
service-object, object Sophos_Admin
ESP service object
response to echo icmp service object
object-group service DM_INLINE_SERVICE_3
the purpose of the ip service
ESP service object
response to echo icmp service object
object-group service DM_INLINE_SERVICE_4
service-object, object Sophos_Admin
the purpose of the echo icmp message service
response to echo icmp service object
outside_cryptomap list extended access allow object-group DM_INLINE_PROTOCOL_3 MY - LAN LAN THIER object object
outside_cryptomap_1 list extended access allow object-group DM_INLINE_PROTOCOL_2 MY - LAN LAN THIER object object
inside_cryptomap list extended access allow THIER-LAN MY - LAN object object DM_INLINE_PROTOCOL_1 object-group
outside_access_out list extended access allowed object-group DM_INLINE_SERVICE_3 object THIER_VPN host 82.222.222.38
outside_access_out list extended access allow DM_INLINE_SERVICE_1 of object-group a
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 object THIER_VPN host 82.222.222.38
inside_access_out list extended access allow object-group DM_INLINE_SERVICE_4 MY - LAN LAN THIER object object
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 722.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
Access-group interface inside inside_access_out
Access-group outside_access_in in interface outside
Access-group outside_access_out outside interface
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 81.111.111.156
card crypto outside_map 1 set transform-set ESP-AES-128-SHA ikev1
outside_map map 1 set ikev2 proposal ipsec crypto AES
card crypto outside_map 2 match address outside_cryptomap_1
card crypto outside_map 2 set pfs
peer set card crypto outside_map 2 81.111.111.156
card crypto outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 2 set AES AES192 AES256 3DES ipsec-proposal ikev2
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2
FRP sha
second life 7800
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 7800
Telnet timeout 5
SSH enable ibou
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 30
SSH version 2
SSH group dh-Group1-sha1 key exchange
Console timeout 0
VPDN group Zen request dialout pppoe
VPDN group Zen localname [email protected] / * /
VPDN group Zen ppp authentication chap
VPDN username [email protected] / * / password * local store

dhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.36 inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
enable dynamic filters updater-customer
use of data Dynamics-based filters
smart filters enable external interface
interface of blacklist of decline in dynamic filters outside
WebVPN
AnyConnect essentials
internal GroupPolicy_81.111.111.156 group strategy
attributes of Group Policy GroupPolicy_81.111.111.156
Ikev1 VPN-tunnel-Protocol
JsE9Hv42G/zRUcG4 admin password user name encrypted privilege 15
username bob lTKS32e90Yo5l2L password / encrypted
tunnel-group 81.111.111.156 type ipsec-l2l
tunnel-group 81.111.111.156 General-attributes
Group - default policy - GroupPolicy_81.111.111.156
IPSec-attributes tunnel-group 81.111.111.156
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the dns dynamic-filter-snoop preset_dns_map
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
HPM topN enable
Cryptochecksum:9430c8a44d330d2b55f981274599a67e
: end
ciscoasa #.

Hello

Watching your sh crypto ipsec output... I can see packets are getting wrapped... average packets out of the peer 88.222.222.38 network and I do not see the package back from the site of the UTM 81.111.111.156 at the ASA... This means that the UTM Firewall either don't know the package or not able to get the return package... Exchange of routing is there... but you need to check LAN to another counterpart of site...

Please check the card encryption (it must match on both ends), NAT (exemption should be there @ both ends) and referral to the ends of the LAN...

I suggest you try with the crypto wthout specific port card... say source LAN to LAN with any port destination...

allow cryptomap to access extended list ip

Concerning

Knockaert

Concerning

Knockaert

Remote IPSec VPN - client Windows 7 and ASA 5505

Hello

I'm having trouble with configuring IPSec VPN with Cisco ASA 5505 and Windows 7 client native VPN remotely. My client PC Gets the VPN IP pool address and can access a remote network behind ASA, but then I lose my internet connection. I read that this should be a problem with the split tunneling, but I did as it says here and no luck.

Windows VPN Client settings, if I uncheck "use default gateway on remote network" I have an internet connection (given that the customer is using a local gateway), but then I can't ping remote network.

In the log, I see the warnings of this type:

TCP connection of disassembly 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0: 00:00 0 stream bytes is a loopback (cisco)

I have attached my configuration file (without configuring split tunneling, I tried). If you need additional newspapers, I'll send them right away.

Thank you for your help.

Petar Koraca

That's what you would have needed on versions 8.3 and earlier versions:

permit same-security-traffic intra-interface

Global 1 interface (outside)

NAT (outside) 1 192.168.150.0 255.255.255.0

However I see that you are running 8.4 so I think that all you need is this (I never did on 8.4 so it may not be accurate)

permit same-security-traffic intra-interface

network of the NETWORK_OBJ_192.168.150.0_24 object

dynamic NAT interface (outdoors, outdoor)

Give it a shot and let me know how it goes.

licenses for ASA 5505, site-to-site vpn

Hi, gang,

I've not worked on ASA for a few years, so a little rusty on the issuance of licenses. my client has 5 locations, a few computers at each location. 4 tunnels vpn site-to-site will be implemented, so that 1 Server @ main location of accounting is accessible from other. simple configuration. I wonder if I have to purchase additional licenses? This is the part number of the device that I'm aiming for:

ASA5505-BUN-K9
Cisco ASA 5505 Adaptive Security Appliance 8 ports Fast Ethernet Switch with 10 user licenses

Thank you!

Jonathan

Your license for the VPN is perfectly fine as the Base license supports 10 VPN-peers. The 10 user license is what could restrict more.

And if the 5505 is not yet bought, go directly to the ASA 5506 - X as the 5505 is a legacy device and will probably go little EOS.

PIX 501 to allow access to the ftp server

Hello

We have a public ip address of the pix 501 and the other, I want to access the ftp server on the internal network from the outside. I tried to configure the PDM by a static nat, which translate to the address of the FTP to the public address, but then none of the stations networks could out - how can I configure it?

I would also like to know what ports should I open on the acl for access to the ftp server.

Thank you, daguech

Yes, sorry... You must use the unique host for addresses command. The access list is applied to your external interface?

for example, the command would be:

Access-group acl_out in interface outside

Also, can you connect to the local ftp server behind a firewall?

How to accompany the IDS in ASA 5505 and 5520?

Dear All;

We have the following configuration of HW for the ASA 5505 and ASA 5520, we add the functionality of system of detection of Intrusion (IDS) to the two ASA. My question is: what are the modules required to support this function, and what is the deference between IPS and IDS, fact the same Module both the feature?

Part number:	Description	QTY.
ASA5505-BUN-K9	ASA 5505 appliance with SW 10 users, 8 ports, 3DES/AES	1
CON-SNT-AS5BUNK9	SMARTNET 8X5XNBD ASA5505-BUN-K9	1
SF-ASA5505 - 8.2 - K8	ASA 5505 Series Software v8.2	1
CAB-AC-C5	Power supply cord Type C5 U.S.	1
ASA5500-BA-K9	ASA 5500 license (3DES/AES) encryption	1
ASA5505-PWR-AC	ASA 5505 power adapter	1
ASA5505-SW-10	ASA 5505 10 user software license	1
SSC-WHITE	ASA 5505 hood SSC of the location empty	1
ASA-ANYCONN-CSD-K9	ASA 5500 AnyConnect Client + Cisco Security Office software	1

Part number:	Description	QTY.
ASA5520-BUN-K9	ASA 5520 appliance with SW HA, 4GE + 1FE, 3DES/AES	2
CON-SNT-AS2BUNK9	SMARTNET 8X5XNBD ASA5520 w/300 VPN Prs 4GE + 1FE3DES/AES	2
ASA5520-VPN-PL	ASA 5520 VPN over 750 IPsec User License (7.0 only)	2
ASA-VPN-CLNT-K9	Cisco VPN Client (Windows Solaris Linux Mac) software	2
SF - ASA - 8.2 - K8	ASA 5500 Series Software v8.2	2
CAB - ACU	Power supply cord (UK) C13 BS 1363 2.5 m	2
ASA-180W-PWR-AC	Power supply ASA 180W	2
ASA5500-BA-K9	ASA 5500 license (3DES/AES) encryption	2
ASA-ANYCONN-CSD-K9	ASA 5500 AnyConnect Client + Cisco Security Office software	2
SSM-WHITE	ASA/IPS SSM hood of the location	2

Thanks in advance.

Rashed Ward.

Okay, I was not quite correct in my first post.

These modules - modules only available for corresponding models of ASA.

They all can act as IPS (inline mode) or IDS ("Promiscuous" mode), depending on how you configure your policies.

When acting as IPS, ASA redirects all traffic through the module, then all the traffic is inspected and can be dropped inline if a signature is triggered.

When she acts as an ID, ASA a few exemplary traffic is the module for inspection, but the actual traffic is not affected by the module, as it's not inline in this case.

In addition, these modules can be both comdination. That is part of the traffic can be inspected "inline", when some other (more sensitive) traffic can be inspected in promiscuous mode.

To better understand, familiarize themselves with this link:

http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/modules_ips.html

FTP Server - Can´t access my account

Hello!
I bought the web-hosting with BC and my go daddy domain name. When I wrote my domain name (www.seassmokeproduction) on the browser, they redirect me to the site, but the domain change of http://seasmoketest.businesscatalyst.com/index.html , also I'm trying to connect to my account of catalyst but error. I don't know if the solution is related to the FTP server, but also I don't have the port number. Catalyst just sent me the Bill.
@

Hi Michelle,

You must update the record for the domain www and non www seasmokeproductions.com points to 54.246.209.93. Once you have done this, your name domain and then successfully solves your Business Catalyst site. More information on this can be found here: http://docs.businesscatalyst.com/user-manual#! e-to-your-site-using-an-external-dns-server /site-settings/site-domains/add-a-domain-nam

About connecting to your site via FTP, please see the following article: http://docs.businesscatalyst.com/user-manual#! /site-design/connecting-to-your-site-using-s ftp

See you soon.

The ASA with crossed VPN Port forwarding

Hello

I worked on a question for a while and I have managed to track down the issue, but I don't know how to solve the problem.

I have an ASA 5505 8.4 (7) running with a tunnel for incoming remote users anyconnect vpn. I also want to configure incoming Web server port forwarding.

The question seems to be traversed rule which stops incoming port forwarding:

NAT (outside, outside) NETWORK_OBJ_172.16.1.0_28 interface description dynamic source hairpin to natting users vpn on the external interface

When I disable the port forwarding will work perfectly (according to tracer packet that is).

I have attached the config to this post. I would appreciate any idea how to get the through VPN and the transfer to the incoming port working.

The config has been condensed to remove unneed config.

Thank you

Hello

What is the configuration commands, you use to put in place the static PAT (Port Forward)?

The problem is most likely order of the NAT configurations such as configuring NAT above in the upper part of the NAT configurations.

Configuring static PAT, that you could use to make it work would be

the SERVER object network

host

service object WWW

tcp source eq www service

NAT (server, on the outside) of the interface to the static SERVER 1 source WWW WWW service

The above assumes the source for the host interface is "Server" and the service that you want to PAT static TCP/80.

Note that we add the number '1' in the 'nat' command. This will add at the top. The same should be done for any other static PAT you configure you want for these VPN Clients.

Hope this helps

-Jouni

ASA 5505 cannot configure FTP and I tried almost everything

Not sure if my device is faulty or not, but I'm running on a base license and cannot establish an FTP connection for the life of me. Here is my config;

Thanks in advance...

ASA Version 7.2 (2)
!
ciscoasa hostname
domain default.domain.invalid
activate the encrypted password of TGFUt.AsMHJOyury
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
DNS server-group DefaultDNS
domain default.domain.invalid
access-list extended 100 permit tcp any host 192.168.1.110 eq ftp
access-list extended 100 permit tcp any host 192.168.1.110 eq ftp - data
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 522.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect
Timeout, uauth 0:05:00 absolute
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Telnet 192.168.1.0 255.255.255.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
dhcpd address 192.168.1.2 - 192.168.1.33 inside
dhcpd allow inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:641863a581e04222e46e2ab17a880147
: end

Where is the static nat translation, or configuration of port forwarding?

you have bellows acl lines, these access lists is not yet applied to the external interface of the firewall.

access-list extended 100 permit tcp any host 192.168.1.110 eq ftp
access-list extended 100 permit tcp any host 192.168.1.110 eq ftp - data

How the outside internet hosts are able to connect to a non-public such as the 192.168.1.110 IP address?

you need little things to fix in your configuration, your external interface is first attributed to dynamic ip for ISPS to provide the public IP seen in your config like:

interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute

Number 1- because we don't know what address IP of the ISP dynamically given the firewall, you must know what address is provided by the show on the asa show ip interface brief command line and take notes on the IP Vlan2... that Ip address will be the use of a single for hosts on the internet so you can connect to your FTP 192.168.1.110 server.

Number 2 - because you do not spared a public IP address to use a one-to-one translation NAT for your server ftp within a public IP to the outside address, you must use the keyword interface on your translation of static port and the real access list 100 for the firewall to allow this connection and sends the request to the server ftp inside.

public static tcp (indoor, outdoor) interface 192.168.1.110 ftp ftp netmask 255.255.255.255
public static tcp (indoor, outdoor) interface ftp - data 192.168.1.110 ftp - data netmask 255.255.255.255

Then re - configure acl 100 as below and apply it to the external interface

access-list extended 100 permit tcp any which interface outside eq ftp
access-list extended 100 permit tcp any which interface outside eq ftp_data

Access-group 100 in external interface

Finally, make sure you have your FTP server is running, don't forget not that from outside you will be using the public IP address you got output show ip interface brief , which will be the IP address that will be used to FTP from the outside to the inside.

Need help! ASA 5505 not PPTP passthrough to the Server internal

Hello:

Recently, I add a new Cisco ASA 5505 like Firewall of the company network. I found that the PPTP authentication has not obtained through internal Microsoft Server. Any help and answer are appriciated.

Please see my setup as below. Thank you!

ASA Version 8.4 (3)
!
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 172.29.8.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 177.164.222.140 255.255.255.248
!
passive FTP mode
clock timezone GMT 0
DNS server-group DefaultDNS
domain ABCtech.com
permit same-security-traffic inter-interface
network obj_any object
172.29.8.0 subnet 255.255.255.0
service object RDP
source eq 3389 tcp service
Orange network object
Home 172.29.8.151
network of the WAN_173_164_222_138 object
Home 177.164.222.138
SMTP service object
tcp source eq smtp service
service object PPTP
tcp source eq pptp service
service of the JT_WWW object
tcp source eq www service
service of the JT_HTTPS object
tcp source eq https service
network obj_lex object
172.29.88.0 subnet 255.255.255.0
network of offices of Lexington Description
network obj_HQ object
172.29.8.0 subnet 255.255.255.0
guava network object
Home 172.29.8.3
service object L2TP
Service udp source 1701 eq
Standard access list VPN_Tunnel_User allow 172.29.8.0 255.255.255.0
Standard access list VPN_Tunnel_User allow 172.29.88.0 255.255.255.0
inside_access_in list extended access permit icmp any one
inside_access_in tcp extended access list deny any any eq 135
inside_access_in tcp extended access list refuse any eq 135 everything
inside_access_in list extended access deny udp any what eq 135 everything
inside_access_in list extended access deny udp any any eq 135
inside_access_in tcp extended access list deny any any eq 1591
inside_access_in tcp extended access list refuse any eq 1591 everything
inside_access_in list extended access deny udp any eq which 1591 everything
inside_access_in list extended access deny udp any any eq 1591
inside_access_in tcp extended access list deny any any eq 1214
inside_access_in tcp extended access list refuse any eq 1214 all
inside_access_in list extended access deny udp any any eq 1214
inside_access_in list extended access deny udp any what eq 1214 all
inside_access_in of access allowed any ip an extended list
inside_access_in list extended access permit tcp any any eq www
inside_access_in list extended access permit tcp any eq www everything
outside_access_in list extended access permit icmp any one
outside_access_in list extended access permit tcp any host 177.164.222.138 eq 3389
outside_access_in list extended access permit tcp any host 177.164.222.138 eq smtp
outside_access_in list extended access permit tcp any host 177.164.222.138 eq pptp
outside_access_in list extended access permit tcp any host 177.164.222.138 eq www
outside_access_in list extended access permit tcp any host 177.164.222.138 eq https
outside_access_in list extended access allowed grateful if any host 177.164.222.138
outside_access_in list extended access permit udp any host 177.164.222.138 eq 1701
outside_access_in of access allowed any ip an extended list
inside_access_out list extended access permit icmp any one
inside_access_out of access allowed any ip an extended list
access extensive list ip 172.29.8.0 outside_cryptomap allow 255.255.255.0 172.29.88.0 255.255.255.0
inside_in list extended access permit icmp any one
inside_in of access allowed any ip an extended list
inside_in list extended access udp allowed any any eq isakmp
inside_in list extended access udp allowed any isakmp eq everything
inside_in list extended access udp allowed a whole
inside_in list extended access permitted tcp a whole
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
local pool ABC_HQVPN_DHCP 172.29.8.210 - 172.29.8.230 255.255.255.0 IP mask
ICMP unreachable rate-limit 1 burst-size 1
enable ASDM history
ARP timeout 14400
NAT static orange interface (inside, outside) source RDP RDP service
NAT (inside, outside) source obj_HQ destination obj_HQ static static obj_lex obj_
Lex-route search
NAT guava Shared source (internal, external) WAN_173_164_222_138 service JT_WWW JT_WWW
NAT guava Shared source (internal, external) WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
NAT guava Shared source (internal, external) WAN_173_164_222_138 service RDP RDP
NAT guava Shared source (internal, external) WAN_173_164_222_138 SMTP SMTP service
NAT guava Shared source (internal, external) WAN_173_164_222_138 PPTP PPTP service
NAT guava Shared source (internal, external) WAN_173_164_222_138 service L2TP L2TP
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
inside_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
Route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server protocol nt guava
AAA-server host 172.29.8.3 guava (inside)
Timeout 15
guava auth - NT domain controller
identity of the user by default-domain LOCAL
Enable http server
http 172.29.8.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-md5-hmac Remote_VPN_Set ikev1
Crypto ipsec transform-set esp-3des esp-md5-hmac Remote_vpn_set ikev1
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto-map Dynamics 20 ikev1 transform-set Remote_VPN_Set set outside_dyn_map
Crypto-map dynamic outside_dyn_map 20 the value reverse-road
card crypto outside_map 1 match address outside_cryptomap
peer set card crypto outside_map 1 173.190.123.138
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA'RE
P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 43200
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet 192.168.1.0 255.255.255.0 inside
Telnet 172.29.8.0 255.255.255.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0

dhcpd auto_config off vpnclient-wins-override
!
dhcprelay Server 172.29.8.3 on the inside
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
internal ABCtech_VPN group strategy
attributes of Group Policy ABCtech_VPN
value of server DNS 172.29.8.3
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_Tunnel_User
value by default-field ABCtech.local
internal GroupPolicy_10.8.8.1 group strategy
attributes of Group Policy GroupPolicy_10.8.8.1
VPN-tunnel-Protocol ikev1, ikev2
name of user who encrypted password eicyrfJBrqOaxQvS
tunnel-group 10.8.8.1 type ipsec-l2l
tunnel-group 10.8.8.1 General-attributes
Group - default policy - GroupPolicy_10.8.8.1
IPSec-attributes tunnel-group 10.8.8.1
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
remotely IKEv2 authentication certificate
pre-shared-key authentication local IKEv2 *.
tunnel-group ABCtech type remote access
attributes global-tunnel-group ABCtech
address ABC_HQVPN_DHCP pool
authentication-server-group guava
Group Policy - by default-ABCtech_VPN
IPSec-attributes tunnel-group ABCtech
IKEv1 pre-shared-key *.
tunnel-group 173.190.123.138 type ipsec-l2l
tunnel-group 173.190.123.138 General-attributes
Group - default policy - GroupPolicy_10.8.8.1
IPSec-attributes tunnel-group 173.190.123.138
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
remotely IKEv2 authentication certificate
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
Policy-map global_policy
class inspection_default
inspect the pptp
inspect the ftp
inspect the netbios
!
172.29.8.3 SMTP server
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:6a26676668b742900360f924b4bc80de
: end

Hello Wayne,

The first thing I noticed

In the ACL you are pointing to the broad public while it should be to the private sector (YOU HAVE A PERMIT IP ANY ANY to the end, so it's not bad. FYI, if you decide to take this one any allowed ip address then you should point to private servers ip addresses)

Now, the policy where the PPTP inspection, etc., will be used is not applied to any service-policy so add:

global service-policy global_policy

Don't forget not just for a PPTP connection to get established we should see 2 things:

-Trading is done on the TCP 1723 port and then traded on Appreciate data packets.

Follow my blog for more information on this topic:

http://laguiadelnetworking.com/2012/12/22/what-is-new-on-the-PPTP-inspection-on-the-ASA/

Try and let me know

Julio

Configure an FTP server behind ASA 5505, need some sort of port forwarding

Similar Questions

Limitations of compatibility with Microsoft Internet Information Server (IIS)

Maybe you are looking for