topic Hello Karsten, in Network Security

Static NAT configuration on ASA5520 (8.4+)

paveldudaibm — Tue, 12 Mar 2019 07:52:40 GMT

Hello,

I'm trying to setup static NAT for inbound RDP traffic to several servers on the inside network but I have troubles to make it work.

My configuration is like:

interface Gi0/0

nameif Internet

security-level 10

ip address 192.168.1.2 255.255.255.128

interface Gi0/1

nameif someothernet

ip address 172.16.0.1 255.255.255.128

interface Gi0/2

nameif Serverdp

ip address 10.0.0.1 255.255.255.0

object network rdp-internal

host 10.0.0.10

nat (Serverdp,Internet) static 192.168.1.15 service tcp 3389 3389

access-list Inbound extended permit tcp any host 10.0.0.10 eq 3389

access-group Inbound in interface Internet

When I try to connect to 192.168.1.15:3389 I'm getting %ASA-6-110003 routing failed to locate next for for TCP from Internet:xxxxx to serverdp:10.0.0.10/3389

Am I missing some step in this configuration?

Thanks

Two things to check in your

Karsten Iwen — Mon, 13 Jun 2016 15:57:08 GMT

Two things to check in your config:

Is the routing to the internet correct?
Is there any NAT configured incorrectly in section 1 of the NAT-rules

Hello,

David Castro F. — Mon, 13 Jun 2016 16:18:19 GMT

Hello,

Can you please share the show run of this ASA, and according to the log the ASA is indeed dropping it,

This error occurs when the ASA tries to find the next hop on an interface routing table. Typically, this message is received when ASA has a translation (xlate) built to one interface and a route pointing out a different interface. Check for a misconfiguration on the NAT statements. Resolution of the misconfiguration may resolve the error.

Also afterwards taking captures on both interfaces will give us a better overview,

Please proceed to rate and mark as correct the helpful post!

Thanks,

David Castro,

Hello Karsten,

paveldudaibm — Tue, 14 Jun 2016 06:22:50 GMT

Hello Karsten,

yes the routing to internet works fine. I have few other dynamic rules on the other interface(s) and they works fine. Anyway I was able to get hands on one spare ASA device and replicate the configuration and it works so it seems that the problem is on the remote device or with the network connected to the Gi0/2 (unless it is some kind of bug on that particular ASA dev). I'm working remotely and customer says everything is fine on their end and all servers on network behind the ASA are configured properly. I will ask them to test cables and connect some workstation to the port directly + do some packet tracing.

Did the other ASA run the

Karsten Iwen — Tue, 14 Jun 2016 07:23:04 GMT

Did the other ASA run the exact same version? There were changes in NAT-behavior in the past.

I still would expect the problem in the section1 of your NAT config.

Yes they are running same

paveldudaibm — Tue, 14 Jun 2016 10:34:44 GMT

Yes they are running same version so should not be affected by those changes which took place in 8.3+ if I recall correctly the version. I'm waiting for on-site support to check the cabling and network settings so let's see...

So the problem was really on

paveldudaibm — Thu, 07 Jul 2016 13:00:06 GMT

So the problem was really on the network behind the ASA not with the NAT rules :-).