topic I am wondering if you need in Network Security

Cisco ASA 5515: Outside RDP to Server in DMZ

nsateam01 — Tue, 12 Mar 2019 07:55:47 GMT

Hello,

We have a Cisco ASA 5515 configured and in production today. We recently just added a DMZ and we have one server and a WLAN controller for guest Wifi internet access. Internet access from the server and guest wifi is up and working.

There is a need to allow RDP temporarily on the server and I have configured the ASA and cannot seem to get this to work. We have configured port forwarding before, so pretty familiar with the configuration. But I may be missing something here in the configurations on the ASA for the DMZ.

See attached pertinent configuration. I would think all this is right, but when i run a packet tracer I get this:

FLDC-VPN# packet-tracer input outside tcp 8.8.8.8 65000 17x.x.xx.xx 3389 det$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 17x.x.xx.xx using egress ifc outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

I would appreciate any help in isolating this issue and let me know if I missed something in the configuration that needs to be verified.

Again, this is a production device and everything is working in the but the RDP from outside at the moment.

Thanks,
Brandon

Hi,

Aditya Ganjoo — Wed, 22 Jun 2016 00:25:18 GMT

Hi,

Not sure what is the ASA version but can you check match the following bug symptoms:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuc28796/?reffering_site=dumpcr

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hello Aditya,

nsateam01 — Wed, 22 Jun 2016 15:04:33 GMT

Hello Aditya,

Thank you for the info. It looks like this bug does not apply as we have upgraded to 9.4 in our ASA.

-Brandon

I am wondering if you need

Richard Bradfield — Thu, 23 Jun 2016 07:18:35 GMT

I am wondering if you need "no-proxy-arp" in your nat statements

!
object network SERVER-41-RDP
 nat (DMZ,outside) static 17x.x.xx.XX  no-proxy-arp service tcp 3389 7900 
object network SERVER-41-HTTP
 nat (DMZ,outside) static 17x.x.xx.xx  no-proxy-arp service tcp www www 
object network SERVER-41-HTTPS
 nat (DMZ,outside) static 17x.x.xx.xx  no-proxy-arp service tcp https https
!

I had this same issue. The

jdsmith999 — Thu, 23 Jun 2016 16:04:02 GMT

I had this same issue. The problem was 2 different mapped IP addresses for the same inside host.

Internet <-> 1.1.1.1:25 <-> inside 10.10.10.10 port 25

Internet <-> 1.1.1.2:80 <-> inside 10.10.10.10 port 80

Internet <-> 1.1.1.2:443 <-> inside 10.10.10.10 port 443

object network DMZ_Proxy_SMTP
host 10.10.10.10
nat (DMZ1,Outside) static 1.1.1.1 service tcp 1025 smtp

object network DMZ_Proxy_HTTP
host 10.10.10.10
nat (DMZ1,Outside) static 1.1.1.2 service tcp www www

object network DMZ_Proxy_HTTPS
host 10.10.10.10
nat (DMZ1,Outside) static 1.1.1.2 service tcp https https

nat (Inside,Outside) after-auto source dynamic REAL_IP Public_IP_1.1.1.2
nat (any,Outside) after-auto source dynamic any interface

The first static worked as expected. The reason being the bi-directional operation of the static NAT. The second, because it was a different outside mapped IP was not getting NAT'd to the same IP going out. That is where the statement :

nat (Inside,Outside) after-auto source dynamic REAL_IP Public_IP_1.1.1.2

comes in.

Hi,

Aditya Ganjoo — Thu, 23 Jun 2016 17:05:58 GMT

Hi,

Apologies as I missed this.

Could you try using a manual NAT statement on line 1 and test this connection:

nat (dmZ,out) 1 source static SERVER-41 SERVER-NAT service obj-3389 obj-7900 route-lookup

Regards,

Aditya

Please rate helpful posts and mark correct answers.