topic Re: ASA Port Forwarding Issue in Network Security

ASA Port Forwarding Issue

robert3kennedy — Thu, 02 Jan 2020 15:00:11 GMT

Hi, Im looking for a bit of assistance, Im pretty sure im making a silly mistake somewhere. I am trying to allow port 3389 through ASA to a host for RDP. I will eventually tie it down so it can only be accessed from one location.

ASA Version 9.8(2)38

ASDM Version 7.8(1)

Screenshots of NAT and ACL rules attached. It is failing the packet tracer on the ASA at the NAT section.

Any help appreciated.

Thanks

Re: ASA Port Forwarding Issue

robert3kennedy — Thu, 02 Jan 2020 15:00:37 GMT

Re: ASA Port Forwarding Issue

Karsten Iwen — Thu, 02 Jan 2020 16:26:47 GMT

The ACL-picture does not show the relevant part. Did you use the internal Host as the destination in your ACL? That is what has to be done. And what is the output of packet-tracer? "it fails" is not a problem-description. It could be the wrong order of NAT-statements, but you also don't show them. Hard to help without this information...

Re: ASA Port Forwarding Issue

robert3kennedy — Fri, 03 Jan 2020 10:02:24 GMT

Sorry about that, Too quick editing screencaps, New ones below, as well as the relevant lines from show run

object service RDP
service tcp destination eq 3389
description RDP
object network RDP_HOST
host 192.168.50.50
access-list OUTSIDE_access_in extended permit object RDP any object RDP_HOST

object network RDP_HOST
nat (INSIDE,OUTSIDE) static interface service tcp 3389 3389
!

Re: ASA Port Forwarding Issue

Karsten Iwen — Fri, 03 Jan 2020 10:51:18 GMT

At least the config looks fine. What is your packet-tracer command? Did you also test real traffic? Perhaps it is working but you only did a mistake in packet-tracer?

The correct packet-tracer command would be:

packet-tracer input OUTSIDE tcp 1.2.3.4 1234 IP-OF-YOUR-OUTSIDE-INTERFACE 3389

Re: ASA Port Forwarding Issue

robert3kennedy — Fri, 03 Jan 2020 11:04:31 GMT

Hi, thanks for that. I thought I was doing something stupid. I ran the packet tracer through ASDM GUI in the example before. However the example below seems to be different

Result of the command: "packet-tracer input OUTSIDE tcp 192.168.50.50 3389 OUTSIDEINTERFACEIP 3389"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop OUTSIDEINTERFACEIP using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: ASA Port Forwarding Issue

Karsten Iwen — Fri, 03 Jan 2020 12:01:12 GMT

Again, your packet-tracer command is wrong. The source MUST be an IP that is located (based on the routing-table) on the outside interface. Because of that I always use 1.2.3.4 as the source.

Re: ASA Port Forwarding Issue

robert3kennedy — Fri, 03 Jan 2020 12:10:05 GMT

Apologies, and thanks again,

Result of the command: "packet-tracer input OUTSIDE tcp 1.2.3.4 1234 OUTSIDEIP 3389"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: ASA Port Forwarding Issue

Karsten Iwen — Fri, 03 Jan 2020 12:47:04 GMT

Again, something goes wrong here as the ASA thinks that the destination is also outside (should be the interface where the host 192.168.50.50 is located) and it does not match a NAT rule. Double-check the OUTSIDEIP in the packet-tracer.

Re: ASA Port Forwarding Issue

robert3kennedy — Fri, 03 Jan 2020 12:53:55 GMT

Forgive me if I’m mistaken here, should outsideip, not be the public address on the ASA, at least that’s what I took from the original description. If that’s the case, then it is.

Thanks

Re: ASA Port Forwarding Issue

Karsten Iwen — Fri, 03 Jan 2020 13:29:53 GMT

Yes, it has to be the IP of the outside interface of the ASA as that is the IP for which the translation is configured. But the output of the packet-tracer says it is not ...

Re: ASA Port Forwarding Issue

robert3kennedy — Fri, 03 Jan 2020 13:53:34 GMT

Hi, Thanks

In that case there must be another misconfiguration issue somewhere, as the command was definitely run using the public IP address of the ASA. I have run it again and got the same output, to check.

Re: ASA Port Forwarding Issue

robert3kennedy — Fri, 03 Jan 2020 14:05:13 GMT

Result of the command: "packet-tracer input OUTSIDE tcp 1.2.3.4 1234 x.x.x.x 3389"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: ASA Port Forwarding Issue

Karsten Iwen — Fri, 03 Jan 2020 14:56:27 GMT

Is your NAT-command still in the config or have you removed it accidentally?

Re: ASA Port Forwarding Issue

robert3kennedy — Fri, 03 Jan 2020 14:59:49 GMT

It is still there and I can see the XLATE in the table

Result of the command: "show xlate | i 192.168.50.50"

TCP PAT from any:192.168.50.50 3389-3389 to OUTSIDE:217.39.144.61 3389-3389

Re: ASA Port Forwarding Issue

Karsten Iwen — Fri, 03 Jan 2020 16:24:12 GMT

so the translation seems to be in place. But not in a way that corresponds to your above config. In your nat-statement you have

nat (INSIDE,OUTSIDE) ...

and the XLATE should read

TCP PAT from INSIDE:192.168.50.50 3389-3389 to OUTSIDE:217.39.144.61 3389-3389

And the packet-tracer should list the UN-NAT in Phase 2 (an example from my ASA):

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network WIN-SERVER
 nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 192.0.2.100/3389 to 10.1.1.21/3389

In this working scenario, my NAT-statement, XLATE, and packet-tracer-command are the following. Compare that to your config and testing:

object network WIN-SERVER
 host 10.1.1.21
object network WIN-SERVER
 nat (inside,outside) static interface service tcp 3389 3389

TCP PAT from inside:10.1.1.21 3389-3389 to outside:192.0.2.100 3389-3389

packet-tracer input outside tcp 1.2.3.4 1234 192.0.2.100 3389

Re: ASA Port Forwarding Issue

robert3kennedy — Fri, 03 Jan 2020 18:35:19 GMT

TCP PAT from INSIDE:192.168.50.50 3389-3389 to OUTSIDE:X.X.X.X 3389-3389

is now how the XLATE presents,

However, when running the packet trace, still no change, and no UN-NAT at phase 2

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Current relevant config

object service RDP
service tcp destination eq 3389
description RDP
object network RDP_HOST
host 192.168.50.50
!
object network RDP_HOST
nat (INSIDE,OUTSIDE) static interface service tcp 3389 3389