ASA 9 Port forwarding problem

Ivan Kurguzov — Tue, 12 Mar 2019 04:49:33 GMT

Hello.

Need help.

There is a simple task - to publish port #3389 to the Internet (through the outside interface and address 195.xxx.). The port belongs to a host on the internal network (192.168.00/23).

Equipment - ASA 5510 9.0 (1)

Here are the contents of the config:

object network 1921681222
host 192.168.1.222

object service rdp
service tcp destination eq 3389

object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_11rw
network-object object 192168010
network-object object 19216806
network-object object 192168012
network-object object 1921681222
access-list INSIDE_access_in extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_11 any
access-list OUTSIDE1_access_in_1 extended permit object rdp any object 1921681222
object network 1921681222
nat (INSIDE,OUTSIDE1) static interface service tcp 3389 3389

Results of Packet-tracer:

asaGW1# packet-tracer input OUTSIDE1 tcp 1.1.1.1 15678 195.112.112.116 3389

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 1921681222
nat (INSIDE,OUTSIDE1) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 195.112.112.116/3389 to 192.168.1.222/3389

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE1_access_in_1 in interface OUTSIDE1
access-list OUTSIDE1_access_in_1 extended permit object rdp any object 1921681222
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
<--- More --->

Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network 1921681222
nat (INSIDE,OUTSIDE1) static interface service tcp 3389 3389
<--- More --->

Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 63185, packet dispatched to next module

Result:
input-interface: OUTSIDE1
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow

The problem is that the packets do not reach the host. Wireshark on the host sees only ARP or ICMP packets. ASA is set as a default gateway on the host. Anti-virus and firewall are disabled.

What could cause the problem?

I suggest setting up a packet

Marius Gunnerud — Fri, 26 Sep 2014 10:31:19 GMT

I suggest setting up a packet capture between the two hosts on the outside interface and the inside interface. Then try to establish an RDP session to the local server and check the output of the packet capture. If you see the traffic entering the outside interface and leaving the inside interface but you see no return traffic then the issue is either on the network between the ASA and the server or the server is misconfigured. If you do not see the traffic entering the outside interface then there could be an issue with NAT or ACL.

https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios

Please remember to select a correct answer and rate helpful posts

topic I suggest setting up a packet in Network Security

ASA 9 Port forwarding problem

I suggest setting up a packet