topic Port forwarding problem in Network Security

Port forwarding problem

henry9876 — Mon, 11 Mar 2019 23:30:09 GMT

Hello all, looking for some assistance.

I am simply trying to grant RDP access from the outside Internet to an internal host -- 10.0.11.254 -- on the inside-2 network. The config below is edited, but I think I have all the relevant pieces in there.

Thanks for taking a look!

-----------------

: Saved

: Written by enable_15 at 20:17:55.312 UTC Wed Jul 11 2012

ASA Version 8.2(1)

name 170.1.1.1 WAN-IP

interface Vlan1

nameif inside

security-level 100

ip address 10.0.3.2 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address WAN-IP 255.255.255.248

interface Vlan3

nameif inside-2

security-level 100

ip address 10.0.11.2 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

switchport protected

speed 100

duplex full

interface Ethernet0/1

switchport protected

speed 100

duplex full

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

switchport access vlan 3

speed 100

duplex full

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service rdp tcp

description for port 3389

port-object eq 3389

access-list outside_rdp_in extended permit tcp any interface outside eq 3389

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (inside-2) 1 0.0.0.0 0.0.0.0

static (inside-2,outside) tcp interface 3389 10.0.11.254 3389 netmask 255.255.255.255

static (inside,inside-2) 10.0.3.0 10.0.3.0 netmask 255.255.255.0

static (inside-2,inside) 10.0.11.0 10.0.11.0 netmask 255.255.255.0

access-group outside_rdp_in in interface outside

route outside 0.0.0.0 0.0.0.0 170.1.1.2 1

dynamic-access-policy-record DfltAccessPolicy

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

prompt hostname context

: end

Port forwarding problem

Karsten Iwen — Thu, 12 Jul 2012 06:31:31 GMT

Your NAT and ACL is in place. That looks good. Pleas post the output of the following command:

packet-tracer input outside tcp 1.2.3.4 1234 170.1.1.1 3389

Re: Port forwarding problem

henry9876 — Thu, 12 Jul 2012 07:38:52 GMT

Thank you, Karsten.

NOTE: The address 170.1.1.1 is not actual address. For the packet-trace, I replaced with actual outside address and the output follows.

ciscoasa# packet-tracer input outside tcp 1.2.3.4 1234 17x.x.x.x 3389

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside-2,outside) tcp interface 3389 10.0.11.254 3389 netmask 255.255.255.255

match tcp inside-2 host 10.0.11.254 eq 3389 outside any

static translation to WAN-IP/3389

translate_hits = 0, untranslate_hits = 1

Additional Information:

NAT divert to egress interface inside-2

Untranslate WAN-IP/3389 to 10.0.11.254/3389 using netmask 255.255.255.255

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_rdp_in in interface outside

access-list outside_rdp_in extended permit tcp any interface outside eq 3389

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside-2,outside) tcp interface 3389 10.0.11.254 3389 netmask 255.255.255.255

match tcp inside-2 host 10.0.11.254 eq 3389 outside any

static translation to WAN-IP/3389

translate_hits = 0, untranslate_hits = 1

Additional Information:

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside-2,inside) inside-2-network inside-2-network netmask 255.255.255.0

match ip inside-2 inside-2-network 255.255.255.0 inside any

static translation to inside-2-network

translate_hits = 101, untranslate_hits = 249

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1556762, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside-2

output-status: up

output-line-status: up

Action: allow

Port forwarding problem

Jouni Forss — Thu, 12 Jul 2012 08:38:17 GMT

Hi,

Do you have somekind of LAN to LAN VPN configurations on the ASA or why is the packet-tracer giving a Phase for VPN also?

- Jouni

Re: Port forwarding problem

henry9876 — Thu, 12 Jul 2012 16:29:40 GMT

Yes, there are several LAN-to-LAN VPN tunnels. I cut those out of the posted config because I thought it wasn't relevant and it has a lot of public IPs + other revealing info.

I can edit and post it if you feel that it would be helpful.

I have some suspicion that the RDP request from outside is not even getting to the ASA. There is a "gateway" from our cable internet provider in front of the ASA, which might be doing some filtering. I will check that.