cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


704
Views
0
Helpful
3
Replies
Highlighted
Beginner

Cisco ASA 5505 Simple PAT

Good morning you clever bunch,

Having a real issue here, am used to the Router\Switch CLI but been asked to set up an ASA 5505 8.4.

Quite simply I am trying to at least test out a static PAT from an external source to an internal server in a test environment and no matter whether I set it up as an auto-nat or a twice-nat whenever I run a packet tracer I end up with the same error. This is the packet-tracer I am running -

packet-trace input outside tcp 80.80.80.80 3389 10.240.0.10 3389

Phase: 5

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside,outside) source static server publicIP service RDP RDP

Additional Information:


Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Now I have a couple of questions initially. I have made the presumption that packet-tracer does not look at any external devices while running - as in as long as the ports are up it doesn't matter what is on the end of them for testing purposes? Is there anything I am missing?

I have this morning wiped the config and have simply set up the adapters, a default route and twice nat and am not sure why I keep getting the error. I am sure it is something very simple and I'm being a massive donut! Any help ios greatly appreciated as I've gotten quite stuck and feel like I have followed all the instructions online and just about trie everything.

Many thanks,

Sam - below is my running config


ASA Version 8.4(4)1
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.240.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 80.*.*.203 255.255.255.248
!
ftp mode passive
object network server
host 10.240.0.10
object network publicIP
host 80.*.*.37
object service RDP
service tcp source eq 3389
access-list ouside_in extended permit tcp any host 10.240.0.10 eq 3389
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server publicIP service RDP RDP
access-group ouside_in in interface outside
route outside 0.0.0.0 0.0.0.0 80.*.*.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e67c79a8361f7b6aa3a7dd549f85e818
: end

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Cisco ASA 5505 Simple PAT

Is that a correct public IP that you are using?

80.*.*.37 does not seem to be in the same subnet as 80.*.*.203/29

With the packet tracer, you would need to access it towards the public IP, not the private IP because from the outside host, it won't know about the private ip, hence you would need to use:

packet-trace input outside tcp 80.80.80.80 3389 80.*.*.37 3389

3 REPLIES 3
Cisco Employee

Cisco ASA 5505 Simple PAT

Is that a correct public IP that you are using?

80.*.*.37 does not seem to be in the same subnet as 80.*.*.203/29

With the packet tracer, you would need to access it towards the public IP, not the private IP because from the outside host, it won't know about the private ip, hence you would need to use:

packet-trace input outside tcp 80.80.80.80 3389 80.*.*.37 3389

Beginner

Cisco ASA 5505 Simple PAT

Hi Jennifer,

No I just changed that for testing purposes as I had tried everything I thought was correct to no avail.

You, Jennifer, are my new hero.... literally on the config side I was trying everything and was completely barking up the wrong tree! Every time I had set up packet tracer that way, you can understand my logic when it comes to the destination address, seeing as I had already specified the outside adapter, but it makes a lot more sense using the outside host. Flow is now running perfectly.

Many thanks.

Sam

Cisco Employee

Cisco ASA 5505 Simple PAT

Excellent.. great to hear all is running perfectly. Thanks for the update.