NAT issue on ASA 5510 8.2(4)

binoj.savariyar · ‎08-16-2011

Hi,

I am facing some issues on static NAT

after my IOS upgrade from 7.2(3)

I am getting some peculiar error

%ASA-6-302013: Built inbound TCP connection 654734 for dmz:172.19.19.141/27685 (172.19.19.141/27685) to inside:192.168.16.250/3389 (172.19.22.91/3389)

%ASA-6-302014: Teardown TCP connection 654734 for dmz:172.19.19.141/27685 to inside:192.168.16.250/3389 duration 0:00:00 bytes 0 TCP Reset-I

Configuration

static (inside,dmz) 172.19.22.91 192.168.16.250 netmask 255.255.255.255

access-group dmz_in in interface dmz

access-list dmz_in extended permit ip host 172.19.19.141 host 172.19.22.91

I am trying to access a machine in Inside from Dmz

interface Ethernet0/2

nameif dmz

security-level 50

interface Ethernet0/1

nameif inside

security-level 100

Mohammad Alhyari · ‎08-22-2011

Hi ,

your config looks fine , and the messages that you are seeing are normal , the first one the RDP connection is being established and the second one shows the connections is torn down because of a reset from the initiator .

you can use captures to see what exactly the client and the server are exchanging as follow :

access-list capdmz permit ip host [host in the dmz] host [ip address of the server on the dmz ]

access-list capdmz permit ip host [ip address of the server on the DMZ] host [host in the DMZ ]

cap capdmz access-list capdmz interface dmz

access-list capinside permit ip host [host in the DMZ] host [ip address of the server in the inside ]

access-list capinsdie permit ip host [ip address of the server in the inside] host [host in the dmz]

cap capinside access-list capinsdie interface inside

to show the captures :

show cap capdmz

show cap capinside

cheers!