WAN failover and port mapping

Talal Abbas
Level 1

Hello,

I had an ASA5505 running OK with port mapping for a few servers from the outside interface to the inside to enable remote desktop.

I then added the commands necessary to enable WAN failover through another ISP. Once I had this running and tested OK, port mapping stopped working.

I have verified that I am still on the main ISP when we tried remote desktop (since I haven't added the necessary lines yet).

Attached is the current configuration (with WAN failover working but not port mapping). Just to confirm, I haven't made any changes to port mapping so it should still run if we are still on the main (old) ISP with no change in IP addressing.

Please help

regards,

Talal

1 Accepted Solution

Julio Carvajal
VIP Alumni

access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-group 101 in interface outside
access-group 101 in interface VSAT

If this is for RDP... It will not work,

You are just allowing some ICMP messages,

Change the ACLs as required and you should be fine

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I managed to fix this by allowing the port numbers associated with each virtual server.

An example would look like this:

access-list 101 extended permit tcp any host xxx.xxx.xxx.211 eq 10003

best regards,

Hello,

Exactly, that's what you were missing.

Any other question? Otherwise, mark the question as answered.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
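
An added example (not from the thread or from Cisco): a small Python check for the problem solved above, where the inbound ACL bound with access-group permits only ICMP, so TCP to the mapped ports is dropped. It reads ASA-style access-list and access-group lines and reports, per interface, whether a given host and port is permitted; the sample config and the 203.0.113.211 address are constructed, and object-groups, named ports and deny ordering are not handled.

```python
import ipaddress

# Constructed sample: the thread's ICMP-only ACL plus the permit from the fix.
# 203.0.113.211 is a stand-in for the masked xxx.xxx.xxx.211 address.
SAMPLE_CONFIG = """\
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit tcp any host 203.0.113.211 eq 10003
access-group 101 in interface outside
access-group 101 in interface VSAT
"""

def take_addr(tok):
    """Consume one address spec (any | host A | A MASK) from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}", strict=False)

def parse(config):
    """Return (ACL name -> permit entries, interface -> inbound ACL name)."""
    acls, bound = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 5 and tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
            bound[tok[4]] = tok[1]
        elif len(tok) >= 7 and tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            proto, rest = tok[4], tok[5:]
            take_addr(rest)                    # source address, unused here
            dst = take_addr(rest)
            if not rest:
                ports = None                   # no qualifier: every port
            elif rest[0] == "eq" and len(rest) == 2 and rest[1].isdigit():
                ports = int(rest[1])
            else:
                ports = -1                     # ICMP type, named port, range: not evaluated
            acls.setdefault(tok[1], []).append((proto, dst, ports))
    return acls, bound

def permitted(config, host, port, proto="tcp"):
    """Per interface: does its inbound ACL permit proto/port to host?
    Only permit entries are read; deny entries and rule order are ignored."""
    acls, bound = parse(config)
    ip = ipaddress.ip_address(host)
    return {iface: any(p in (proto, "ip") and ip in dst and ports in (None, port)
                       for p, dst, ports in acls.get(name, []))
            for iface, name in bound.items()}
```

Calling `permitted(SAMPLE_CONFIG, "203.0.113.211", 3389)` shows every interface as not permitted, which is the state the original poster was in for each port before adding its permit line.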