Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
972
Views
0
Helpful
4
Replies

ASA 5505 won't pass ports through fw/NAT

Scott Quinn
Level 1
Level 1

‎11-16-2011 06:54 PM - edited ‎03-11-2019 02:52 PM

We're trying to get a remote access setup for someone who needs to have access from offsite. To make things easy we set it up with a virtual machine running Windows 7 and RDP. Because the "other end" isn't our computer and we've had some difficulties with people using the Cisco VPN client successfully, we were just going to set up a machine as a RDP Gateway and forward the port through the firewall (WebVPN might be nice, but the plugins only do RDP through v5.x). I've tried this on 8.4-1 and after reinstalling the latest 8.2, and supposedly the NAT works and there is a firewall rule allowing access from the outside to the RD-GW server on HTTPS, but the ASA is still blocking those packets. I've looked at 4 howtos and followed them, trying from the console and from ADSM (and one trashed the whole setup, probably related to the reinstall of 8.2) - what am I doing wrong?

Thank you!

Config:

Result of the command: "show config"

: Saved
: Written by enable_15 at 02:42:50.752 UTC Thu Nov 17 2011
!
ASA Version 8.4(2)
!
hostname g(...)

domain-name vinemapleplace.org
enable password (...) encrypted
passwd (...) encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.10.100.2 255.255.255.248
!
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.87.69.146
domain-name vinemapleplace.org
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VMP-RA1
host 192.168.0.a
description VMP-RA1 INSIDE
object network VMP-RA1P
host 173.10.b.c
description VMP-RA3 OUTSIDE
object network mail.vinemapleplace.org
host 207.97.d.e
description mail server at CWW
object network VMPDC2
host 192.168.0.f
description Secondary DC/Remote Access Gateway
object network VMPDC2P
host 173.10.g.h
description VMPDC2 public IP
object-group service RDP tcp
description MS RDP service
port-object eq 3389
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_2 tcp
port-object eq imap4
port-object eq pop2
port-object eq pop3
port-object eq smtp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access extended permit tcp any object VMPDC2 eq https
access-list outside_access extended permit tcp any object VMP-RA1 object-group RDP inactive
access-list inside_access_in remark DNS
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in remark FTP
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit tcp any any eq hostname
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit tcp any any eq ssh
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit object-group TCPUDP any any eq echo
access-list inside_access_in extended permit udp any any eq nameserver
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit tcp any object mail.vinemapleplace.org object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit tcp any any object-group RDP
access-list inside_access_in extended permit ip any any inactive
access-list global_access extended permit tcp any object VMP-RA1 object-group RDP inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network VMP-RA1
nat (inside,outside) static VMP-RA1P
object network VMPDC2
nat (inside,outside) static VMPDC2P service tcp https https
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access in interface outside
access-group global_access global
!
router rip
!
route outside 0.0.0.0 0.0.0.0 173.10.h.i 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VMP_Users protocol ldap
aaa-server VMP_Users (inside) host 192.168.0.j
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca (...)
  quit
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:(...)

Labels:
0 Helpful
4 Replies 4

Maykol Rojas
Cisco Employee
Cisco Employee

‎11-16-2011 07:10 PM

The first nat rule is actually taking all over the NAT configuration. Try with a more specific one and that is first than the regular PAT.

Try this,

nat (inside,outside) source static VMP-RA1 VMP-RA1P

That will translate RA1 to RA1P, so the outside users should access RAIP to get to the host RA1.

Let me know.

Mike

Mike
0 Helpful

Scott Quinn
Level 1
Level 1
In response to Maykol Rojas

‎11-16-2011 07:46 PM

I'm worried about getting rid of that first rule, because isn't that the one that allows the other inside users to share the NAT/PAT internet connection for their work (e-mail, web browsing, etc.)?

0 Helpful

Scott Quinn
Level 1
Level 1
In response to Scott Quinn

‎11-16-2011 08:13 PM

Got it to work - I was messing with the ASDM's "Public Servers" thing and somehow, though I wasn't able to get the direct-to-RDP thing to work, I was able to get the more secure RDP-gateway thing over HTTPS to work.

Still can't figure out exactly what I did differently this time...

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to Scott Quinn

‎11-16-2011 08:31 PM

Hi Scott,

Well, I did not say to remove that line, just to add the one that I put. The problem is that NAT is read from top to bottom, and the first line you have is the one for internet access (Regular PAT) no other NAT is going to take precedense.  The NAT config that I put will be located on the manual NAT section, so it will first hit that one (for that specific host) and then, the rest of the hosts are going to go with the regular PAT.

Mike

Mike
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card