ASA 8.3 port forwarding issue.

Computer-MOI
Level 1

We have an issue with port forwarding on ASA 8.3. Simply put, we want to access one local workstation on port 3389 from the Internet:

Workstation private IP: 10.1.1.15

Public IP which we set on ASA Vlan2: 90.149.70.133

Gateway: 90.149.70.129

ASA5505# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA5505
enable password PLJJV7fsaXArGQRU encrypted
passwd 2MOQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.17 255.255.224.0
!
interface Vlan2
nameif outside
security-level 0
ip address 90.149.70.133 255.255.255.240
!
interface Ethernet0/0
description connected to router 90.149.70.129
switchport access vlan 2
!
interface Ethernet0/1
description connected to 10.1.1.15
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
object network Workstation
host 10.1.1.15
access-list list1 extended permit tcp any any
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network Workstation
nat (inside,outside) static interface service tcp 3389 3389
access-group list1 in interface outside
route outside 0.0.0.0 0.0.0.0 90.149.70.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 60
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
Cryptochecksum:e643b0ac2da912ce04444eff720bf890
: end
ASA5505#

ASA5505# show nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Workstation interface service tcp 3389 3389
    translate_hits = 0, untranslate_hits = 6
ASA5505#

ASA5505# show xlate

1 in use, 1 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:10.1.1.15 3389-3389 to outside:90.149.70.133 3389-3389

    flags sr idle 0:07:47 timeout 0:00:00

ASA5505#


Here is the debug from ASA when we try to connect from the Internet:

%ASA-6-302013: Built inbound TCP connection 770 for outside:90.149.70.132/2525 (90.149.70.132/2525) to inside:10.1.1.15/3389 (90.149.70.133/3389)

%ASA-6-302014: Teardown TCP connection 770 for outside:90.149.70.132/2525 to inside:10.1.1.15/3389 duration 0:00:30 bytes 0 SYN Timeout
%ASA-7-609002: Teardown local-host outside:90.149.70.132 duration 0:00:30
%ASA-7-609002: Teardown local-host inside:10.1.1.15 duration 0:00:30

4 Replies

Jouni Forss
VIP Alumni

Hi,

Seems that the ASA lets the connection through just fine.

The TCP connection itself is terminated because of a SYN timeout. In other words, the computer on your LAN doesn't respond to the Remote Desktop connection at all.

Have you confirmed the local computer firewall settings and settings for the Remote Desktop connections?

- Jouni
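The reasoning in the reply above (a "Built" message followed by a teardown with "SYN Timeout" and "bytes 0" means the ASA let the packet through and the inside host never answered) can be automated over an ASA syslog feed. The following is an added example written for this page, not code from the thread or from Cisco: it pairs 302013/302014 messages by connection id and turns each pair into a verdict. The sample log is constructed from the two lines quoted in the post, plus one made-up healthy connection (id 771) for contrast.

```python
import re

# Constructed sample log: the two 302013/302014 lines quoted in the post above
# (connection 770), plus a constructed healthy connection (771) for contrast.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 770 for outside:90.149.70.132/2525 (90.149.70.132/2525) to inside:10.1.1.15/3389 (90.149.70.133/3389)
%ASA-6-302014: Teardown TCP connection 770 for outside:90.149.70.132/2525 to inside:10.1.1.15/3389 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 771 for outside:90.149.70.132/2526 (90.149.70.132/2526) to inside:10.1.1.15/3389 (90.149.70.133/3389)
%ASA-6-302014: Teardown TCP connection 771 for outside:90.149.70.132/2526 to inside:10.1.1.15/3389 duration 0:01:12 bytes 18452 TCP FINs
"""

# 302013: real addresses first, NAT-mapped addresses in parentheses.
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\((?P<msrc>[\d.]+)/(?P<msport>\d+)\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\((?P<mdst>[\d.]+)/(?P<mdport>\d+)\)"
)
# 302014: same connection id, plus duration, byte count and teardown reason.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_connections(log_text):
    """Pair Built (302013) and Teardown (302014) messages by connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.match(line)
        if m:
            c = m.groupdict()
            c.update(bytes=None, reason=None, duration=None)
            conns[int(c["id"])] = c
            continue
        m = TEARDOWN_RE.match(line)
        if m:
            cid = int(m.group("id"))
            c = conns.setdefault(cid, {"dir": None})
            c.update(src_if=m.group("src_if"), dst_if=m.group("dst_if"),
                     duration=m.group("dur"), bytes=int(m.group("bytes")),
                     reason=m.group("reason").strip())
    return conns


def diagnose(conn):
    """Turn one paired connection into a short verdict string."""
    if conn["reason"] is None:
        return "still open"
    if conn["reason"] == "SYN Timeout" and conn["bytes"] == 0:
        # "Built" proves the ACL and the NAT rule both matched; a SYN Timeout
        # with zero bytes means the ASA forwarded the SYN and never saw a
        # SYN/ACK come back. Look past the firewall on the destination side:
        # service not listening, host firewall, or the reply routed elsewhere.
        return f"no reply from {conn['dst_if']} host"
    if conn["bytes"] == 0:
        return f"closed without data ({conn['reason']})"
    return f"completed ({conn['reason']})"


def summarize(log_text):
    """Map connection id -> verdict, in id order."""
    return {cid: diagnose(c) for cid, c in sorted(parse_connections(log_text).items())}


if __name__ == "__main__":
    for cid, verdict in summarize(SAMPLE_LOG).items():
        print(f"conn {cid}: {verdict}")
```

Feed it `show logging` output or a syslog export and the 770-style entries stand out as "no reply from inside host", which rules out the ACL and the NAT rule before anyone touches the firewall configuration again.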

Thanks for your comments. Yes, our workstation's local firewall is disabled; I also tried it with a temporary laptop, but no luck!

Hello

Are you sure you are running the RDP service on the workstation, and that the subnet mask of the PC is 255.255.224.0 and the gateway is .17?

regards

Harish

Thank you very much, Mr. Harish. The local gateway on the workstation was the issue, since it was set to the default one; now I have to set a manual route on the workstation itself to communicate with the .17 firewall.
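The accepted answer comes down to the return path: the ASA holds the NAT state, so the workstation's SYN/ACK must go back through 10.1.1.17, and 10.1.1.17 must sit inside the mask the workstation believes it has. The following added example (written for this page; not the poster's, Harish's or Cisco's code) models the workstation's routing table with a longest-prefix-match lookup and checks both conditions against the addresses from the thread. The 10.1.1.1 "default" gateway, the 90.149.70.0/24 manual route and the /29 mask are constructed assumptions used to show the broken and fixed cases; the thread does not state the actual values.

```python
import ipaddress

# Values taken from the thread: ASA inside interface, the workstation, and the
# Internet client seen in the 302013 message.
ASA_INSIDE = ipaddress.ip_interface("10.1.1.17/255.255.224.0")
WORKSTATION = ipaddress.ip_interface("10.1.1.15/255.255.224.0")
REMOTE_CLIENT = ipaddress.ip_address("90.149.70.132")


def next_hop(routes, destination):
    """Longest-prefix match over (prefix, gateway) pairs; None if nothing matches."""
    best_net, best_gw = None, None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if destination in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, ipaddress.ip_address(gateway)
    return best_gw


def return_path_ok(routes, host=WORKSTATION, asa=ASA_INSIDE, client=REMOTE_CLIENT):
    """True when the host's SYN/ACK back to `client` is handed to the ASA's inside
    address and that address is on the host's own subnet (so ARP for it works).
    Any other next hop means the reply bypasses the firewall that holds the
    NAT state, and the ASA logs the connection as a SYN Timeout with 0 bytes."""
    gw = next_hop(routes, client)
    return gw is not None and gw == asa.ip and gw in host.network


# Constructed routing tables. 10.1.1.1 stands in for the "default" gateway the
# workstation was using; it is an assumption, not an address from the thread.
BROKEN_ROUTES = [("0.0.0.0/0", "10.1.1.1")]
# Fix 1, the poster's approach: keep the default, add a specific route via the
# ASA (the /24 prefix is assumed for the example).
MANUAL_ROUTE = [("0.0.0.0/0", "10.1.1.1"), ("90.149.70.0/24", "10.1.1.17")]
# Fix 2: make the ASA the default gateway outright.
ASA_DEFAULT = [("0.0.0.0/0", "10.1.1.17")]
# Wrong on a different axis: right gateway, but the host's own (assumed) mask
# 255.255.255.248 excludes it; 10.1.1.15/29 covers only 10.1.1.8-15.
MASK_MISMATCH_HOST = ipaddress.ip_interface("10.1.1.15/255.255.255.248")


if __name__ == "__main__":
    for name, table in [("broken", BROKEN_ROUTES), ("manual route", MANUAL_ROUTE),
                        ("asa default", ASA_DEFAULT)]:
        print(f"{name:13s} next hop {next_hop(table, REMOTE_CLIENT)} ok={return_path_ok(table)}")
    print("mask mismatch ok=", return_path_ok(ASA_DEFAULT, host=MASK_MISMATCH_HOST))
```

The check is deliberately stricter than "is the gateway reachable": a second router on the LAN can be a perfectly good default gateway for outbound browsing and still break every inbound NAT, because the reply to the Internet client never passes the device that created the translation.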
