04-02-2013 06:03 AM - edited 03-11-2019 06:22 PM
howdy all,
just want to confirm my configuration
scenario:
ASA5505 running 8.4(2)
customer has a /29 public IP allocation assigned to their connection from the ISP; let's, for example, say this is 1.2.3.0/29
1.2.3.1 - is the gateway address the ISP has issued
1.2.3.6 - is the public address configured on the outside interface of the ASA
customer wants to use one of the spare public IPs to do a static NAT to a device on the inside of the firewall
e.g. (PUBLIC IP) 1.2.3.5 ---> (PRIVATE IP) 192.168.1.20
I have configured the following on the ASA
!
object network STATIC-NAT
host 192.168.1.20
!
object network STATIC-NAT
nat (inside,outside) static 1.2.3.5
!
access-list ACL_INBOUND extended permit tcp any host 192.168.1.20 eq 3389
!
I then try to RDP to 1.2.3.5 on the standard port 3389 and the connection fails; however, if I check the access list I see the hitcnt increasing. I can also ping 192.168.1.20 from the firewall, so all appears well on the configuration side
ASA5505# show access-list ACL_INBOUND
access-list ACL_INBOUND line 2 extended permit tcp any host 192.168.1.20 eq 3389 (hitcnt=4) 0xb45bc99b
I just want to check my sanity to ensure my configuration is right before I ask the customer to check that remote access is enabled on the PC in question and that the Windows firewall is disabled etc.
thanks in advance.
04-02-2013 06:10 AM
Hi,
Your configurations seems fine.
Check the ASA logs while testing to see if the Teardown reason for the connections is "SYN Timeout". This would mean that the server either isn't replying to the TCP connection forming or its routing towards the connection opener isn't correct. Or perhaps the service isn't on or a software firewall is blocking the connection.
If you want to check some NAT configuration formats, then have a look at the NAT document I created
https://supportforums.cisco.com/docs/DOC-31116
If you want to go even further with your testing/troubleshooting you can always configure a Capture on the actual ASA, test the connection and confirm if ANY return traffic is seen from the server.
If you want help with configuring and viewing the capture, let me know. Hope this helps.
- Jouni
04-02-2013 07:12 AM
thank you for taking time to respond to my post; I have run a packet capture, omitting the real addresses
111.111.111.111 = is me coming from my public address
1.2.3.5 = is the public address of the static NAT
so it is getting to the correct destination; however, I do not understand how to interpret the output, and I will be grateful for any guidance
1: 11:37:57.839235 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
2: 11:37:58.941342 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
3: 11:38:00.045529 802.1Q vlan#2 P0 111.111.111.111.54609 > 31.2.3.5.3389: S 469416431:469416431(0) win 65535
4: 11:38:01.148368 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
5: 11:38:02.252779 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
6: 11:38:03.358379 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
7: 11:38:05.467367 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
8: 11:38:09.687266 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
9: 11:38:17.962093 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
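Reading the capture above by hand works for nine lines, but the same question (did the ASA ever see anything come back from the server?) comes up on much longer captures. The following is an added example, not code from the thread or from Cisco: it parses lines in the text format of `show capture` as quoted above, groups segments per client-to-server 4-tuple, and lists the flows where only client SYNs were seen. The sample input is constructed; the first three lines copy the format of the RDP attempt, and the 443 flow with a SYN-ACK is made up for contrast. The 802.1Q prefix and the `ack` wording are assumed from the quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the ASA "show capture" output quoted in the
# thread: the first flow is the one-sided RDP attempt (client SYNs, no reply),
# the second is a healthy handshake added here for contrast.
SAMPLE_CAPTURE = """\
1: 11:37:57.839235 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
2: 11:37:58.941342 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
3: 11:38:00.045529 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
4: 11:38:01.102000 802.1Q vlan#2 P0 111.111.111.111.54700 > 1.2.3.5.443: S 100:100(0) win 65535
5: 11:38:01.103500 802.1Q vlan#2 P0 1.2.3.5.443 > 111.111.111.111.54700: S 900:900(0) ack 101 win 8192
6: 11:38:01.104900 802.1Q vlan#2 P0 111.111.111.111.54700 > 1.2.3.5.443: . ack 901 win 65535
"""

LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"          # optional 802.1Q tag prefix
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>\S+)\s*(?P<rest>.*)$"
)


def parse_capture(text):
    """Parse capture lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "ts": m.group("ts"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "syn": "S" in m.group("flags"),
            "ack": m.group("rest").startswith("ack ") or " ack " in m.group("rest"),
        })
    return packets


def classify_flows(text):
    """Count bare SYNs, SYN-ACKs and other segments per client->server 4-tuple."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "other": 0})
    for p in parse_capture(text):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["syn"] and not p["ack"]:
            flows[fwd]["syn"] += 1            # client opening (or retrying) the handshake
        elif p["syn"] and p["ack"]:
            flows[rev]["synack"] += 1         # server answering: key by the client side
        else:
            key = rev if rev in flows else fwd
            flows[key]["other"] += 1
    return dict(flows)


def unanswered_syns(text):
    """Flows where the ASA saw only client SYNs: (client, cport, server, sport, syn_count)."""
    result = []
    for (c, cp, s, sp), counts in classify_flows(text).items():
        if counts["syn"] > 0 and counts["synack"] == 0:
            result.append((c, cp, s, sp, counts["syn"]))
    return sorted(result)


if __name__ == "__main__":
    for c, cp, s, sp, n in unanswered_syns(SAMPLE_CAPTURE):
        print(f"{c}:{cp} -> {s}:{sp}: {n} SYN(s) seen, no SYN-ACK from the server")
```

On the quoted capture this reports the single 54609 -> 3389 flow with repeated SYNs and no reply, which is the same conclusion Jouni draws below: the packets reach the ASA and are forwarded, but nothing comes back from the inside host. A capture taken on the inside interface with the same filter confirms whether the SYNs actually leave towards 192.168.1.20.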
04-02-2013 07:17 AM
Hi,
I am not good at reading the CLI format of the capture. I usually copy them as .pcap files to my computer and open with Wireshark.
But it seems to me that the firewall only sees TCP SYN packets from your host 111.111.111.111 but no reply from the server.
So it should show up in the firewall logs as "SYN Timeout" teardown for a TCP connection.
- Jouni
04-02-2013 07:23 AM
ah yes, seems you are spot-on correct
so it is the end machine at 192.168.1.20 which is not responding; I will speak to the client
%ASA-6-302014: Teardown TCP connection 1981550 for outside:111.111.111.111/54870 to inside:192.168.1.20/3389 duration 0:00:30 bytes 0 SYN Timeout
%ASA-7-609002: Teardown local-host inside:192.168.1.20 duration 0:00:30
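The `%ASA-6-302014` line above carries everything needed to tell "the firewall passed it and the host never answered" apart from a policy drop: the connection was built from outside to the real inside address (so NAT and the ACL were satisfied), it lived for the 30-second embryonic timeout, moved zero bytes, and was torn down with reason `SYN Timeout`. The following is an added example, not code from the thread or from Cisco, that parses 302014 teardown messages and counts zero-byte SYN Timeout teardowns per inside target. The sample log is constructed from the format of the quoted line; the `TCP FINs` entry and the second RDP attempt are made up for contrast.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %ASA-6-302014 format quoted in the thread;
# the two "SYN Timeout" entries model the RDP attempts, the third is a normal close.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 1981550 for outside:111.111.111.111/54870 to inside:192.168.1.20/3389 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1981561 for outside:111.111.111.111/54891 to inside:192.168.1.20/3389 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1981570 for outside:111.111.111.111/54900 to inside:192.168.1.30/443 duration 0:01:12 bytes 48213 TCP FINs
%ASA-7-609002: Teardown local-host inside:192.168.1.20 duration 0:00:30
"""

TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def parse_teardowns(text):
    """Return one dict per 302014 line; other message IDs (e.g. 609002) are ignored."""
    events = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        events.append({
            "id": int(m.group("id")),
            "src": (m.group("sif"), m.group("sip"), int(m.group("sport"))),
            "dst": (m.group("dif"), m.group("dip"), int(m.group("dport"))),
            "duration_s": int(m.group("h")) * 3600 + int(m.group("m")) * 60 + int(m.group("s")),
            "bytes": int(m.group("bytes")),
            "reason": m.group("reason"),
        })
    return events


def reason_counts(text):
    """How the connections in the log ended, by teardown reason."""
    return Counter(e["reason"] for e in parse_teardowns(text))


def syn_timeouts_by_target(text):
    """Count zero-byte SYN Timeout teardowns per (iface, ip, port) the ASA forwarded to.

    The ASA built the connection (NAT and ACL passed) and nothing ever came back,
    so this pattern points at the inside host or its routing, not the firewall policy."""
    counts = Counter()
    for e in parse_teardowns(text):
        if e["reason"] == "SYN Timeout" and e["bytes"] == 0:
            counts[e["dst"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for (iface, ip, port), n in syn_timeouts_by_target(SAMPLE_LOG).items():
        print(f"{iface}:{ip}/{port}: {n} connection(s) built but never answered (SYN Timeout)")
```

Run against a real syslog export, the per-target count is a quick way to see whether only one inside host is affected (host-side problem, as here) or every static NAT target is timing out (more likely a routing or default-gateway problem on the inside segment).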
04-02-2013 07:29 AM
Hi,
Would seem that the firewall doesn't in any way block the connection.
You can use "packet-tracer" command to confirm the operation of the firewall rules/configuration
For example
packet-tracer input outside tcp 111.111.111.111 12345 1.2.3.5 3389
If there were actually some problem with the firewall configuration, this command should usually tell you what the problem is. Though it can be "a little" cryptic in some situations.
But as I said, it would seem that the problem with this connection is somewhere other than in the firewall configuration.
- Jouni