ASA 8.4(2) STATIC NAT question

howdy all,

just want to confirm my configuration

scenario:

ASA5505 running 8.4(2)

customer has a /29 public IP allocation assigned to their connection from the ISP; let's for example say this is 1.2.3.0/29

1.2.3.1 - is the gateway address the ISP has issued

1.2.3.6 - is the public address configured on the outside interface of the ASA

customer wants to use one of the spare public IPs to do a static NAT to a device on the inside of the firewall

e.g. (PUBLIC IP) 1.2.3.5 ---> (PRIVATE IP) 192.168.1.20

I have configured the following on the ASA

!

object network STATIC-NAT

host 192.168.1.20

!

object network STATIC-NAT

nat (inside,outside) static 1.2.3.5

!

access-list ACL_INBOUND extended permit tcp any host 192.168.1.20 eq 3389

!

I then try to RDP to 1.2.3.5 on the standard port 3389 and the connection fails; however, if I check the access list I see the hitcnt increasing. I can also ping 192.168.1.20 from the firewall, so all appears well on the configuration side.

ASA5505# show access-list ACL_INBOUND

access-list ACL_INBOUND line 2 extended permit tcp any host 192.168.1.20 eq 3389 (hitcnt=4) 0xb45bc99b

I just want to check my sanity to ensure my configuration is right before I ask the customer to check that remote access is enabled on the PC in question and that the Windows firewall is disabled, etc.

thanks in advance.



Jouni Forss
VIP Alumni

Hi,

Your configuration seems fine.

Check the ASA logs while testing to see if the Teardown reason for the connections is "SYN Timeout". This would mean that the server either isn't replying to the TCP connection attempt or its routing towards the connection opener isn't correct. Or perhaps the service isn't on or a software firewall is blocking the connection.

If you want to check some NAT configuration formats, then have a look at the NAT document I created

https://supportforums.cisco.com/docs/DOC-31116

If you want to go even further with your testing/troubleshooting you can always configure a Capture on the actual ASA, test the connection and confirm if ANY return traffic is seen from the server.

If you want help with configuring and viewing the capture, let me know. Hope this helps.

- Jouni

Thank you for taking time to respond to my post; I have run a packet capture, omitting the real addresses:

111.111.111.111 = is me coming from my public address

1.2.3.5 = is the public address of the static NAT

So it is getting to the correct destination; however, I do not understand how to interpret the output. I would be grateful for any guidance.

   1: 11:37:57.839235 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535

   2: 11:37:58.941342 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535

   3: 11:38:00.045529 802.1Q vlan#2 P0 111.111.111.111.54609 > 31.2.3.5.3389: S 469416431:469416431(0) win 65535

   4: 11:38:01.148368 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535

   5: 11:38:02.252779 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535

   6: 11:38:03.358379 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535

   7: 11:38:05.467367 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535

   8: 11:38:09.687266 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535

   9: 11:38:17.962093 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535

Hi,

I am not good at reading the CLI format of the capture. I usually copy them as .pcap files to my computer and open with Wireshark.

But it seems to me that the firewall only sees TCP SYN packets from your host 111.111.111.111 but no reply from the server.

So it should show up in the firewall logs as "SYN Timeout" teardown for a TCP connection.

- Jouni

Ah yes, seems you are spot on.

So it is the end machine at 192.168.1.20 which is not responding; I will speak to the client.

%ASA-6-302014: Teardown TCP connection 1981550 for outside:111.111.111.111/54870 to inside:192.168.1.20/3389 duration 0:00:30 bytes 0 SYN Timeout

%ASA-7-609002: Teardown local-host inside:192.168.1.20 duration 0:00:30
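The pattern Jouni describes (SYNs towards the translated address with nothing coming back, then a 302014 teardown with "SYN Timeout" and zero bytes) can be picked out of a capture dump and the syslog automatically. The following is an added example, not code from the thread or from Cisco; the sample capture and syslog lines are constructed to mirror the ones posted above, and the second syslog line is a made-up healthy connection for contrast.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the thread: repeated SYNs towards the
# translated address with no packet in the reverse direction.
CAPTURE = """\
1: 11:37:57.839235 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
2: 11:37:58.941342 802.1Q vlan#2 P0 111.111.111.111.54609 > 1.2.3.5.3389: S 469416431:469416431(0) win 65535
"""
# Constructed syslog: the thread's SYN Timeout teardown plus a made-up healthy
# connection (bytes > 0, closed by FINs) that must not be flagged.
SYSLOG = """\
%ASA-6-302014: Teardown TCP connection 1981550 for outside:111.111.111.111/54870 to inside:192.168.1.20/3389 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1981551 for outside:111.111.111.111/54871 to inside:192.168.1.20/443 duration 0:01:12 bytes 5120 TCP FINs
"""

CAP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection \d+ for "
    r"\w+:(\S+)/(\d+) to \w+:(\S+)/(\d+) duration (\S+) bytes (\d+) (.+)$"
)

def half_open_flows(capture_text):
    """Flows in a 'show capture' dump that carry only SYNs and never see a reply."""
    flags_by_flow = defaultdict(list)
    for line in capture_text.splitlines():
        m = CAP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            flags_by_flow[((src, sport), (dst, dport))].append(flags)
    return [
        (src, dst, len(flags))
        for (src, dst), flags in flags_by_flow.items()
        if all(f == "S" for f in flags) and (dst, src) not in flags_by_flow
    ]

def syn_timeouts(syslog_text):
    """Teardown records whose reason is 'SYN Timeout' with zero bytes transferred."""
    hits = []
    for line in syslog_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m and m.group(7) == "SYN Timeout" and m.group(6) == "0":
            hits.append({"src": f"{m.group(1)}:{m.group(2)}",
                         "dst": f"{m.group(3)}:{m.group(4)}",
                         "duration": m.group(5)})
    return hits

if __name__ == "__main__":
    for src, dst, n in half_open_flows(CAPTURE):
        print(f"{n} unanswered SYN(s) from {src} to {dst}")
    for t in syn_timeouts(SYSLOG):
        print(f"SYN Timeout: {t['src']} -> {t['dst']} after {t['duration']}")
```

A flow reported by both functions points past the ASA to the inside host or its routing, which is exactly the conclusion reached in this thread.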

Hi,

Would seem that the firewall doesn't in any way block the connection.

You can use "packet-tracer" command to confirm the operation of the firewall rules/configuration

For example

packet-tracer input outside tcp 111.111.111.111 12345 1.2.3.5 3389

If there would actually be some problem with some firewall configuration, this command should usually tell what the problem is. Though it can be "a little" cryptic in some situations.

But as I said it would seem that problem with this connection is somewhere else than in the firewall configurations.

- Jouni
