09-26-2014 03:23 AM - edited 03-11-2019 09:49 PM
Hello.
Need help.
There is a simple task - to publish port #3389 to the Internet (through the outside interface and address 195.xxx.). The port belongs to a host on the internal network (192.168.00/23).
Equipment - ASA 5510 9.0 (1)
Here are the contents of the config:
object network 1921681222
host 192.168.1.222
object service rdp
service tcp destination eq 3389
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_11
network-object object 192168010
network-object object 19216806
network-object object 192168012
network-object object 1921681222
access-list INSIDE_access_in extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_11 any
access-list OUTSIDE1_access_in_1 extended permit object rdp any object 1921681222
object network 1921681222
nat (INSIDE,OUTSIDE1) static interface service tcp 3389 3389
Results of Packet-tracer:
asaGW1# packet-tracer input OUTSIDE1 tcp 1.1.1.1 15678 195.112.112.116 3389
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 1921681222
nat (INSIDE,OUTSIDE1) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 195.112.112.116/3389 to 192.168.1.222/3389
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE1_access_in_1 in interface OUTSIDE1
access-list OUTSIDE1_access_in_1 extended permit object rdp any object 1921681222
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network 1921681222
nat (INSIDE,OUTSIDE1) static interface service tcp 3389 3389
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 63185, packet dispatched to next module
Result:
input-interface: OUTSIDE1
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
The problem is that the packets do not reach the host. Wireshark on the host sees only ARP or ICMP packets. The ASA is set as the default gateway on the host. Anti-virus and firewall are disabled.
What could cause the problem?
09-26-2014 03:31 AM
I suggest setting up a packet capture between the two hosts on the outside interface and the inside interface. Then try to establish an RDP session to the local server and check the output of the packet capture. If you see the traffic entering the outside interface and leaving the inside interface but you see no return traffic then the issue is either on the network between the ASA and the server or the server is misconfigured. If you do not see the traffic entering the outside interface then there could be an issue with NAT or ACL.
--
Please remember to select a correct answer and rate helpful posts
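The three checks the reply describes (traffic entering OUTSIDE1, traffic leaving INSIDE, return traffic from the server), written out as a small triage script over the two captures. This is an added example, not code from the thread or from Cisco; it assumes captures in the tcpdump-like text that `show capture` prints (the sample lines below are constructed) and uses the addresses from the original post.

```python
import re

# Addresses from the thread: public address on OUTSIDE1, RDP host on INSIDE.
PUBLIC_IP, SERVER_IP, RDP_PORT = "195.112.112.116", "192.168.1.222", 3389

# Captures of the kind the reply suggests (names are assumptions):
#   capture CAP_OUT interface OUTSIDE1 match tcp any host 195.112.112.116 eq 3389
#   capture CAP_IN  interface INSIDE   match tcp any host 192.168.1.222   eq 3389
# The text below is constructed for this example, not output from the poster's
# ASA: the SYN enters OUTSIDE1, leaves INSIDE un-NATed, and the server never answers.
OUTSIDE_CAPTURE = """\
1: 03:23:01.100001 1.1.1.1.15678 > 195.112.112.116.3389: S 100:100(0) win 8192
2: 03:23:04.100002 1.1.1.1.15678 > 195.112.112.116.3389: S 100:100(0) win 8192"""
INSIDE_CAPTURE = """\
1: 03:23:01.100101 1.1.1.1.15678 > 192.168.1.222.3389: S 100:100(0) win 8192
2: 03:23:04.100102 1.1.1.1.15678 > 192.168.1.222.3389: S 100:100(0) win 8192"""

PKT_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)")

def packets(capture):
    """Yield one dict per TCP line; 'synack' is a SYN that also carries an ACK."""
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m:
            p = m.groupdict()
            p["syn"] = "S" in p["flags"]
            p["synack"] = p["syn"] and ("." in p["flags"] or " ack " in line)
            yield p

def diagnose(outside_capture, inside_capture):
    """Apply the reply's decision tree to the two captures; returns a verdict code."""
    out, ins = list(packets(outside_capture)), list(packets(inside_capture))
    syn_in = any(p["syn"] and not p["synack"] and p["dst"] == PUBLIC_IP
                 and int(p["dport"]) == RDP_PORT for p in out)
    if not syn_in:
        return "NO_INGRESS"       # nothing reaches OUTSIDE1: upstream path, NAT or ACL
    forwarded = any(p["syn"] and not p["synack"] and p["dst"] == SERVER_IP
                    and int(p["dport"]) == RDP_PORT for p in ins)
    if not forwarded:
        return "NOT_FORWARDED"    # seen on OUTSIDE1 but never sent out INSIDE: NAT or ACL
    replied = any(p["synack"] and p["src"] == SERVER_IP
                  and int(p["sport"]) == RDP_PORT for p in ins)
    if not replied:
        return "NO_SERVER_REPLY"  # SYN left INSIDE, no SYN-ACK: LAN path or the server
    return "SERVER_REPLIES"       # server answers; look at the return path instead

if __name__ == "__main__":
    print(diagnose(OUTSIDE_CAPTURE, INSIDE_CAPTURE))  # NO_SERVER_REPLY
```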