12-09-2016 05:11 AM - edited 03-12-2019 01:38 AM
Hello.
I have the below problem that I am trying to solve. In an ASA cluster of two 5545-X I am trying to publish an internal server on the Internet using a different port from the one the service is listening on. In detail, I want external users to connect via RDP on port 65000, while the port on the internal server will be 3389. Although I've created a static port address translation on the object and also tried the same thing as an ordinary NAT statement, the connection cannot be established. If I change the respective access list and port address translation to use the same port (3389), it works fine. Is there something missing, or is the functionality not supported on an ASA cluster? Below are the commands that were used (public IPs are fake):
Commands not working
Static port address translation
access-list out-in line 1 extended permit object 65001 any object 172.31.255.4
nat (OUTSIDE,INSIDE) source static any any destination static 1.1.1.1 172.31.255.4 service 65001 3389
Object NAT port address translation
access-list out-in line 1 extended permit object 65001 any object 172.31.255.4
object network 172.31.255.4
nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 65001 3389
Commands working
Static port address translation
access-list out-in line 1 extended permit object 3389 any object 172.31.255.4
nat (OUTSIDE,INSIDE) source static any any destination static 1.1.1.1 172.31.255.4 service 3389 3389
Object NAT port address translation
access-list out-in line 1 extended permit object 3389 any object 172.31.255.4
object network 172.31.255.4
nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 3389 3389
Your help is much appreciated.
Thank you.
12-12-2016 02:07 AM
Hello,
The NAT syntax is incorrect, please modify as below:
object network 172.31.255.4
nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 3389 65001
HTH
-
AJ
12-21-2016 03:08 AM
Hello AJ
Thanks for your reply.
I've tested the configuration that you've posted but with no success.
12-21-2016 03:20 AM
Could you please attach a packet-tracer output for traffic being initiated from the WAN hitting the public IP address 1.1.1.1 on port 65001. Let's see where it drops.
-
AJ
12-21-2016 03:31 AM
Please find below the output. IPs are for reference.
packet-tracer input OUTSIDE tcp 2.2.2.2 1025 194.177.215.12$
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network ektathdc01.ektdom.local
nat (INSIDE,OUTSIDE) static EKT_ATHDCs_PAT service tcp 3389 65001
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 194.177.215.124/65001 to 172.16.0.100/3389
Phase: 2
Type: CLUSTER-EVENT
Subtype:
Result: ALLOW
Config:
Additional Information:
Input interface: 'OUTSIDE'
Flow type: NO FLOW
I (0) got initial, attempting ownership.
Phase: 3
Type: CLUSTER-EVENT
Subtype:
Result: ALLOW
Config:
Additional Information:
Input interface: 'OUTSIDE'
Flow type: NO FLOW
I (0) am becoming owner
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group out-in in interface OUTSIDE
access-list out-in extended deny ip any any log disable
Additional Information:
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Although it states that it is being denied by the out-in access list, there is a corresponding ACE on this ACL.
Thank you.
12-21-2016 03:53 AM
The good part is that NAT is happening the way we need it. Can you please make sure that we have the correct NAT statement or, if already present, make sure it's preferred over the . or add the below NAT and test:
access-list out-in line 1 extended permit tcp any host 172.31.255.4 eq 3389
-
AJ
12-21-2016 04:06 AM
I've tested the access list with 3389 as the destination port and left the object NAT statement with same number for real and mapped port (3389) and works. When I change the access list and the object NAT to support 65001 there is no connection.
12-21-2016 05:09 AM
Yes, that's expected. For inbound access, we need to open the access-list for the real IP (172.31.255.4) and real port 3389. It will not work for port 65001, which is the mapped port.
HTH
-
AJ
12-21-2016 05:16 AM
Still doesn't work. The config is currently the below:
object network 172.31.255.4
nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 3389 65001
access-list out-in line 1 extended permit tcp any host 172.31.255.4 eq 3389
It works only when I have the below:
object network 172.31.255.4
nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 3389 3389
access-list out-in line 1 extended permit tcp any host 172.31.255.4 eq 3389
Which is not what I want to achieve.
Thank you.
12-21-2016 05:20 AM
NAT is not a problem which is clear from packet-tracer output. The issue is access-list.
Could you please attach output of show run access-group and show run access-list out-in
HTH
-
AJ
12-21-2016 05:24 AM
Here is the abbreviated output of the show access-group
access-group out-in in interface OUTSIDE
and below is the abbreviated output of the show access-list out-in
access-list out-in extended permit tcp any host 172.31.255.4 eq 3389
Thank you.
12-21-2016 05:54 AM
It worked as you've suggested. It was a misconfiguration on my side.
From what I understand ASA (for inbound packets) first checks if there is any NAT statement that matches and then checks if there is an ACE.
While for the outbound is the reverse.
Thank you very much for your help and Merry Christmas!!!
12-21-2016 10:01 PM
Hello,
For both inbound and outbound connections, the destination NAT happens first and then the ACL is checked. Source NAT is performed after the ACL check.
Merry Christmas!!
-
AJ
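To make the order of operations AJ describes concrete, here is an added example (not code from the thread or from Cisco): a small Python model of how an ASA running 8.3+ handles an inbound connection. It replays the thread's own lines, the object NAT `static 1.1.1.1 service tcp 3389 65001` on object 172.31.255.4 and the two candidate ACEs, against a constructed inbound SYN to 1.1.1.1:65001. The destination is un-NATted first, and the interface ACL is then matched against the real IP and real port, so the ACE written for the mapped port 65001 never matches and the flow is dropped with acl-drop, exactly as in the packet-tracer output above. The class and function names are the example's own; the ACL model implements only the first-match and implicit-deny behaviour needed here, not the full extended-ACL grammar.

```python
"""Model of the ASA 8.3+ inbound order of operations: UN-NAT, then ACCESS-LIST.

Added example, not code from the forum thread or from Cisco. It uses the
NAT/ACL lines posted in the thread and a constructed inbound RDP SYN.
"""

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPat:
    """Object NAT: nat (INSIDE,OUTSIDE) static <mapped_ip> service tcp <real_port> <mapped_port>."""
    real_ip: str
    mapped_ip: str
    real_port: int
    mapped_port: int


@dataclass(frozen=True)
class Ace:
    """One extended ACE; 'any' matches every address, dport None means any destination port."""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.src in ("any", pkt.src_ip)
                and self.dst in ("any", pkt.dst_ip)
                and self.dport in (None, pkt.dst_port))


def un_nat(pkt: Packet, nat_rules: list[StaticPat]) -> tuple[Packet, Optional[StaticPat]]:
    """Phase UN-NAT: rewrite the mapped destination to the real IP/port (first matching rule wins)."""
    for rule in nat_rules:
        if pkt.proto == "tcp" and (pkt.dst_ip, pkt.dst_port) == (rule.mapped_ip, rule.mapped_port):
            return replace(pkt, dst_ip=rule.real_ip, dst_port=rule.real_port), rule
    return pkt, None


def acl_check(pkt: Packet, acl: list[Ace]) -> Ace:
    """Phase ACCESS-LIST: first matching ACE wins, with the implicit 'deny ip any any' at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace
    return Ace("deny", "ip", "any", "any")


def trace_inbound(pkt: Packet, nat_rules: list[StaticPat], acl: list[Ace]) -> tuple[str, list[str]]:
    """Return ('ALLOW' | 'DROP', phase log) in packet-tracer's UN-NAT -> ACCESS-LIST order.

    The ACL is deliberately evaluated on the un-NATted (real) packet, which is
    why an ACE that names the mapped port can never match inbound traffic.
    """
    log = []
    real_pkt, rule = un_nat(pkt, nat_rules)
    if rule is not None:
        log.append(f"UN-NAT: Untranslate {pkt.dst_ip}/{pkt.dst_port} to {real_pkt.dst_ip}/{real_pkt.dst_port}")
    else:
        log.append("UN-NAT: no static rule matched, destination left untranslated")
    ace = acl_check(real_pkt, acl)
    verdict = "ALLOW" if ace.action == "permit" else "DROP"
    port_txt = f" eq {ace.dport}" if ace.dport is not None else ""
    log.append(f"ACCESS-LIST: {verdict} by '{ace.action} {ace.proto} {ace.src} {ace.dst}{port_txt}'")
    if verdict == "DROP":
        log.append("Drop-reason: (acl-drop) Flow is denied by configured rule")
    return verdict, log


# The thread's object NAT line: nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 3389 65001
NAT_RULES = [StaticPat(real_ip="172.31.255.4", mapped_ip="1.1.1.1", real_port=3389, mapped_port=65001)]

# Constructed inbound SYN from an Internet host (2.2.2.2) to the published port.
INBOUND_RDP = Packet("tcp", "2.2.2.2", 1025, "1.1.1.1", 65001)

# The original, failing ACE: real IP but the MAPPED port 65001.
ACL_MAPPED_PORT = [Ace("permit", "tcp", "any", "172.31.255.4", 65001)]
# AJ's fix: access-list out-in extended permit tcp any host 172.31.255.4 eq 3389 (real IP, real port).
ACL_REAL_PORT = [Ace("permit", "tcp", "any", "172.31.255.4", 3389)]


def failing_config() -> str:
    return trace_inbound(INBOUND_RDP, NAT_RULES, ACL_MAPPED_PORT)[0]


def working_config() -> str:
    return trace_inbound(INBOUND_RDP, NAT_RULES, ACL_REAL_PORT)[0]


if __name__ == "__main__":
    for name, acl in (("ACE on mapped port 65001", ACL_MAPPED_PORT),
                      ("ACE on real port 3389", ACL_REAL_PORT)):
        verdict, log = trace_inbound(INBOUND_RDP, NAT_RULES, acl)
        print(f"{name}: {verdict}")
        for line in log:
            print("  " + line)
```

Running the script prints DROP for the ACE on port 65001 and ALLOW for the ACE on port 3389. The practical check on a real box is the same one AJ asked for: `packet-tracer input OUTSIDE tcp <src> <sport> <mapped-ip> <mapped-port>`, and confirm that the UN-NAT phase shows the expected real IP/port before reading the ACCESS-LIST phase.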