02-02-2017 11:10 AM - edited 03-12-2019 01:52 AM
Hi,
I can’t seem to get the below to work, so hopefully someone can help. The ASA has 4 live interfaces as below.
1. Outside (security 0)
2. Inside (one sub interface, security 100)
- inside_11_infrastructure
- - PAT’d to the outside interface (works)
3. Lab (with 2 sub interfaces, security 90 and security 80).
- Lab_13_LAN
- - PAT’d to the outside interface (works)
- Lab_14_DMZ
- - PAT’d to the outside interface (works)
The Lab interfaces are routable between each other, and this works correctly. The Lab subnets are not routable from the ‘inside’ network but I want RDP (3389) NAT’d to one of the inside hosts, and this is where something isn’t quite working. NAT and ACL config below, but please let me know if you need any more info.
NAT
nat (outside,inside_11_infrastructure) source dynamic ANYCONNECT_VPN_SUBNET interface
nat (inside_11_infrastructure,outside) source dynamic CC_11 interface
nat (Lab_13_LAN,outside) source dynamic LAN_13 interface
nat (Lab_14_DMZ,outside) source dynamic DMZ_14 interface
nat (Lab_13_LAN,inside_11_infrastructure) source dynamic LAN_13 interface # added as a test
nat (Lab_14_DMZ,inside_11_infrastructure) source dynamic DMZ_14 interface # added as a test
!
… # few other static NATs
object network LAB_ManagementPC
nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389
Access Lists
…
access-list DMZ_14_out extended permit tcp object DMZ_14 object LAN_13 eq https
access-list DMZ_14_out extended permit udp object DMZ_14 object LAN_13 eq domain
access-list DMZ_14_out extended permit udp object DMZ_14 object LAN_13 eq ntp
access-list DMZ_14_out extended permit icmp object DMZ_14 any
access-list LAN_13_out extended permit tcp object LAN_13 any eq https
access-list LAN_13_out extended permit tcp object LAN_13 any eq www
access-list LAN_13_out extended permit tcp object LAN_13 any eq ssh
access-list LAN_13_out extended permit udp object LAN_13 any eq domain
access-list LAN_13_out extended permit udp object LAN_13 any eq ntp
access-list LAN_13_out extended permit icmp object LAN_13 any
access-group inbound in interface outside
access-group LAN_13_out in interface Lab_13_LAN
access-group DMZ_14_out in interface Lab_14_DMZ
When I do a capture, while doing 'telnet ASA_inside_IP 3389', nothing comes up in the log.
Any help appreciated.
02-02-2017 12:05 PM
Where is the ACL for the inside_11_infrastructure interface?
You are using the interface IP which is already in use on the ASA and is most probably the default gateway for the inside_11_infrastructure network. For proxy ARP to work you need to configure NAT to an IP that is not in use and will not be used on the inside_11_infrastructure network, so that only the ASA will answer ARP requests.
--
Please remember to select a correct answer and rate helpful posts
02-02-2017 11:43 AM
To be clear, you are saying there is no routable path from the inside network to the lab networks? Can you change this?
02-02-2017 12:38 PM
Correct. I tried adding a static route to one host but it still doesn't work. I can then ping this host from the lab network which verifies the PAT working.
02-02-2017 01:00 PM
I had an any to any ACL in there as a test but it still didn't work. Anyway, the security levels of the interfaces should allow this traffic.
It's the default gateway for some devices, only a handful.
Do you suggest I add a second IP to the inside_11_infrastructure interface? How do I then reference this second IP in the NAT statement?
02-02-2017 01:19 PM
You don't add an IP to the interface. You just change the static NAT rule to translate to another IP on the same subnet as the inside_11_infrastructure.
Also run a packet tracer to see where it is stopping up.
packet-tracer input inside_11_infrastructure tcp <source IP> 12345 <destination IP> 3389
--
Please remember to select a correct answer and rate helpful posts
02-02-2017 01:44 PM
Alright, I'll give that a go and post back.
The packet trace was failing at an implicit ACL, that's when I tried adding the permit any to 11_infrastructure.
02-02-2017 02:10 PM
That works, config below. Can you explain to me why I can't use the ASA's interface IP?
Also, why wasn't I able to capture traffic for port 3389 on the ASA with the previous config? It was as if the traffic wasn't getting there at all, probably related to the first question :|
nat (Lab_13_LAN,inside_11_infrastructure) static x.x.x.251 service tcp 3389 3389
Thanks so much Marius, much appreciated!
02-02-2017 02:34 PM
Well, theoretically you could use the interface, but I like to keep things separate as I feel it will be easier to troubleshoot. The problem you had was that you had a dynamic NAT which is unidirectional, while static NAT is bidirectional. You didn't see anything in your capture because traffic is dropped before the capture is taken. You would however have seen it in the logs if you had the logging level set to informational or lower.
--
Please remember to select a correct answer and rate helpful posts
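The two things Marius raised in this thread (a static NAT mapped to an interface IP that other hosts use as their gateway, and the missing ACL on inside_11_infrastructure) are the kind of checks worth automating before running packet-tracer. The script below is an added example, not code from the thread or from Cisco: it parses the NAT and access-group lines from the original post (embedded as a constructed sample; the working rule's x.x.x.251 is the poster's redacted address, so the test substitutes a documentation address) and reports static rules that map to "interface" on a non-outside interface, plus any interface that is the mapped side of a static NAT but has no access-group applied. The regexes cover only the twice-NAT and object-NAT forms seen here, not full ASA syntax.

```python
import re
from dataclasses import dataclass

# Constructed sample: the NAT and access-group lines from the post above.
SAMPLE_CONFIG = """\
nat (outside,inside_11_infrastructure) source dynamic ANYCONNECT_VPN_SUBNET interface
nat (inside_11_infrastructure,outside) source dynamic CC_11 interface
nat (Lab_13_LAN,outside) source dynamic LAN_13 interface
nat (Lab_14_DMZ,outside) source dynamic DMZ_14 interface
object network LAB_ManagementPC
 nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389
access-group inbound in interface outside
access-group LAN_13_out in interface Lab_13_LAN
access-group DMZ_14_out in interface Lab_14_DMZ
"""

# "nat (real_if,mapped_if) <body>"  -- both twice NAT and object NAT start this way
NAT_RE = re.compile(r"^\s*nat\s+\((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?P<body>.*)$")
AG_RE = re.compile(r"^\s*access-group\s+(?P<acl>\S+)\s+in\s+interface\s+(?P<iface>\S+)")


@dataclass
class NatRule:
    line_no: int
    real_if: str
    mapped_if: str
    kind: str         # "static" or "dynamic"
    mapped_addr: str  # "interface", an IP, or an object name
    text: str


def parse_config(text):
    """Return (list of NatRule, {interface: acl_name}) from running-config text."""
    rules, acl_on = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        m = NAT_RE.match(line)
        if m:
            toks = m.group("body").split()
            if toks[0] == "source":
                # twice NAT: source dynamic|static REAL_OBJ MAPPED ...
                kind, mapped = toks[1], toks[3]
            else:
                # object NAT (under "object network"): dynamic|static MAPPED ...
                kind, mapped = toks[0], toks[1]
            rules.append(NatRule(n, m.group("real"), m.group("mapped"),
                                 kind, mapped, line.strip()))
            continue
        m = AG_RE.match(line)
        if m:
            acl_on[m.group("iface")] = m.group("acl")
    return rules, acl_on


def review(text, outside="outside"):
    """Return human-readable findings for the checks raised in the thread."""
    rules, acl_on = parse_config(text)
    findings = []
    for r in rules:
        # Static NAT onto an interface IP that the ASA already owns (and that
        # other hosts may use as their gateway): prefer a free address in the
        # mapped subnet so only the ASA answers ARP for it.
        if r.kind == "static" and r.mapped_addr == "interface" and r.mapped_if != outside:
            findings.append(
                f"line {r.line_no}: static NAT maps to the {r.mapped_if} interface IP; "
                f"consider a free address in that subnet so only the ASA answers ARP")
    # Mapped side of a static NAT with no access-group: traffic arriving there is
    # judged only by the implicit rules, which is where packet-tracer stopped.
    for iface in sorted({r.mapped_if for r in rules if r.kind == "static"}):
        if iface not in acl_on:
            findings.append(
                f"interface {iface}: no access-group applied; run "
                f"packet-tracer input {iface} tcp <src> 12345 <mapped-ip> 3389 "
                f"and permit the service explicitly if it drops at the implicit rule")
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_CONFIG):
        print(f)
```

Run it against `show running-config nat` plus `show running-config access-group` output; an empty result means neither of the two conditions from this thread is present, not that the NAT is correct.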
02-03-2017 12:10 AM
I still don't understand this, weren't both NAT's static?
nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389 (not working)
nat (Lab_13_LAN,inside_11_infrastructure) static x.x.x.251 service tcp 3389 3389 (working)
In terms of logging, I was using 'debugging' mode from ASDM, so I would've expected it to show up.
02-03-2017 12:40 AM
I am not entirely sure why it did not work. I would need to set this up in a lab to test it, and not sure when I will be able to do that.
--
Please remember to select a correct answer and rate helpful posts
02-03-2017 02:15 AM
No problem, thanks again for your help. I'm happy knowing I didn't do anything obvious wrong :)