09-07-2010 12:54 AM - edited 03-11-2019 11:35 AM
Hi,
I am facing some problem accessing one server in the DMZ from outside. Please see the attached file for the config.
I am using a public IP BBB.CCC.58.214 to access the server 10.204.18.201. Currently for testing purposes I am trying to RDP to this particular server. I have done all the necessary config to make this work. But due to some unknown issues it is not working. Even the access-list hit count for this particular IP is 0.
Need experts' comments.
Faizal
09-07-2010 04:40 AM
If the ACL hitcount is 0 that means that the traffic is not even coming into the ASA firewall.
I would suggest that you perform a "clear arp" on the next hop router, and/or reload the router, and also make sure that no other device is using the public IP address BBB.CCC.58.214.
If you have access to the next hop router, please make sure that the ARP entry for BBB.CCC.58.214 points towards the ASA outside interface MAC address.
Hope that helps.
09-07-2010 04:42 AM
Hello,
If the access-list hit count is "0", most likely it is an ISP issue. Please check with the ISP to make sure that the upstream router has the proper ARP entry (your outside interface MAC for that IP) and also that they are forwarding all packets for that IP to your ASA.
Regards,
NT
09-07-2010 09:46 AM
Hi,
While working this problem I made a change in the above config as below. This was done for testing.
Instead of the static NAT:
static (dmz,outside) tcp BBB.CCC.58.214 3389 10.204.18.201 3389 netmask 255.255.255.255
I made a change like:
static (dmz,outside) BBB.CCC.58.214 10.204.18.201 netmask 255.255.255.255
At this time ping was working. Will ISP issues make ping work?
Faizal
09-07-2010 10:25 AM
Hello,
Ping started working because the previous static statement only permitted port 3389 traffic through. The more general static statement allows the translation to occur on all ports, including ICMP. What the successful pings do show is that the translation is functioning correctly on the ASA. Most likely, the RDP packets are either being dropped before the firewall or the DMZ server isn't responding properly to the requests. To find out exactly what is going on, place a packet capture on the ASA. This will show you exactly where the RDP packets are being dropped, or whether they are making it to the firewall at all.
To configure the packet captures on the ASA:
! inbound RDP towards the public IP (outside) and the real server (dmz)
access-list capture permit tcp any host BBB.CCC.58.214 eq 3389
access-list capture permit tcp any host 10.204.18.201 eq 3389
! return traffic: the server answers from source port 3389, so the port
! operator goes after the source host, not after the destination
access-list capture permit tcp host BBB.CCC.58.214 eq 3389 any
access-list capture permit tcp host 10.204.18.201 eq 3389 any
capture out access-list capture interface outside
capture dmz access-list capture interface dmz
To view the captures:
show capture out
show capture dmz
Regards,
BK
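The two captures above answer the question "where do the RDP packets stop?" by comparing what the outside and dmz interfaces saw. The following script is an added example, not part of this thread or of any Cisco tool: it parses the tcpdump-style lines that "show capture" prints, looks for the SYN and SYN-ACK of the RDP handshake on each interface, and reports which of the four hops failed. The capture text, the client address 203.0.113.5 and the timestamps are constructed sample data; the ASA output format is approximated from the untagged form of "show capture" (no 802.1Q fields).

```python
import re
from dataclasses import dataclass

# One line of "show capture <name>" output looks like (constructed sample):
#   1: 12:03:45.123456 203.0.113.5.51234 > BBB.CCC.58.214.3389: S 1001:1001(0) win 8192 <mss 1460>
# Header/footer lines ("2 packets captured", "2 packets shown") are skipped.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"                       # sequence number and timestamp
    r"(?P<src>[\w.]+)\.(?P<sport>\d+)\s+>\s+"  # source host.port
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+):\s+"     # destination host.port
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$"        # tcpdump flag letters, then the rest
)


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def parse_capture(text):
    """Turn the text of one 'show capture' into a list of TCP segments."""
    segments = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        segments.append(Segment(
            m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            syn="S" in m["flags"],
            ack=re.search(r"\back\b", m["rest"]) is not None,
        ))
    return segments


def diagnose(outside_text, dmz_text, public_ip, server_ip, port=3389):
    """Classify where the handshake breaks; returns one of
    'upstream', 'asa_drop', 'server_silent', 'return_path', 'ok'."""
    out, dmz = parse_capture(outside_text), parse_capture(dmz_text)
    # The outside interface sees the public (translated) address, the dmz
    # interface sees the real server address.
    out_syn = any(s.dst == public_ip and s.dport == port and s.syn and not s.ack for s in out)
    dmz_syn = any(s.dst == server_ip and s.dport == port and s.syn and not s.ack for s in dmz)
    dmz_synack = any(s.src == server_ip and s.sport == port and s.syn and s.ack for s in dmz)
    out_synack = any(s.src == public_ip and s.sport == port and s.syn and s.ack for s in out)
    if not out_syn:
        return "upstream"       # nothing arrives: ISP ARP/routing, not the ASA
    if not dmz_syn:
        return "asa_drop"       # arrived, never left towards the server: ACL/NAT on the ASA
    if not dmz_synack:
        return "server_silent"  # delivered, server did not answer: service/host firewall/gateway
    if not out_synack:
        return "return_path"    # server answered but reply never left outside
    return "ok"


# Constructed sample captures for the scenario in this thread.
OUT_CAPTURE = """2 packets captured
   1: 12:03:45.123456 203.0.113.5.51234 > BBB.CCC.58.214.3389: S 1001:1001(0) win 8192 <mss 1460>
   2: 12:03:48.130001 203.0.113.5.51234 > BBB.CCC.58.214.3389: S 1001:1001(0) win 8192 <mss 1460>
2 packets shown
"""
DMZ_EMPTY = "0 packet captured\n0 packet shown\n"
DMZ_SYN_ONLY = """1 packet captured
   1: 12:03:45.123790 203.0.113.5.51234 > 10.204.18.201.3389: S 1001:1001(0) win 8192 <mss 1460>
1 packet shown
"""

if __name__ == "__main__":
    print(diagnose(OUT_CAPTURE, DMZ_EMPTY, "BBB.CCC.58.214", "10.204.18.201"))
    print(diagnose(OUT_CAPTURE, DMZ_SYN_ONLY, "BBB.CCC.58.214", "10.204.18.201"))
```

A capture that is empty on both interfaces matches the original symptom (ACL hit count 0) and points upstream, as the earlier replies said; a SYN on outside with nothing on dmz points at the ASA itself; a SYN on dmz without a SYN-ACK means the server, not the firewall, is the next thing to check.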