ASA Port Forwarding Issue

robert3kennedy
Level 1

Hi, I'm looking for a bit of assistance; I'm pretty sure I'm making a silly mistake somewhere. I am trying to allow port 3389 through the ASA to a host for RDP. I will eventually tie it down so it can only be accessed from one location.

ASA Version 9.8(2)38

ASDM Version 7.8(1)

Screenshots of NAT and ACL rules attached.  It is failing the packet tracer on the ASA at the NAT section.

Any help appreciated.


Thanks

16 Replies

So the translation seems to be in place, but not in a way that corresponds to your config above. In your nat-statement you have

nat (INSIDE,OUTSIDE) ...

and the XLATE should read

TCP PAT from INSIDE:192.168.50.50 3389-3389 to OUTSIDE:217.39.144.61 3389-3389

And the packet-tracer should list the UN-NAT in Phase 2 (an example from my ASA):

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network WIN-SERVER
 nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 192.0.2.100/3389 to 10.1.1.21/3389

In this working scenario, my NAT-statement, XLATE, and packet-tracer-command are the following. Compare that to your config and testing:

object network WIN-SERVER
 host 10.1.1.21
object network WIN-SERVER
 nat (inside,outside) static interface service tcp 3389 3389
TCP PAT from inside:10.1.1.21 3389-3389 to outside:192.0.2.100 3389-3389
packet-tracer input outside tcp 1.2.3.4 1234 192.0.2.100 3389

TCP PAT from INSIDE:192.168.50.50 3389-3389 to OUTSIDE:X.X.X.X 3389-3389

is now how the XLATE presents.

However, when running the packet trace there is still no change, and no UN-NAT at phase 2:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Current relevant config:

object service RDP
 service tcp destination eq 3389
 description RDP
object network RDP_HOST
 host 192.168.50.50
!
object network RDP_HOST
 nat (INSIDE,OUTSIDE) static interface service tcp 3389 3389
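The reply above compares the working trace (Phase 2 UN-NAT, "Untranslate mapped to real") against the failing one (no UN-NAT, acl-drop on the identity interface). As an added example that is not part of the thread, the following script parses packet-tracer output into phases and reports whether the static port-forward untranslates to the expected inside host; the two sample traces are constructed from the phase layout shown above.

```python
# Added example (not from the thread): parse ASA packet-tracer output, locate the
# UN-NAT phase and final action, and check the untranslation reaches the real host.
import re

def parse_phases(text):
    phases, cur = [], None           # cur is the phase currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"type": "", "result": "", "info": []}
            phases.append(cur)
        elif line == "Result:":      # bare 'Result:' starts the summary block
            cur = None
        elif cur is not None:
            if line.startswith("Type:"):
                cur["type"] = line[5:].strip()
            elif line.startswith("Result:"):
                cur["result"] = line[7:].strip()
            elif line and not line.endswith(":"):   # Config / Additional Info lines
                cur["info"].append(line)
    return phases

def diagnose(text, real_host, real_port):
    """Summarise what the trace says about a static port-forward (UN-NAT)."""
    phases, untrans = parse_phases(text), None
    for p in phases:
        if p["type"] == "UN-NAT":
            for line in p["info"]:
                m = re.match(r"Untranslate \S+/\d+ to (\S+)/(\d+)", line)
                if m:
                    untrans = (m.group(1), int(m.group(2)))
    action = re.search(r"^Action:\s*(\S+)", text, re.M)
    drop = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
    return {"phases": [p["type"] for p in phases],
            "un_nat_to_host": untrans == (real_host, real_port),
            "action": action.group(1) if action else None,
            "drop_reason": drop.group(1).strip() if drop else None}

# Constructed sample traces, laid out like the packet-tracer output in the thread.
WORKING = ("Phase: 1\nType: ROUTE-LOOKUP\nSubtype: Resolve Egress Interface\nResult: ALLOW\n"
           "Phase: 2\nType: UN-NAT\nSubtype: static\nResult: ALLOW\nAdditional Information:\n"
           "Untranslate 192.0.2.100/3389 to 10.1.1.21/3389\nResult:\nAction: allow\n")
FAILING = ("Phase: 1\nType: ROUTE-LOOKUP\nResult: ALLOW\nAdditional Information:\n"
           "found next-hop X.X.X.X using egress ifc identity\n"
           "Phase: 2\nType: NAT\nSubtype: per-session\nResult: ALLOW\n"
           "Phase: 3\nType: ACCESS-LIST\nSubtype:\nResult: DROP\nConfig:\nImplicit Rule\n"
           "Result:\noutput-interface: NP Identity Ifc\nAction: drop\n"
           "Drop-reason: (acl-drop) Flow is denied by configured rule\n")
```

Run `diagnose(trace, "192.168.50.50", 3389)` on your own trace: a missing UN-NAT phase with "NP Identity Ifc" as the output interface means the packet was treated as destined to the ASA itself rather than untranslated to the host.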
