03-20-2023 01:30 AM
Dear Community,
My client wants to open the remote desktop port 3389 on the FPR1120.
I created a static NAT with port forwarding from outside to inside to forward incoming requests on port 1616 to IP 192.168.**.** on port 3389 (Windows RDP), and an ACL to allow the connection from outside.
The configuration is below.
When I do a packet-tracer, the connection is being dropped by the ACL.
I can't figure out the problem.
Any help is appreciated.
*********NAT****
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-ne
TCP PAT from outside:0.0.0.0/0 1616-1616 to ether2:192.168.**.** 3389-3389
flags srT idle 0:01:07 timeout 0:00:00
*ether2 port is part of the bridge interface*
*****ACL*******
Action : Allow
Intrusion Policy :
Source ISE Metadata :
Source Zones : outside_zone
Destination Zones : inside_zone
Destination Networks : juli_pc (192.168.**.**)
Source Ports : 1616 (protocol 6, port 1616)
Destination Ports : 3389 (protocol 6, port 3389)
Users
URLs
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Enabled
Files : Enabled
Safe Search : No
Rule Hits : 0
File Policy : Block Malware All
Variable Set : Default-Set
***************
> packet-tracer input outside icmp 80.90.**.** 8 0 192.168.**.**
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.**.** using egress ifc inside(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005651f5cc91fa flow (NA)/NA
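As an added example (not code from the original post or from Cisco), here is a small Python parser for the packet-tracer transcript format shown above: it splits the output into phases and returns the first DROP phase together with the final Drop-reason, which is the information needed to tell an ACL drop apart from a NAT or route-lookup failure. The sample trace is constructed from the thread's output, shortened and with the addresses masked as in the post.

```python
# Constructed sample modelled on the thread's packet-tracer output (shortened, addresses masked).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005651f5cc91fa flow (NA)/NA
"""

def parse_trace(trace):
    """Split a packet-tracer transcript into phases plus the final Action / Drop-reason."""
    phases, current, section, action, reason = [], None, None, "", None
    for line in trace.splitlines():
        key, sep, value = line.partition(":")
        value = value.strip()
        if key == "Phase" and sep:
            current = {"phase": value, "config": ""}
            phases.append(current)
            section = None
        elif key == "Result" and sep and not value:
            current = None            # bare "Result:" opens the final summary block
        elif current is not None:
            if key in ("Type", "Subtype", "Result"):
                current[key.lower()], section = value, None
            elif key in ("Config", "Additional Information"):
                section = key         # free-text block until the next keyword line
            elif section == "Config":
                current["config"] += line + "\n"
        elif key == "Action":
            action = value
        elif key == "Drop-reason":
            reason = value
    return {"phases": phases, "action": action, "drop_reason": reason}

def first_drop(trace):
    """Return (phase, type, drop_reason) of the first DROP phase, or None."""
    parsed = parse_trace(trace)
    drop = next((p for p in parsed["phases"] if p.get("result") == "DROP"), None)
    return (drop["phase"], drop["type"], parsed["drop_reason"]) if drop else None
```

Running `first_drop` on a trace that reaches a NAT or ROUTE-LOOKUP phase with Result: DROP instead of ACCESS-LIST points at rule ordering or routing rather than the ACL.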
03-20-2023 04:42 AM
That's correct, you have to place the static NAT rule on top if you have configured a dynamic rule.
03-20-2023 02:44 AM - edited 03-20-2023 02:51 AM
Create two ACLs: the one you already defined, outside to inside, and another ACL you have to define inside to outside, then test again.
Could you also share your NAT rules please? When you do packet-tracer, are you using the outside IP address?
03-20-2023 03:03 AM
03-20-2023 03:04 AM
03-20-2023 03:07 AM
Do a packet-tracer please:
packet-tracer interface outside tcp 8.8.8.8 1234 X.X.X.X 3389
x.x.x.x is your FTD outside IP address (are you using a public IP or a private IP address?)
03-20-2023 04:39 AM
Yes, x.x.x.x is my FTD outside IP address.
I fixed it. I tried everything but just had to change the placement of the NAT: above a specific rule, the inside_outside dynamic NAT rule.
Static NAT should be placed above dynamic NAT.
I was able to get hits on the ACL and connect via RDP.
Attached pics.
Thanks