Cisco ASA NAT issue

stevenh-miller
Level 1

Hi all,

So we have an issue on one of our networks that we are trying to make work. This is in relation to a request for a basic NAT set-up for RDP.

Scenario is as follows:

-A server sitting in AWS environment needs to access a server on a DMZ hanging off a Cisco ASA firewall by RDP at an end site

-The end site ASA connects to an AWS CSR via VPN

-The routing on the ASA is in place for the DMZ network and inside network

-Traffic works fine from the AWS server to the end site inside network

-The requirement is to NAT the single RDP connection from the AWS server coming into the outside interface and use an address on the inside network to NAT to the DMZ server (we can't use the outside interface address)

The ACL on the ASA is open to all connections from AWS to the inside network.

We have tried an auto NAT entry as follows using example IP addresses:

object network DMZ_Server
 host 10.5.32.70
 nat (dmz,outside) static 10.70.44.50

With all ACLs allowing traffic, the RDP connection fails and the packet tracer shows phase 2 dropping on the ACL and hitting the default deny rule, despite the traffic being allowed in the generic allow rule. The NAT is doing 'un-nat'.

We have also tried doing the NAT from the outside to the DMZ but then the NAT rule is not hit at all.

Should we be doing the NAT rule in a different way if we are trying to use the inside network to NAT to the dmz?

I need urgent help on this as it's holding up a project; I just don't know what I'm missing.

Thanks

Steve


Use a capture on the DMZ interface to see if the traffic passes to the server or not.

And yes, NAT must see some hits. There is also another issue, which is the order of NAT: you need to use manual, not auto NAT. Did you add the NAT as I suggested before??

MHM

Yes I did, it's manual NAT not using the object, as you suggested. I can RDP from the AWS server to another server on the inside interface, but the NAT is not being hit when I try to hit the inside network address I'm using for translation.

So my NAT statement definitely needs to be from outside to inside zones and not inside to DMZ?

I will check this

Thanks for waiting 

MHM

[Attached image: 20250115_112950.jpg]

There are two NATs:

One for the server in the DMZ and the other a no-NAT (NAT exemption). These must be in order.

The no-NAT must be pushed after the server NAT.

Note: check how I configured NAT for the server.

MHM

Just to be sure, because you mention that you have an ACL in the outside access list that allows traffic to the internal NAT address:

Does the outside ACL include access to 10.5.32.70, or does the outside ACL only include entries for 10.70.44.x?

Because in general, the outside (inbound) ACL needs to specify the real/internal IP address in the destination, not the NAT IP address.

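The two points made in the replies above, that the no-NAT (identity) rule must come after the server's static NAT, and that the inbound outside ACL must reference the real address rather than the mapped one, can be put together in one manual NAT configuration. The following is an added example, not a configuration posted in this thread; the interface names (outside, dmz, inside), the inside subnet 10.70.44.0/24 and the AWS VPN subnet 172.16.10.0/24 are assumptions, while the server addresses are the example values from the original post.

```cisco
! Added example (not from the thread). Interface names, the inside subnet
! 10.70.44.0/24 and the AWS subnet 172.16.10.0/24 are assumptions; the
! server addresses 10.5.32.70 (real) and 10.70.44.50 (mapped) come from the post.

object network DMZ_Server
 host 10.5.32.70
object network DMZ_Server_Mapped
 host 10.70.44.50
object network INSIDE_NET
 subnet 10.70.44.0 255.255.255.0
object network AWS_NET
 subnet 172.16.10.0 255.255.255.0

! Line 1 (section 1, manual NAT): static translation for the DMZ server.
! It is placed ahead of the identity rule so that a packet from AWS to
! 10.70.44.50 is un-NATed to 10.5.32.70 before any no-NAT rule can match it.
nat (dmz,outside) 1 source static DMZ_Server DMZ_Server_Mapped destination static AWS_NET AWS_NET

! Line 2: identity NAT (no-NAT) for the site-to-site VPN traffic to the inside
! network. If this line came first, a packet from AWS to 10.70.44.50 (an address
! inside 10.70.44.0/24) would match here and the server translation would never hit.
nat (inside,outside) 2 source static INSIDE_NET INSIDE_NET destination static AWS_NET AWS_NET

! Inbound ACL on the outside interface. The ASA evaluates this ACL after un-NAT,
! so the destination must be the real DMZ address, not the mapped 10.70.44.50.
access-list OUTSIDE_IN extended permit tcp object AWS_NET object DMZ_Server eq 3389
access-list OUTSIDE_IN extended permit ip object AWS_NET object INSIDE_NET
access-group OUTSIDE_IN in interface outside

! Verification: the trace should show an UN-NAT phase to 10.5.32.70 and the
! ACCESS-LIST phase as ALLOW; "show nat detail" shows hit counts per rule.
packet-tracer input outside tcp 172.16.10.25 40000 10.70.44.50 3389
show nat detail
```

If the packet-tracer output still shows the ACL phase dropping, check whether the UN-NAT phase appears before it: no UN-NAT means the identity rule (or another earlier rule) matched first, and the ACL is then being evaluated against 10.70.44.50 rather than 10.5.32.70. The mapped address also has to fall within the VPN's interesting traffic, which it does here because the whole inside subnet is carried over the tunnel.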

Hello @stevenh-miller 

Assumption is:
Interfaces = DMZ/OUT
10.5.32.70 = real srv IP
10.70.44.50 = mapped srv IP

If so, and providing you have the correct ACL/group in place, the following should work, but make sure to state a NAT position in the NAT section so it takes precedence over rules in the same section or in section 3 (after-auto manual NAT). Below I'm using auto NAT section 2 via object, just as in your OP.

Example:
sh nat detail

object network DMZ_EXT_Server
 host 10.70.44.50

object network DMZ_Server
 host 10.5.32.70
 nat (dmz,outside) 1 static DMZ_EXT_Server service tcp 3389 3389

or
 nat (dmz,outside) 1 static 10.70.44.50 service tcp 3389 3389

Basic ACL/group:
access-list 100 extended permit tcp any object DMZ_Server eq 3389
or
access-list 100 extended permit tcp any any eq 3389

access-group 100 in interface OUT



Kind Regards
Paul