
Cisco ASA NAT issue

stevenh-miller
Level 1

Hi all,

So we have an issue on one of our networks that we are trying to make work. This is in relation to a request for a basic NAT set up for RDP.

Scenario is as follows:

-A server sitting in AWS environment needs to access a server on a DMZ hanging off a Cisco ASA firewall by RDP at an end site

-The end site ASA connects to an AWS CSR via VPN

-The routing on the ASA is in place for the DMZ network and inside network

-Traffic works fine from the AWS server to the end site inside network

-The requirement is to NAT the single RDP connection from the AWS server coming into the outside interface and use an address on the inside network to NAT to the DMZ server (we can't use the outside interface address)

The ACL on the ASA is open to all connections from AWS to the inside network.

We have tried an auto NAT entry as follows using example IP addresses:

object network DMZ_Server
 host 10.5.32.70
 nat (dmz,outside) static 10.70.44.50

With all ACLs allowing traffic, the RDP connection fails and packet tracer shows phase 2 dropping on the ACL and hitting the default deny rule, despite the traffic being allowed in the generic allow rule. The NAT is doing 'un-nat'.

We have also tried doing the NAT from the outside to the DMZ but then the NAT rule is not hit at all.

Should we be doing the NAT rule in a different way if we are trying to use the inside network to NAT to the dmz?

I need urgent help on this as it's holding up a project, I just don't know what I'm missing.

thanks

Steve

20 Replies

10.70.44.50 <<- is this the IP of the outside interface?

Can I see the ACL?

MHM

No its the inside network address

Oh OK, so why not add the DMZ server into the VPN ACL? Then you would not need the hairpin NAT anymore.

MHM

So the server that sits on the DMZ belongs to a different customer, and they want it to be NATed using the inside network address space so that AWS doesn't have to have routing to the DMZ customer.

nat (outside,dmz) source static <remote LAN> <remote LAN> destination static <Inside Server mapped IP> <DMZ server real IP>

Try the above NAT, hope it will work.

thanks 

MHM

OK, so the NAT is working as it did when we used auto NAT, but the ACL is still dropping. We have an open rule allowing all IP traffic from the AWS subnet to the internal subnets, but even when we place a specific ACL for port 3389 from the outside address to the NAT address on the inside network it doesn't hit the ACL and just drops to the deny any rule for the outside ACL. Any ideas?

Do DMZ and inside have the same security level?

MHM

yes they do

Then use:

same-security-traffic permit inter-interface

MHM

Added that command, same issue, ACL drop. This is the output of packet tracer:

Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
untranslate (inside network address) to (DMZ real address)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any log

We have ACLs in that outside access list that allow traffic from the outside server to the internal NAT address on TCP port 3389, but that ACL is not being hit?
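The packet-tracer output above is the key observation: UN-NAT runs in phase 1 and the interface ACL is checked in phase 2, against the destination address as it is after un-translation. On ASA 8.3 and later, access-group ACLs are always evaluated against real (untranslated) addresses, so a permit written to the mapped inside address 10.70.44.50 can never match and the flow falls through to the explicit deny. The configuration below is an added example written for this thread, not the original poster's or MHM's configuration. The interface names dmz and outside, the DMZ server real IP 10.5.32.70 and the mapped inside-range address 10.70.44.50 are taken from the original post; the AWS source subnet 10.200.0.0/24 and all object names are assumptions.

```cisco
! Added example, not from the thread. Interface names (dmz, outside) and the
! addresses 10.5.32.70 (DMZ server real IP) and 10.70.44.50 (mapped address
! in the inside range) come from the original post. The AWS source subnet
! 10.200.0.0/24 and the object names below are assumptions.
object network DMZ_Server_Real
 host 10.5.32.70
object network DMZ_Server_Mapped
 host 10.70.44.50
object network AWS_Servers
 subnet 10.200.0.0 255.255.255.0
!
! Twice (manual) NAT matched in the outside->dmz direction: the AWS source is
! left unchanged, the destination 10.70.44.50 is translated to 10.5.32.70 and
! the connection egresses on dmz (the mapped interface of the rule).
nat (outside,dmz) source static AWS_Servers AWS_Servers destination static DMZ_Server_Mapped DMZ_Server_Real
!
! ASA 8.3+ interface ACLs match on real addresses, so the permit must name
! the DMZ server's real IP, not the mapped inside address. Keep it above the
! explicit deny and restrict it to the one RDP port that is required.
access-list outside_access_in extended permit tcp object AWS_Servers object DMZ_Server_Real eq 3389
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
```

Two checks are worth doing after applying this. First, `show nat` lists section 1 manual rules in order; if an existing identity (NAT exemption) rule for the VPN traffic, such as one matching `any` destinations, sits above this rule it will win, so insert the new rule earlier with a line number (`nat (outside,dmz) 1 source static ...`). Second, re-run `packet-tracer input outside tcp 10.200.0.10 12345 10.70.44.50 3389 detailed` (source address assumed) and confirm that the ACCESS-LIST phase now reports the permit line rather than the deny. If the RDP test from AWS still fails but packet-tracer passes, the NAT rule will show zero translate_hits in `show nat detail`, which indicates the traffic is not arriving on the outside interface at all and the VPN crypto ACL or the AWS side routing should be checked next.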

clear conn address <ip of server>

And don't put so much trust in packet tracer; have the remote user try to access the server in the DMZ and check.

MHM

No, it doesn't work. If I do a packet tracer to any other address on that network it just uses the open ACL. It has something to do with that NAT, which is forcing the ACL to drop, I just can't work it out.

And I always try the RDP connection from the server as well; when I do, the NAT rule isn't being hit.

Is it possible then that the RDP traffic is not reaching the ASA, if the NAT is not being hit?
