03-15-2011 06:12 PM - edited 03-11-2019 01:07 PM
Hi, I am new to ASA, especially 8.3. I have configured static NAT with port translation as per the following. The traffic flow is from outside to DMZ on port 3389.
object network Terminal-Server
 host 10.0.22.51
object network Streamer
 host 10.0.22.50
object network Terminal-Server
 nat (DMZ,outside) static 192.168.1.1 service tcp 3389 3389
object network Streamer
 nat (DMZ,outside) static 192.168.1.1 service tcp www www
access-list outside_access_in extended permit tcp any object Terminal-Server eq 3389
access-list outside_access_in extended permit tcp any object Streamer eq www
When trying to RDP to 192.168.1.1 on port 3389 the log on the ASA says:
Inbound TCP connection denied from x.x.x.x/52413 to 192.168.1.1/3389 flag SYN on interface outside
Can someone please point what I am doing wrong?
Thanks
03-15-2011 06:20 PM
Can you confirm if your access-list is applied to the outside interface:
access-group outside_access_in in interface outside
Also, is 192.168.1.1 a spare ip address in the same subnet as the outside interface?
03-15-2011 06:37 PM
Thanks for the reply Jennifer,
I can confirm that it is.
ASA# sh run access-group
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
The 192.168.1.1 is part of a subnet that is routed to the firewall and not used anywhere else but it's not in the same subnet as the outside interface. The outside interface is 192.168.1.248.0/29.
I have also configured Clientless SSL VPN on this ASA and it stopped authenticating users when trying to log in. I had to reboot it and it is fixed now, so not sure why that happened.
Thanks
03-15-2011 06:47 PM
Might need to see the complete ACL to see why it's being denied.
Do you happen to have any "deny" statement above the specific "permit" that might be denying the traffic?
03-15-2011 07:53 PM
Thanks for your help, my bad as I had a NAT pool with the IP address used for static NAT. I have removed this and everything is working fine.
However Clientless SSL VPN is not authenticating users after a while when they are logged in, it simply says login failed and reprompts for username and password. The same username and password can be used to telnet to ASA and it works fine. Last time I rebooted the ASA which fixed the problem but I can't do this every time this happens.
Do you know what could be causing this?
Thanks
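The root cause found above (a dynamic NAT pool containing the same address used as a static mapped IP) is easy to miss in a long running-config. The following is an added example, not code from the thread or from Cisco: a small linter for ASA 8.3 object-NAT stanzas that flags a static mapped address falling inside a dynamic pool, and a static (mapped IP, protocol, mapped port) tuple claimed twice. The sample config is constructed: it contains the post's two static PATs plus a hypothetical pool object, outside-pool, and a hypothetical object inside-host that uses it.

```python
import ipaddress
import re
# Constructed sample config (not the thread's running-config): the post's two
# static PATs plus a hypothetical dynamic pool whose range reuses 192.168.1.1.
SAMPLE_CONFIG = """\
object network Terminal-Server
 host 10.0.22.51
 nat (DMZ,outside) static 192.168.1.1 service tcp 3389 3389
object network Streamer
 host 10.0.22.50
 nat (DMZ,outside) static 192.168.1.1 service tcp www www
object network outside-pool
 range 192.168.1.1 192.168.1.5
object network inside-host
 host 10.0.10.5
 nat (inside,outside) dynamic outside-pool
"""
def parse_objects(config):
    """Map each 'object network' name to its address bounds (lo/hi) and nat line."""
    objs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            cur = objs.setdefault(line.split()[2], {})  # repeated stanzas merge
        elif cur is not None and line.startswith("host "):
            cur["lo"] = cur["hi"] = ipaddress.ip_address(line.split()[1])
        elif cur is not None and line.startswith("range "):
            cur["lo"], cur["hi"] = map(ipaddress.ip_address, line.split()[1:3])
        elif cur is not None and line.startswith("nat "):
            cur["nat"] = line
    return objs

def find_nat_conflicts(config):
    """Flag mapped IPs shared by a static NAT and a dynamic pool, and duplicate static (IP, proto, port) keys."""
    objs, findings, seen = parse_objects(config), [], {}
    pools = [(objs[m.group(1)], name) for name, o in objs.items()
             if (m := re.search(r"\bdynamic (\S+)", o.get("nat", ""))) and m.group(1) in objs]
    for name, o in objs.items():
        m = re.search(r"\bstatic (\d+\.\d+\.\d+\.\d+)(?: service (\S+) \S+ (\S+))?", o.get("nat", ""))
        if not m:
            continue
        mapped = ipaddress.ip_address(m.group(1))
        key = (mapped, m.group(2), m.group(3))  # port names (www) are not normalised to numbers
        if key in seen:
            findings.append(f"{name}: mapped {mapped} {key[1]}/{key[2]} already used by {seen[key]}")
        seen[key] = name
        for pool, user in pools:  # a pool address also used as a static mapped IP is the thread's bug
            if pool["lo"] <= mapped <= pool["hi"]:
                findings.append(f"{name}: static mapped {mapped} overlaps dynamic pool used by {user}")
    return findings
```

Two static PATs sharing one mapped IP on different ports (as in the post) produce no duplicate finding; only the pool overlap is reported.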
03-15-2011 09:59 PM
How many SSL VPN license do you have?
Have you exhausted the number of concurrent SSL VPN connections?
Can you share a copy of "show version" and also the output of "sh vpn-sessiondb summary"