05-16-2014 12:36 PM - edited 03-11-2019 09:12 PM
Hello All.
Consider these bits of configuration from my ASA:
ASA Version 9.1(3)
!
hostname wnsk-asa
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
object network callhost-inside
host 10.3.2.25
object network callhost-outside
host 209.198.173.58
object-group network EQUINOX
network-object host 175.146.14.236
network-object 175.77.48.96 255.255.255.224
network-object 209.198.187.0 255.255.255.0
access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq 3389
access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq 5900
access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq ftp
access-list awcc_vpn extended permit ip host 10.3.2.25 host 172.31.250.150
nat (server-lan,itrunk) source static callhost-inside callhost-inside destination static awcc awcc no-proxy-arp route-lookup
!
object network wnsk
nat (server-lan,itrunk) dynamic WNSK-POOL
object network callhost-inside
nat (server-lan,itrunk) static callhost-outside
object network vpnpool
nat (itrunk,itrunk) dynamic WNSK-POOL
access-group inbound12 in interface itrunk
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
: end
When I check my setup with packet-tracer, I get this:
wnsk-asa# packet-tracer input itrunk tcp 209.198.187.78 22222 10.3.2.25 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.3.2.0 255.255.255.0 server-lan
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound12 in interface itrunk
access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq 3389
object-group network EQUINOX
network-object host 175.146.14.236
network-object 175.77.48.96 255.255.255.224
network-object 209.198.187.0 255.255.255.0
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network callhost-inside
nat (server-lan,itrunk) static callhost-outside
Additional Information:
Result:
input-interface: itrunk
input-status: up
input-line-status: up
output-interface: server-lan
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
When I actually get on the host at 209.198.187.78 and attempt to connect to port 3389 of 209.198.173.58, it works. Packet-tracer says it will not work. What am I getting wrong, or is the ASA tricking me?
ERM
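The rpf-check drop in the trace above is what the ASA reports when an inbound trace on the mapped interface is given the real (inside) address as destination while the static NAT rule it cites expects the packet on the wire to carry the mapped address. As an added example that is not part of this thread, the Python checker below parses packet-tracer output, isolates the first dropping phase and, when that phase is a NAT rpf-check citing a static object NAT, reports the real and mapped hosts so the trace can be re-run against the mapped one; the TRACE text and HOSTS map are constructed from the post's own output and object definitions.

```python
import re
# Constructed sample: the dropping phase of the post's packet-tracer run, trimmed to
# the lines the checker needs; HOSTS holds the post's two network-object addresses.
TRACE = """\
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network callhost-inside
nat (server-lan,itrunk) static callhost-outside
Additional Information:
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
HOSTS = {"callhost-inside": "10.3.2.25", "callhost-outside": "209.198.173.58"}

def parse_phases(trace):
    """Split packet-tracer output into phases, keeping each phase's Config lines."""
    phases, cur, in_cfg = [], None, False
    for line in trace.splitlines():
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Phase":
            cur, in_cfg = {"type": "", "subtype": "", "result": "", "config": []}, False
            phases.append(cur)
        elif cur is None:
            continue
        elif key == "Result" and not val:  # a bare "Result:" opens the final summary
            break
        elif key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val
        elif key in ("Config", "Additional Information"):
            in_cfg = key == "Config"
        elif in_cfg:
            cur["config"].append(line.strip())
    return phases

def explain_drop(trace, hosts):
    """For a NAT rpf-check DROP citing a static object NAT, return the real and mapped
    host plus the interface the mapped address belongs to; None for other outcomes."""
    drops = [p for p in parse_phases(trace) if p["result"] == "DROP"]
    if not drops or (drops[0]["type"], drops[0]["subtype"]) != ("NAT", "rpf-check"):
        return None
    real, rule = None, None
    for line in drops[0]["config"]:
        if m := re.match(r"object network (\S+)", line):
            real = m.group(1)
        elif m := re.match(r"nat \((\S+),(\S+)\) static (\S+)", line):
            rule = m.groups()  # (real-if, mapped-if, mapped-object)
    return {"real": hosts.get(real), "mapped": hosts.get(rule[2]), "mapped_if": rule[1]} if real and rule else None
```

For the post's trace this returns the mapped host 209.198.173.58 on itrunk, which is the destination the trace should use for a packet arriving from the EQUINOX range.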
05-16-2014 03:19 PM
In your packet-tracer string you direct the ASA to tell you about reachability of "10.3.2.25 3389". In your text you mention being able to get to "port 3389 of 209.198.173.58".
Which of those two are you trying to figure out?