04-20-2011 02:29 PM - edited 03-11-2019 01:24 PM
Good afternoon,
I have a single ASA 5505, IOS 8.4, and I am trying to forward RDP traffic to an internal server. This is a very simple setup with no prior access-lists, VPNs, or anything else. The only extra configuration is a Guest VLAN, with security 50.
Here's the configuration that I have:
________________________________________________
interface Vlan1
nameif inside
security-level 100
ip address 10.72.132.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 76.79.X.X 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif Guest
security-level 50
ip address 172.16.254.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
object network Fileserver
host 10.72.132.7
!
access-list OutsideToIn extended permit tcp any host 10.72.132.7 eq 3389
!
nat (inside,outside) source dynamic any interface
nat (Guest,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network Fileserver
nat (inside,outside) static interface service tcp 3389 3389
access-group OutsideToIn in interface outside
________________________________________________
When I do a show access-list, it shows no hits.
When I run packet tracer, I get this:
______________________________________________
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.72.132.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OutsideToIn in interface outside
access-list OutsideToIn extended permit tcp any host 10.72.132.7 eq 3389
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcaa00ad0, priority=13, domain=permit, deny=false
hits=0, user_data=0xc8edc7b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.72.132.7, mask=255.255.255.255, port=3389, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcac55ef8, priority=0, domain=inspect-ip-options, deny=true
hits=137627, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcac59058, priority=0, domain=host-limit, deny=false
hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcac87e78, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xcac873b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
______________________________________________
This clearly shows that it's a NAT issue, but I'm not exactly sure what modifications I need to make. Any ideas?
Thank you.
04-20-2011 04:21 PM
Hi Logan,
So basically, the problem here is that you have configured an auto-nat rule for the static.
In 8.4, manual NATs take first preference, and then auto-NAT.
So as a result traffic is hitting the manual NAT "dynamic any interface" rule, and thus getting dropped.
Copy and paste the following commands to fix the issue:
object network Fileserver
no nat (inside,outside) static interface service tcp 3389 3389
!
object service tcp_3389
service tcp source eq 3389
exit
!
nat (inside,outside) 1 source static Fileserver interface service tcp_3389 tcp_3389
Now your NAT should work fine.
Basically, I have taken the auto-NAT rule out and converted it into a manual NAT rule, which I have put at the top of the manual NAT list.
Hope this helps.
-Shrikant
P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.
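A small Python model of the rule ordering Shrikant describes, added here as an illustration and not part of either post or of Cisco's code: it walks manual NAT (section 1) before auto-NAT (section 2), untranslates the inbound destination, and applies a simplified rpf-check, so the poster's original rule set is dropped while the fixed one is allowed. It models only the (inside,outside) rules, and the outside address 76.79.0.1 is a placeholder for the masked 76.79.X.X.

```python
from dataclasses import dataclass
from typing import Optional
FILESERVER, OUTSIDE_IP = "10.72.132.7", "76.79.0.1"  # outside IP is a placeholder for 76.79.X.X

@dataclass(frozen=True)
class Rule:
    name: str
    section: int            # 1 = manual NAT (section 1), 2 = auto-NAT (section 2)
    order: int              # line number within the section
    static: bool            # static rules allow inbound (untranslate); dynamic ones do not
    real_src: str           # "any" or a host on the inside
    mapped_src: str         # address the real source is translated to
    real_port: Optional[int] = None    # None = all ports
    mapped_port: Optional[int] = None

def nat_table(rules):
    """Walk order: section 1 strictly by line; section 2 with static rules before dynamic."""
    return sorted(rules, key=lambda r: (r.section, r.section == 2 and not r.static, r.order))

def matches_real_flow(rule, src_ip, src_port):
    """Would an inside->outside flow from src_ip:src_port be translated by this rule?"""
    return (rule.real_src in ("any", src_ip)
            and (rule.real_port is None or rule.real_port == src_port))

def packet_tracer(rules, dst_ip, dst_port):
    """Outside->inside packet to dst_ip:dst_port: ('ALLOW', rule name) or ('DROP', reason)."""
    table = nat_table(rules)
    # Untranslate the destination: first static rule that owns the mapped address/port.
    fwd = next((r for r in table if r.static and r.mapped_src == dst_ip
                and r.mapped_port == dst_port), None)
    if fwd is None:
        return "DROP", "no static translation for destination"
    # rpf-check: the server's reply (real src:port) must be translated by the same rule.
    rev = next((r for r in table if matches_real_flow(r, fwd.real_src, fwd.real_port)), None)
    if rev is not fwd:
        return "DROP", f"rpf-check: reverse flow hits '{rev.name if rev else None}' before '{fwd.name}'"
    return "ALLOW", fwd.name

# The poster's original set: static is auto-NAT (section 2), "dynamic any" is manual (section 1).
ORIGINAL = [
    Rule("manual dynamic any->interface", 1, 1, False, "any", OUTSIDE_IP),
    Rule("auto-NAT static Fileserver 3389", 2, 1, True, FILESERVER, OUTSIDE_IP, 3389, 3389),
    Rule("auto-NAT dynamic obj_any", 2, 2, False, "any", OUTSIDE_IP),
]
# After the fix: the static is manual NAT line 1, pushing the dynamic rule down to line 2.
FIXED = [
    Rule("manual static Fileserver tcp_3389", 1, 1, True, FILESERVER, OUTSIDE_IP, 3389, 3389),
    Rule("manual dynamic any->interface", 1, 2, False, "any", OUTSIDE_IP),
    Rule("auto-NAT dynamic obj_any", 2, 1, False, "any", OUTSIDE_IP),
]
```

Calling `packet_tracer(ORIGINAL, OUTSIDE_IP, 3389)` reproduces the rpf-check drop from the question; the same call on `FIXED` returns ALLOW via the manual static rule.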
04-20-2011 06:42 PM
Shrikant,
Thank you very much, this fixed it!!! The way you explain it makes it seem so simple. It will take a bit of getting used to the new object-oriented rules. Thanks again!
Logan