multi port forwarding ASA 5510

Exonix
Level 1

Hello,

I'm trying to configure RDP access to two internal hosts. Here is the ASA config:

Cisco Adaptive Security Appliance Software Version 9.1(7)15
Device Manager Version 7.8(2)151

System IP Addresses:
Interface    Name     IP address     Subnet mask    Method
Ethernet0/0  WAN      10.254.1.200   255.255.255.0  CONFIG
Ethernet0/1  LAN-MSP  172.16.16.254  255.255.255.0  CONFIG
Ethernet0/3  LAN-AD   10.255.8.254   255.255.255.0  CONFIG
object network NUC-16
 host 172.16.16.222
object network LAN-MSP
 subnet 172.16.16.0 255.255.255.0
object network NUC-8
 host 10.255.8.222
object network LAN-AD
 subnet 10.255.8.0 255.255.255.0
access-list ALLOW-LAN extended permit ip any any
access-list ALLOW-RDP-NUC-16 extended permit tcp any object NUC-16 eq 3389
access-list ALLOW-RDP-NUC-8 extended permit tcp any object NUC-8 eq 3388
object network NUC-16
 nat (LAN-MSP,WAN) static interface service tcp 3389 3389
object network LAN-MSP
 nat (LAN-MSP,WAN) dynamic interface
object network NUC-8
 nat (LAN-AD,WAN) static interface service tcp 3389 3388
object network LAN-AD
 nat (LAN-AD,WAN) dynamic interface
access-group ALLOW-RDP-NUC-16 in interface WAN
access-group ALLOW-LAN in interface LAN-MSP
access-group ALLOW-LAN in interface LAN-AD
route WAN 0.0.0.0 0.0.0.0 10.254.1.1 1

 

With this config I can connect to host NUC-16, but I can't connect to host NUC-8. When I bind the rule ALLOW-RDP-NUC-8 to the WAN interface, it overwrites the rule ALLOW-RDP-NUC-16. I can easily perform the same task on a Cisco 7206:

ip nat inside source static tcp 10.255.8.222 3389 10.254.1.200 3389
ip nat inside source static tcp 172.16.16.222 3389 10.254.1.200 3388

 

How can I perform the same in ASA 5510?

 

Thank you!


6 Replies

Rahul Govindan
VIP Alumni

You can only have one access-list in a direction on an interface. So try doing this:

 

access-list ALLOW-RDP-NUC extended permit tcp any object NUC-16 eq 3389
access-list ALLOW-RDP-NUC extended permit tcp any object NUC-8 eq 3389

access-group ALLOW-RDP-NUC in interface WAN

 

 

Yes, I have done it, but I still can't connect.
Also, I have only changed port 3389 to 3388 in the working configuration for host NUC-16, and it doesn't work.

Try running a packet tracer on the ASA and see where the failure is:
packet-tracer input WAN tcp 1.1.1.1 12345 <interface-ip> 3388 detailed

FRA-ASA1# packet-tracer input WAN tcp 10.254.1.75 12345 10.254.1.200 3388

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network NUC-8
nat (LAN-AD,WAN) static interface service tcp 3389 3388
Additional Information:
NAT divert to egress interface LAN-AD
Untranslate 10.254.1.200/3388 to 10.255.8.222/3389

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: LAN-AD
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

But I do have an access rule, don't I?

 

access-list ALLOW-RDP-NUC extended permit tcp any object NUC-8 eq 3388

finally, here is working configuration:

object network LAN-MSP
subnet 172.16.16.0 255.255.255.0
object network LAN-AD
subnet 10.255.8.0 255.255.255.0
object network NUC-16
host 172.16.16.222
object network NUC-8
host 10.255.8.222
access-list ALLOW-RDP-NUC extended permit tcp any object NUC-16 eq 3389
access-list ALLOW-RDP-NUC extended permit tcp any object NUC-8 eq 3389
!
object network LAN-MSP
nat (LAN-MSP,WAN) dynamic interface
object network LAN-AD
nat (LAN-AD,WAN) dynamic interface
object network NUC-16
nat (LAN-MSP,WAN) static interface service tcp 3389 3389
object network NUC-8
nat (LAN-AD,WAN) static interface service tcp 3389 3388
access-group ALLOW-RDP-NUC in interface WAN
route WAN 0.0.0.0 0.0.0.0 10.254.1.1 1

 

In the access rule I had to define the internal port of the client. The external port is defined in the NAT object for this client.

Yes, this is what I had posted in my initial reply:

access-list ALLOW-RDP-NUC extended permit tcp any object NUC-16 eq 3389
access-list ALLOW-RDP-NUC extended permit tcp any object NUC-8 eq 3389
access-group ALLOW-RDP-NUC in interface WAN

ACLs reference internal IPs and ports starting from version 8.3 onward. Glad everything is working for you now.
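As an added illustration (not code from the thread or from Cisco), here is a small Python model of the ASA 8.3+ processing order that the packet-tracer output above reflects: the inbound packet on WAN is un-NATed first, and the interface ACL is then matched against the real (inside) address and port. `WAN_IP`, `packet_tracer`, and the dataclass names are my own; the hosts, ports and interface names are the ones from this thread.

```python
"""Toy model of the ASA 8.3+ inbound flow: UN-NAT, then ACL on real address/port.
Added example, not Cisco code. Addresses and ports are the thread's; helper
names (StaticNat, Ace, WAN_IP, packet_tracer) are constructed here."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticNat:
    """object network NAME / nat (INSIDE_IF,WAN) static interface service tcp REAL MAPPED"""
    name: str
    real_ip: str
    inside_if: str
    real_port: int
    mapped_port: int

@dataclass(frozen=True)
class Ace:
    """access-list ... extended permit tcp any host DST_IP eq DST_PORT"""
    dst_ip: str
    dst_port: int

WAN_IP = "10.254.1.200"  # WAN interface address, used as the mapped address

NAT_RULES = [
    StaticNat("NUC-16", "172.16.16.222", "LAN-MSP", 3389, 3389),
    StaticNat("NUC-8", "10.255.8.222", "LAN-AD", 3389, 3388),
]

def packet_tracer(dst_ip: str, dst_port: int, acl: list[Ace]) -> dict:
    """Report the phases the ASA would run for an inbound TCP packet on WAN."""
    phases: list[str] = []
    # Phase UN-NAT: the static rule is matched on the MAPPED address and port.
    nat = next((r for r in NAT_RULES
                if dst_ip == WAN_IP and dst_port == r.mapped_port), None)
    if nat is None:
        return {"phases": phases, "action": "drop", "reason": "no NAT match (model)"}
    phases.append(f"UN-NAT: {dst_ip}/{dst_port} -> {nat.real_ip}/{nat.real_port} via {nat.inside_if}")
    # Phase ACCESS-LIST: evaluated against the UNTRANSLATED destination,
    # so the ACE must name the inside port (3389), not the mapped one (3388).
    permitted = any(a.dst_ip == nat.real_ip and a.dst_port == nat.real_port for a in acl)
    phases.append(f"ACCESS-LIST: {'ALLOW' if permitted else 'DROP'} on {nat.real_ip}/{nat.real_port}")
    reason = None if permitted else "(acl-drop) Flow is denied by configured rule"
    return {"phases": phases, "action": "allow" if permitted else "drop",
            "reason": reason, "egress": nat.inside_if}

# The original poster's failing ACL (mapped port 3388 in the ACE) and the accepted fix.
ACL_BROKEN = [Ace("172.16.16.222", 3389), Ace("10.255.8.222", 3388)]
ACL_FIXED = [Ace("172.16.16.222", 3389), Ace("10.255.8.222", 3389)]

if __name__ == "__main__":
    for label, acl in (("broken", ACL_BROKEN), ("fixed", ACL_FIXED)):
        print(label, packet_tracer(WAN_IP, 3388, acl))
```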