cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
529
Views
5
Helpful
4
Replies

NAT Issue ASA 9.1

Ejaz Ahmed
Level 1
Level 1

Hi Experts,

Please help me on this, I have upgraded my cisco asa from 8.2 to 9.1 version. I know that cisco made huge changes in NAT configuration. The firewall 8.2 is configured with lots  static PAT and dynamic PAT lines. Now I am going to convert these lines to 9.1 format. I have successfully configured the static PAT line, which mainly doing the port forward (ie same port number on external and internal). But i got stuck in port redirection, it is not working for me. Please see the following lines that I configured my firewall


1.  RDP connection to one of the internal machine  from external

Object network Obj_RDP_192.168.1.10

host 192.168.1.10
nat (inside, outside) static x.x.x.x

access-list outside_inside extended permit tcp any host 192.168.1.10 eq 3389


The above lines are working for me. I can RDP to the machine 192.168.1.10 from external using the public IP x.x.x.x

Now see the below command which is not working for me:


2. RDP to another internal machine  (Since the port 3389 already used for the first machine, I selected port 2000 here)

Object network Obj_RDP_192.168.1.11
1host 192.168.1.11
nat (inside, outside) static x.x.x.x service tcp 3389 2000

access-list outside_inside extended permit tcp any host 192.168.1.11 eq 2000


Please provide me a solution for the 2nd configuration line.

 

Regards,

Ejaz

4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

Ejaz

RDP to another internal machine  (Since the port 3389 already used for the first machine, I selected port 2000 here)

I don't understand what you mean here. You are using a different public IP ie. y.y.y.y so why do you need to use a different port number ?

I am assuming y.y.y.y is another of your public IPs and part of the same IP subnet as x.x.x.x ?

That aside can you run -

"packet-tracer input outside tcp 8.8.8.8 12345 y.y.y.y 2000"

and post results.

Jon

 

Thanks for the response Jon., Sorry my bad its same public IP. We have only one static public which is configured in firewall's WAN interface.

 

 

Thanks and Regards,

Ejaz

Ejaz

Okay, that's the problem.

Your first statement is a one to one mapping ie. it uses all ports so it never hits your second statement.

You need to rewrite your first statement to be a static PAT statement ie. like your second one but you can use port 3389 with the first statement, no need to translate the port.

Jon

Thank you Jon, I will Do that.

Ejaz

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: