Please help me with this. I have upgraded my Cisco ASA from version 8.2 to 9.1. I know that Cisco made huge changes to the NAT configuration. The 8.2 firewall is configured with lots of static PAT and dynamic PAT lines, and now I am converting these lines to the 9.1 format. I have successfully configured the static PAT lines that mainly do port forwarding (i.e. the same port number on the external and internal side). But I got stuck on port redirection; it is not working for me. Please see the following lines that I configured on my firewall.
1. RDP connection to one of the internal machine from external
object network Obj_RDP_192.168.1.10
nat (inside,outside) static x.x.x.x
access-list outside_inside extended permit tcp any host 192.168.1.10 eq 3389
The above lines are working for me. I can RDP to the machine 192.168.1.10 from outside using the public IP x.x.x.x.
Now see the commands below, which are not working for me:
2. RDP to another internal machine (since port 3389 is already used for the first machine, I selected port 2000 here)
object network Obj_RDP_192.168.1.11
nat (inside,outside) static x.x.x.x service tcp 3389 2000
access-list outside_inside extended permit tcp any host 192.168.1.11 eq 2000
Please provide me with a solution for the second configuration.
RDP to another internal machine (since port 3389 is already used for the first machine, I selected port 2000 here)
I don't understand what you mean here. You are using a different public IP, i.e. y.y.y.y, so why do you need to use a different port number?
I am assuming y.y.y.y is another of your public IPs and part of the same IP subnet as x.x.x.x?
That aside can you run -
"packet-tracer input outside tcp 126.96.36.199 12345 y.y.y.y 2000"
and post results.
Thanks for the response, Jon. Sorry, my bad, it's the same public IP. We have only one static public IP, which is configured on the firewall's WAN interface.
Thanks and Regards,
Okay, that's the problem.
Your first statement is a one-to-one mapping, i.e. it uses all ports, so traffic never hits your second statement.
You need to rewrite your first statement as a static PAT statement, i.e. like your second one, but you can use port 3389 with the first statement; there is no need to translate the port.
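As an added illustration of the fix Jon describes (this is example configuration I wrote for ASA 9.1 syntax, not config posted by anyone in the thread), both objects become static PAT entries on the outside interface IP, so neither one claims every port. It assumes the single public IP is the outside interface address (hence the interface keyword), that the objects include their host lines, and that the ACL is applied inbound on outside.

```cisco
! Hypothetical example config (not from the thread). Assumes the only public
! IP is the address of the outside interface, so "interface" is used instead
! of x.x.x.x; a literal address that equals the interface IP would not be
! accepted for static PAT.

! First machine: static PAT on TCP 3389 only (real port = mapped port).
! Because it no longer maps every port, it cannot shadow the second entry.
object network Obj_RDP_192.168.1.10
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 3389 3389

! Second machine: external TCP 2000 redirected to internal TCP 3389.
object network Obj_RDP_192.168.1.11
 host 192.168.1.11
 nat (inside,outside) static interface service tcp 3389 2000

! On ASA 8.3+ the interface ACL matches the REAL (untranslated) address and
! port, so both entries permit 3389, not the mapped port 2000.
access-list outside_inside extended permit tcp any host 192.168.1.10 eq 3389
access-list outside_inside extended permit tcp any host 192.168.1.11 eq 3389
access-group outside_inside in interface outside

! Verification (as in Jon's suggestion): trace a packet to the mapped port.
! Source address is a placeholder; both NAT and ACL phases should show ALLOW.
! packet-tracer input outside tcp 203.0.113.5 12345 <outside-ip> 2000
! show nat detail   ! confirms both static PAT rules and their hit counts
```

If the second packet-tracer still fails at the ACL phase, the usual cause is an access-list line written against the mapped port 2000 rather than the real port 3389.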