06-24-2015 10:05 PM - edited 03-11-2019 11:11 PM
Hi Experts,
Please help me with this. I have upgraded my Cisco ASA from version 8.2 to 9.1. I know that Cisco made huge changes to the NAT configuration. The 8.2 firewall is configured with lots of static PAT and dynamic PAT lines. Now I am converting these lines to the 9.1 format. I have successfully configured the static PAT lines, which mainly do port forwarding (i.e. the same port number on external and internal). But I got stuck on port redirection; it is not working for me. Please see the following lines that I configured on my firewall:
1. RDP connection to one of the internal machine from external
object network Obj_RDP_192.168.1.10
 host 192.168.1.10
 nat (inside,outside) static x.x.x.x
access-list outside_inside extended permit tcp any host 192.168.1.10 eq 3389
The above lines are working for me. I can RDP to the machine 192.168.1.10 from external using the public IP x.x.x.x.
Now see the below command which is not working for me:
2. RDP to another internal machine (since port 3389 is already used for the first machine, I selected port 2000 here)
object network Obj_RDP_192.168.1.11
 host 192.168.1.11
 nat (inside,outside) static x.x.x.x service tcp 3389 2000
access-list outside_inside extended permit tcp any host 192.168.1.11 eq 2000
Please provide me with a solution for the second configuration block.
Regards,
Ejaz
06-26-2015 04:40 AM
Ejaz
RDP to another internal machine (since port 3389 is already used for the first machine, I selected port 2000 here)
I don't understand what you mean here. You are using a different public IP, i.e. y.y.y.y, so why do you need to use a different port number?
I am assuming y.y.y.y is another of your public IPs and part of the same IP subnet as x.x.x.x?
That aside can you run -
"packet-tracer input outside tcp 8.8.8.8 12345 y.y.y.y 2000"
and post results.
Jon
06-26-2015 04:52 AM
Thanks for the response, Jon. Sorry, my bad, it's the same public IP. We have only one static public IP, which is configured on the firewall's WAN interface.
Thanks and Regards,
Ejaz
06-26-2015 04:55 AM
Ejaz
Okay, that's the problem.
Your first statement is a one-to-one mapping, i.e. it uses all ports, so traffic never hits your second statement.
You need to rewrite your first statement to be a static PAT statement, i.e. like your second one, but you can use port 3389 with the first statement; there is no need to translate the port.
Jon
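The fix Jon describes, written out as an added example (not the thread's own configuration): both hosts become static PAT entries on the single public address, so neither one claims every port of it. It assumes x.x.x.x is the outside interface address, as Ejaz stated, so the interface keyword is used, and that outside_inside is the ACL applied inbound on outside.

```cisco
! Added example, not from the thread. Both RDP hosts share the outside
! interface address; each is a static PAT, so the first no longer
! consumes all ports of x.x.x.x and the second rule can be reached.
object network Obj_RDP_192.168.1.10
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 3389 3389
!
object network Obj_RDP_192.168.1.11
 host 192.168.1.11
 nat (inside,outside) static interface service tcp 3389 2000
!
! From 8.3 onward the interface ACL matches the real (untranslated)
! address and port, so both entries permit 3389 on the inside hosts,
! not the mapped port 2000.
access-list outside_inside extended permit tcp any host 192.168.1.10 eq 3389
access-list outside_inside extended permit tcp any host 192.168.1.11 eq 3389
access-group outside_inside in interface outside
!
! Verification from exec mode (8.8.8.8 is a constructed source address):
! each trace should show a static PAT hit and an ACL permit, and the
! hit counters on both NAT rules should increment.
! packet-tracer input outside tcp 8.8.8.8 12345 x.x.x.x 3389
! packet-tracer input outside tcp 8.8.8.8 12345 x.x.x.x 2000
! show nat detail
```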
06-26-2015 05:09 AM
Thank you, Jon. I will do that.
Ejaz