11-17-2013 05:22 PM - last edited on 03-25-2019 05:52 PM by ciscomoderator
This is my first time trying to bring an ASA5505 into a network. I cannot get internet access. I also want to be able to RDP into the server from the outside. I used the startup wizard in the ASDM software, but still cannot get internet access. I think it has to do with NAT/PAT, but I am not sure where to go from here to fix this. Any help is greatly appreciated. Here is the running-config. We don't need DHCP as we use it on the server, and any other suggestions would be appreciated for best practices.
11-18-2013 01:43 AM
Hi,
For Internet access you are lacking the default route from the ASA, add the default route with the correct gateway IP
route outside 0.0.0.0 0.0.0.0
If you are having problems with ICMP then add
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
For the NAT / Static PAT do the following changes
object network RDP
host 192.168.1.106
no nat (outside,inside) static 192.168.1.106 net-to-net service tcp 3389 3389
nat (inside,outside) static interface service tcp 3389 3389
Notice that the above changes are done under the "object". So first issue the command "object network RDP" to move into the correct configuration mode. Then you will enter the correct source "host" for the "nat" configuration. Finally you will remove the current "nat" command and enter the new "nat" command.
What the new "nat" command will do is do Static PAT (Port Forward) for the internal host 192.168.1.106 and use the public IP address of your "outside" interface because we have used the parameter "interface" in the configuration.
You will naturally also need an "access-list" to permit traffic from the external/public network. The thing to consider here is whether you know the public source IP address where the RDP connections are coming from. Are you always connecting from the same public IP address? If you do know the source IP address, then insert it into the below ACL
access-list OUTSIDE-IN remark Allow RDP connections
access-list OUTSIDE-IN permit tcp host
If you don't know the public source IP address where you connect with RDP from, then you will have to use "any" instead of the "host". Though that will naturally open up this port for any public/external user to try connecting to your server. In this case you would add the ACL
access-list OUTSIDE-IN permit tcp any object RDP eq 3389
With either of the above ACLs you will have to attach it to the ASA interface also with the command
access-group OUTSIDE-IN in interface outside
Naturally you also have the option to configure VPN Client on the ASA in which case you get secure access to the internal servers without opening any connections from the external/public network.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more though
- Jouni
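The steps in the answer above, collected into one ordered ASA 8.3+ configuration fragment with verification commands. This is an added example, not configuration from the thread or from Cisco; the ISP gateway (203.0.113.1), the ASA's own outside address (203.0.113.10) and the administrator's fixed public IP (198.51.100.25) are assumed RFC 5737 documentation addresses, and only the RDP server address 192.168.1.106 comes from the thread.

```text
! Assumed addresses for this added example (RFC 5737 documentation ranges):
!   ASA outside interface 203.0.113.10/24, ISP gateway 203.0.113.1
!   administrator's fixed public IP 198.51.100.25
!   RDP server on the LAN 192.168.1.106 (the address used in the thread)
!
! 1. Default route towards the ISP gateway. The trailing "1" is the
!    administrative distance; the ASA appends it automatically if omitted.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! 2. ICMP inspection, so echo replies to pings from the LAN are let back in.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 3. Static PAT (port forward): outside-interface-IP:3389 -> 192.168.1.106:3389.
!    The "nat" line belongs under the network object (object NAT).
object network RDP
 host 192.168.1.106
 nat (inside,outside) static interface service tcp 3389 3389
!
! 4. Inbound ACL. On ASA 8.3+ the ACL is written against the REAL (inside)
!    address, so the destination is the object, not the public IP.
!    Restricting the source to one known address is strongly preferred;
!    "permit tcp any object RDP eq 3389" exposes RDP to the whole Internet.
access-list OUTSIDE-IN remark Allow RDP only from the administrator's fixed public IP
access-list OUTSIDE-IN permit tcp host 198.51.100.25 object RDP eq 3389
access-group OUTSIDE-IN in interface outside
!
! Leave the existing dynamic PAT rule in place; it is what gives the LAN
! hosts their Internet access:
!   nat (inside,outside) after-auto source dynamic any interface
!
! 5. Verification. packet-tracer must use the PUBLIC (pre-NAT) address as
!    the destination, because that is what actually arrives on "outside";
!    the ASA untranslates it to 192.168.1.106 in the UN-NAT phase.
show route
show nat
packet-tracer input outside tcp 198.51.100.25 12345 203.0.113.10 3389
```

The packet-tracer output should walk through the route lookup, the UN-NAT of 203.0.113.10:3389 to 192.168.1.106:3389 and the OUTSIDE-IN access-list, and end with input-interface outside, output-interface inside and "Action: allow". If the ACL phase is the one that drops the packet, the source address in the ACL does not match the address you traced from; if the route phase drops it, the default route is still missing.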
11-18-2013 03:36 AM
Thank you very much for your patience and help. Please check my current work. A few questions:
1) With the outside default route, I see in the outside route it added the number 1 on the end. I think this means a default admin distance of 1 hop?
2) I think the RDP needs some more work. Do I need to remove this line:
nat (inside,outside) after-auto source dynamic any interface
3) I see under policy-map global_policy it added inspect icmp and inspect icmp error, so this is working? This is for pings outside of the LAN?
I also want to set up VPN, but I will need help with that too.
11-18-2013 03:49 AM
Hi,
Did the connection to the Internet work after adding the default route? I didn't see anything else that should be a problem.
If you added the needed NAT and ACL Configurations then it should work unless there are some problems on the actual server.
You can try the "packet-tracer" command on the ASA to test its configurations
packet-tracer input outside tcp
Insert that matches the ACL rule you created and insert your public IP address configured on the ASA to the
Post that output
You should not remove the other "nat" configuration as that is the Dynamic PAT translation for all the LAN users towards Internet.
The ICMP inspections are basically meant to automatically allow the ICMP Echo reply back to the host on the LAN if it sends ICMP to something on the Internet.
For VPN you would have to use either the old Cisco IPsec VPN Client or the Cisco AnyConnect Client, depending on whether you have the software for that on the ASA. The actual configuration is probably best done through the Wizard, and if it doesn't work then we could look at the configuration again.
- Jouni
11-18-2013 08:46 PM
It could be related to needing to define IPv4 on the ACL, but please run the packet tracer; it should tell us.
11-19-2013 01:55 AM
11-19-2013 02:11 AM
Hi,
What did you add?
If the "packet-tracer" goes through from the CLI and not from the ASDM, then you have probably given some wrong information on the ASDM side in its GUI.
The main thing is that connections are working. At least, I understood so from your reply?
- Jouni
11-19-2013 02:46 AM
Yes, we are working, thanks. For the packet tracer in ASDM:
For interface - select outside
Source IP - my public IP address
Source port - 12345
Destination IP: 192.168.1.106
Destination port: 3389
Is this correct?
11-19-2013 02:50 AM
Hi,
No, it should be
Please remember to mark a reply as the correct answer if it answered your question and rate helpful answers.
Though naturally ask more if there is still something that needs looking into.
- Jouni
11-19-2013 02:56 AM
That was it. It worked correctly. Thanks again. I want to study some more before I attempt the VPN setup. I will open a new thread when I am ready to start, or fail.
11-19-2013 02:59 AM
Hi,
OK, let's look at the VPN setup if needed when you have had time to set it up.
- Jouni