Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2205
Views
0
Helpful
6
Replies

Port Forward (PAT) Version 8.6 - Public IP is presented to server insted of nat'd ip

Go to solution
Steffen Frederiksen
Level 1
Level 1

‎10-10-2012 04:18 AM - edited ‎03-11-2019 05:06 PM

I All

I'm trying to do a simple port forward on an ASA 5515-x software version 8.6(1)

Outside interface:

name-if: outside-gc

ip: 77.243.x.x

Inside interface:

name-if: inside

ip: 10.31.45.4

inside lan = 10.31.0.0/16

route table:

route outside-gc 0.0.0.0 0.0.0.0 77.243..x.x 1 1

route inside 10.31.0.0 255.255.0.0 10.31.45.1 1

Inside server:

Ip: 10.31.48.96 - ASA can ping this server (routing is working)

----

Nat/pat setup:

object network JV-LAN-WWW

subnet 10.31.0.0 255.255.0.0

nat (inside,outside-gc) dynamic interface (inside hosts overload outside-gc interface ip - its working..)

Port Forwarding:

object network obj-10.31.48.96

nat (any,outside-gc) static interface service tcp 3389 3389

access-list Outside_access_in extended permit tcp any host 10.31.48.96 eq 3389

The above configuration should port forward tcp 3389 to inside server 10.31.48.96 - but insted of showing the asa inside IP (10.31.45.4) to the server - it shows the public ip of the client trying to access outside-gc:3389 - since the inside server don't know how to route back to the requester public ip there will be a SYN timeout on the syslog on the ASA.

Why is the ASA show the public ip of the requester insted of it inside interface with a randon port number to the inside server??

SYSLOG:

6    Oct 10 2012    03:48:50    302013    2.128.149.39    39499    10.31.48.96    3389    Built inbound TCP connection 27750 for outside-gc:2.128.149.39/39499 (2.128.149.39/39499) to inside:10.31.48.96/3389 (77.243.x.x/3389)

6    Oct 10 2012    03:49:20    302014    2.128.149.39    39499    10.31.48.96    3389    Teardown TCP connection 27750 for outside-gc:2.128.149.39/39499 to inside:10.31.48.96/3389 duration 0:00:30 bytes 0 SYN Timeout

Capture from server:

92    12:35:39 10-10-2012    1.9467066       2.128.149.39    10.31.48.96    TCP    TCP:Flags=......S., SrcPort=46898, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=3177959598, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192    {TCP:17, IPv4:37}

93    12:35:39 10-10-2012    1.9467647        10.31.48.96    2.128.149.39    TCP    TCP:Flags=...A..S., SrcPort=MS WBT Server(3389), DstPort=46898, PayloadLen=0, Seq=2002762895, Ack=3177959599, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152    {TCP:17, IPv4:37}

If the TCP 3389 packet to the server was comming from 10.31.45.4:xxx the server would know how to route back and it would work..

What do I do wrong?

Regards, Steffen



Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Steffen Frederiksen

‎10-10-2012 05:29 AM

If you want to NAT the internet host to the inside interface of the ASA, you should be able to configure this:

object network internet-hosts

   subnet 0.0.0.0 0.0.0.0

   nat (outside-gc,inside) dynamic interface

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎10-10-2012 04:31 AM

Of course it is showing the public ip address of the requester, because the NATing is done for the inside server, not for the host ip address on the internet.

Why doesn't the inside server knows how to route back to the internet? the default gateway of the server is not pointing towards the ASA inside interface?

Are you trying to NAT both the inside server as well as the client on the internet?

0 Helpful

Go to solution
Steffen Frederiksen
Level 1
Level 1
In response to Jennifer Halim

‎10-10-2012 05:16 AM

No the default gateway not poiting back to the ASA where the request is comming from - its pointing to the production ASA. The ASA where the request is comming from is in test/configuring phase right now.

Is it just because the default gateway of the server is not the requesting ASA it doesn't work?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Steffen Frederiksen

‎10-10-2012 05:18 AM

Yes, you are absolutely correct. Because the default gateway of the server does not point back to the ASA, the SYN-ACK packet went to the production ASA, hence this new ASA is seeing "SYN timeout" as it doesn't receive the SYN-ACK packet.

0 Helpful

Go to solution
Steffen Frederiksen
Level 1
Level 1
In response to Jennifer Halim

‎10-10-2012 05:21 AM

Okay - I was expected it to be the "requesting" ASA inside interface with a random port number...

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Steffen Frederiksen

‎10-10-2012 05:29 AM

If you want to NAT the internet host to the inside interface of the ASA, you should be able to configure this:

object network internet-hosts

   subnet 0.0.0.0 0.0.0.0

   nat (outside-gc,inside) dynamic interface

0 Helpful

Go to solution
Steffen Frederiksen
Level 1
Level 1
In response to Jennifer Halim

‎10-10-2012 05:32 AM

Thank you for your help Jennifer.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card