10-10-2012 04:18 AM - edited 03-11-2019 05:06 PM
Hi All,
I'm trying to do a simple port forward on an ASA 5515-x software version 8.6(1)
Outside interface:
name-if: outside-gc
ip: 77.243.x.x
Inside interface:
name-if: inside
ip: 10.31.45.4
inside lan = 10.31.0.0/16
route table:
route outside-gc 0.0.0.0 0.0.0.0 77.243.x.x 1 1
route inside 10.31.0.0 255.255.0.0 10.31.45.1 1
Inside server:
Ip: 10.31.48.96 - ASA can ping this server (routing is working)
----
Nat/pat setup:
object network JV-LAN-WWW
subnet 10.31.0.0 255.255.0.0
nat (inside,outside-gc) dynamic interface (inside hosts overload outside-gc interface ip - its working..)
Port Forwarding:
object network obj-10.31.48.96
nat (any,outside-gc) static interface service tcp 3389 3389
access-list Outside_access_in extended permit tcp any host 10.31.48.96 eq 3389
The above configuration should port forward tcp 3389 to inside server 10.31.48.96 - but instead of showing the ASA inside IP (10.31.45.4) to the server, it shows the public IP of the client trying to access outside-gc:3389. Since the inside server doesn't know how to route back to the requester's public IP, there is a SYN timeout in the syslog on the ASA.
Why is the ASA showing the public IP of the requester instead of its inside interface with a random port number to the inside server??
SYSLOG:
6 Oct 10 2012 03:48:50 302013 2.128.149.39 39499 10.31.48.96 3389 Built inbound TCP connection 27750 for outside-gc:2.128.149.39/39499 (2.128.149.39/39499) to inside:10.31.48.96/3389 (77.243.x.x/3389)
6 Oct 10 2012 03:49:20 302014 2.128.149.39 39499 10.31.48.96 3389 Teardown TCP connection 27750 for outside-gc:2.128.149.39/39499 to inside:10.31.48.96/3389 duration 0:00:30 bytes 0 SYN Timeout
Capture from server:
92 12:35:39 10-10-2012 1.9467066 2.128.149.39 10.31.48.96 TCP TCP:Flags=......S., SrcPort=46898, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=3177959598, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:17, IPv4:37}
93 12:35:39 10-10-2012 1.9467647 10.31.48.96 2.128.149.39 TCP TCP:Flags=...A..S., SrcPort=MS WBT Server(3389), DstPort=46898, PayloadLen=0, Seq=2002762895, Ack=3177959599, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:17, IPv4:37}
If the TCP 3389 packet to the server was coming from 10.31.45.4:xxx the server would know how to route back and it would work..
What do I do wrong?
Regards, Steffen
10-10-2012 04:31 AM
Of course it is showing the public ip address of the requester, because the NATing is done for the inside server, not for the host ip address on the internet.
Why doesn't the inside server know how to route back to the internet? Is the default gateway of the server not pointing towards the ASA inside interface?
Are you trying to NAT both the inside server as well as the client on the internet?
10-10-2012 05:16 AM
No, the default gateway is not pointing back to the ASA where the request is coming from - it's pointing to the production ASA. The ASA where the request is coming from is in test/configuring phase right now.
Is it just because the default gateway of the server is not the requesting ASA it doesn't work?
10-10-2012 05:18 AM
Yes, you are absolutely correct. Because the default gateway of the server does not point back to the ASA, the SYN-ACK packet went to the production ASA, hence this new ASA is seeing "SYN timeout" as it doesn't receive the SYN-ACK packet.
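The diagnosis above can be read straight off the 302013/302014 pair: the 302013 "Built" message prints the real address followed by the mapped address in parentheses, so an untranslated client source is visible when the two are equal, and a 302014 teardown with "bytes 0 SYN Timeout" on the same connection id shows the SYN-ACK never came back through this ASA. The following parser is an added example, not part of the thread; it runs over constructed copies of the two syslog lines quoted in the question, with 192.0.2.10 standing in for the masked 77.243.x.x public address.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the 302013/302014 messages in the thread;
# 192.0.2.10 is a placeholder for the ASA's masked public address (77.243.x.x).
SAMPLE_LOG = [
    "6 Oct 10 2012 03:48:50 302013 2.128.149.39 39499 10.31.48.96 3389 Built inbound TCP "
    "connection 27750 for outside-gc:2.128.149.39/39499 (2.128.149.39/39499) "
    "to inside:10.31.48.96/3389 (192.0.2.10/3389)",
    "6 Oct 10 2012 03:49:20 302014 2.128.149.39 39499 10.31.48.96 3389 Teardown TCP "
    "connection 27750 for outside-gc:2.128.149.39/39499 to inside:10.31.48.96/3389 "
    "duration 0:00:30 bytes 0 SYN Timeout",
]

# 302013 layout: for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)
BUILT_RE = re.compile(
    r"Built inbound TCP connection (?P<cid>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_real>[\d.]+)/\d+ \((?P<src_mapped>[\d.]+)/\d+\) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_real>[\d.]+)/(?P<dst_port>\d+) \((?P<dst_mapped>[\d.]+)/\d+\)"
)
# 302014 layout ends with: duration <h:mm:ss> bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<cid>\d+) for .* bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

@dataclass
class Finding:
    conn_id: str
    server_sees_source: str      # source address the inside server receives the SYN from
    source_translated: bool      # False when mapped source == real source (no source NAT)
    notes: list = field(default_factory=list)

def analyze(lines):
    """Correlate 302013/302014 lines by connection id and flag port forwards whose
    untranslated client source never produced a SYN-ACK back through this ASA."""
    findings = {}
    for line in lines:
        if m := BUILT_RE.search(line):
            f = Finding(m["cid"], m["src_mapped"], m["src_mapped"] != m["src_real"])
            if not f.source_translated:
                f.notes.append(f"{m['dst_real']}:{m['dst_port']} must route {m['src_real']} back via this ASA")
            findings[f.conn_id] = f
        elif m := TEARDOWN_RE.search(line):
            f = findings.get(m["cid"])
            if f and m["reason"].strip() == "SYN Timeout" and m["bytes"] == "0":
                f.notes.append("SYN Timeout with 0 bytes: no SYN-ACK reached this ASA (asymmetric return path)")
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG).values():
        print(f)
```

Once the server's default gateway points at this ASA, or the source NAT suggested later in the thread is added, the same connection would show a non-zero byte count and a normal teardown reason instead of the two notes.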
10-10-2012 05:21 AM
Okay - I was expecting it to be the "requesting" ASA inside interface with a random port number...
10-10-2012 05:29 AM
If you want to NAT the internet host to the inside interface of the ASA, you should be able to configure this:
object network internet-hosts
subnet 0.0.0.0 0.0.0.0
nat (outside-gc,inside) dynamic interface
10-10-2012 05:32 AM
Thank you for your help Jennifer.