09-15-2013 08:22 AM - edited 03-11-2019 07:38 PM
Hi there,
I have a test lab at home.
Verizon => Verizon Firewall => ASA 5505 => Computers
Right now I have access to the Internet from my computers after the ASA
I have installed ASDM 7.1 with ASA 9.1.2, but it is a shame for me that I cannot work with it.
I would like to setup a port forwarding to remote desktop to one of my computers after the ASA.
Would you please advise me how I can do it through ASDM or PuTTY?
There is no help for the new version of ASDM on the web.
Thank You in Advance for Your Time
My ASA configuration:
=====================================
CiscoASA5505(config)# show run
: Saved
:
ASA Version 9.1(2)
!
hostname CiscoASA5505
domain-name xyx.com
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xyx.com
object network obj-192.168.20.0
subnet 192.168.20.0 255.255.255.0
object-group network static-pat
access-list outside_in extended permit icmp any4 any4 echo-reply
access-list outside_in extended deny ip any4 any4 log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.20.0
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5d50f214ec6a6a34d3186bc61e63bc09
: end
=======================================
09-15-2013 08:26 AM
Hi,
You would need to configure something like this
object network PC
host 192.168.20.x
nat (inside,outside) static interface service tcp 3389 3389
access-list outside_in line 1 remark Allow RDP
access-list outside_in line 2 permit tcp any object PC eq 3389
The problem to me seems to be that you might have another device in front of the ASA which holds the actual public IP address?
If that is the case then you would have to do Static PAT (Port Forward) on that device too.
- Jouni
09-15-2013 09:39 AM
Hi Jouni,
Thank you so much for your reply.
Actually I knew the part between my home firewall and the ASA; it is working now.
Again Thanks a lot
12-01-2013 08:05 PM
Hello Jouni,
Something strange happened at my place: suddenly I lost my internet connection. I rebooted my firewall, and after 10 minutes I checked my test network behind the ASA5505;
my computers do not have access to the internet!
I guess when I applied your instruction previously I did not save my running config.
I added your instruction again but still I do not have access to internet.
Map:
Verizon -> Firewall -> ASA -> My Test Lab (No Internet)
|--> My other devices (Have Internet)
I have checked the cables and they are fine.
I am not sure if my ip address for the command below is correct
object network PC
host 192.168.20.1
=========================================
My Setting in the ASA is:
CiscoASA5505# show run
: Saved
:
ASA Version 9.1(2)
!
hostname CiscoASA5505
domain-name abc.com
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name abc.com
object network obj-192.168.20.0
subnet 192.168.20.0 255.255.255.0
object network PC
host 192.168.20.1
object-group network static-pat
access-list outside_in remark Allow RDP
access-list outside_in extended permit tcp any object PC eq 3389
access-list outside_in extended permit icmp any4 any4 echo-reply
access-list outside_in extended deny ip any4 any4 log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.20.0
nat (inside,outside) dynamic interface
object network PC
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e2b6b49bfe5ac8fe1c8c359e845f4350
: end
=========================
CiscoASA5505(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_in; 3 elements; name hash: 0xc5896c24
access-list outside_in line 1 remark Allow RDP
access-list outside_in line 2 remark Allow RDP
access-list outside_in line 3 extended permit tcp any object PC eq 3389 (hitcnt=0) 0xde73064f
access-list outside_in line 3 extended permit tcp any host 192.168.20.1 eq 3389 (hitcnt=0) 0xde73064f
access-list outside_in line 4 extended permit icmp any4 any4 echo-reply (hitcnt=0) 0x166f77cb
access-list outside_in line 5 extended deny ip any4 any4 log informational interval 300 (hitcnt=0) 0xb1248d92
12-02-2013 06:07 PM
Any idea?
12-02-2013 07:33 PM
I can see the problem from your config: your VLAN1 IP is the same as the object network PC.
interface Vlan1
nameif inside
security-level 100
ip 192.168.20.1 255.255.255.0
object network PC
host 192.168.20.1
Sent from Cisco Technical Support iPhone App
12-03-2013 05:44 AM
Hello,
Thank you so much for your reply.
Would you please advise me what the IP address should be instead?
object network PC
host 192.168.20.?
Thank you in advance for your time
Amir
12-03-2013 05:47 AM
Hi,
The IP address should be the IP address of your actual PC behind the ASA. Not the ASA interface IP address.
The IP address defined under the object defines the IP address for which we want to do the NAT translation for.
I don't think your PC's actual local IP address was mentioned at any point, so I don't know what that is.
- Jouni
12-03-2013 05:51 AM
Hello Jouni,
Thank you so much for your reply.
Now I know what the number should be.
Let me fix it tonight; I will update you with the result as soon as I have modified it.
Thank you for your time
Amir
12-03-2013 06:22 PM
Hello Jouni,
Please be informed that I decided to erase my ASA and reconfigure it.
I did not know that the NAT command changed after version 8.3, so all of my instructions are worthless now.
I found the link below to translate the NAT command:
https://supportforums.cisco.com/docs/DOC-9129
global (outside) 10 interface
nat (inside) 10 192.168.20.0 255.255.255.0
I thought the commands below were equivalent to the above:
object network obj-192.168.20.5_192.168.20.36
range 192.168.20.5 192.168.20.36
object network obj-192.168.20.0
subnet 192.168.20.0 255.255.255.0
nat (inside,outside) dynamic obj-192.168.20.5_192.168.20.36 interface
Now inside does not have access to outside
At the moment I am lost.
Amir
=====================
CiscoASA5505(config)# show run
: Saved
:
ASA Version 9.1(2)
!
hostname CiscoASA5505
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
object network obj-19
object network obj-192.168.20.5_192.168.20.36
range 192.168.20.5 192.168.20.36
object network obj-192.168.20.0
subnet 192.168.20.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.20.0
nat (inside,outside) dynamic obj-192.168.20.5_192.168.20.36 interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ba24bb28656db6af40b0efd20166b2fa
: end
12-03-2013 07:43 PM
Hello Amir
This will at least help you have access to the outside, and afterward you can configure your firewall according to your needs.
interface vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
interface vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface eth0/0
description "Connect to ISP"
switchport access vlan2
object network internal_lan.obj
subnet 192.168.20.0 255.255.255.0
nat (inside,outside) dynamic interface
Best regards,
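As an added example (not from this thread, and not Cisco's own tooling), the following Python audit parses an ASA 9.x running-config in the form posted above and flags the two mistakes the thread turns on: the static-PAT object `PC` whose `host` address is the VLAN1 inside interface IP rather than a computer behind the ASA, and the post-8.3 dynamic NAT whose mapped pool (`obj-192.168.20.5_192.168.20.36`) is the inside DHCP range instead of the outside interface. It also notes that the RDP rule admits any source. The sample config is constructed from the thread's lines; the corrected host address 192.168.20.10 is a made-up value standing in for the real PC.

```python
import ipaddress

# Constructed sample: a trimmed ASA 9.1 running-config reproducing both mistakes
# discussed in the thread (object host == VLAN1 IP; mapped pool == inside range).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.20.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
object network obj-192.168.20.5_192.168.20.36
 range 192.168.20.5 192.168.20.36
object network obj-192.168.20.0
 subnet 192.168.20.0 255.255.255.0
object network PC
 host 192.168.20.1
access-list outside_in extended permit tcp any object PC eq 3389
object network obj-192.168.20.0
 nat (inside,outside) dynamic obj-192.168.20.5_192.168.20.36 interface
object network PC
 nat (inside,outside) static interface service tcp 3389 3389
"""

# Same config with the two corrections the thread arrives at: a real host address
# for PC (192.168.20.10 is a constructed placeholder) and PAT to the outside interface.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "host 192.168.20.1\n", "host 192.168.20.10\n"
).replace("dynamic obj-192.168.20.5_192.168.20.36 interface", "dynamic interface")

def parse_asa(text):
    """Collect interfaces, network objects (with NAT lines) and ACL entries.
    Indentation is ignored, since pasted configs often lose it; context comes
    from the most recent 'interface' / 'object network' header line."""
    interfaces, objects, acls, ctx = {}, {}, [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "interface":
            ctx = ("if", words[1])
            interfaces.setdefault(words[1], {"nameif": None, "ip": None})
        elif words[:2] == ["object", "network"]:
            ctx = ("obj", words[2])
            objects.setdefault(words[2], {"host": None, "subnet": None, "range": None, "nat": []})
        elif words[0] == "access-list":
            acls.append(" ".join(words))
            ctx = None
        elif ctx and ctx[0] == "if":
            ifc = interfaces[ctx[1]]
            if words[0] == "nameif":
                ifc["nameif"] = words[1]
            elif words[:2] == ["ip", "address"] and words[2] != "dhcp":
                ifc["ip"] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")
        elif ctx and ctx[0] == "obj":
            obj = objects[ctx[1]]
            if words[0] == "host":
                obj["host"] = ipaddress.IPv4Address(words[1])
            elif words[0] == "subnet":
                obj["subnet"] = ipaddress.IPv4Network(f"{words[1]}/{words[2]}")
            elif words[0] == "range":
                obj["range"] = (ipaddress.IPv4Address(words[1]), ipaddress.IPv4Address(words[2]))
            elif words[0] == "nat":
                obj["nat"].append(words[1:])
    return interfaces, objects, acls

def object_addresses(obj):
    """All addresses an object covers, whichever form (host, subnet, range) it uses."""
    if obj["host"] is not None:
        return {obj["host"]}
    if obj["subnet"] is not None:
        return set(obj["subnet"].hosts())
    if obj["range"] is not None:
        lo, hi = obj["range"]
        return {ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)}
    return set()

def audit(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    interfaces, objects, acls = parse_asa(text)
    if_ips = {i["ip"].ip: i["nameif"] for i in interfaces.values() if i["ip"] is not None}
    inside_nets = [i["ip"].network for i in interfaces.values()
                   if i["nameif"] == "inside" and i["ip"] is not None]
    findings = []
    for name, obj in objects.items():
        for nat in obj["nat"]:  # e.g. ['(inside,outside)', 'static', 'interface', ...]
            if nat[1] == "static" and obj["host"] in if_ips:
                findings.append(f"object {name}: static NAT real address {obj['host']} is the "
                                f"{if_ips[obj['host']]} interface IP, not a host behind the ASA")
            if nat[1] == "dynamic" and len(nat) > 2 and nat[2] in objects:
                pool = object_addresses(objects[nat[2]])
                if any(a in net for a in pool for net in inside_nets):
                    findings.append(f"object {name}: dynamic NAT mapped pool {nat[2]} lies in the "
                                    f"inside network; use 'nat (inside,outside) dynamic interface'")
    for acl in acls:
        words = acl.split()
        if "permit" in words and "any" in words and words[-2:] == ["eq", "3389"]:
            findings.append(f"{acl}: RDP is reachable from any source; restrict the source "
                            f"addresses or reach the host over a VPN instead")
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label, audit(cfg))
```

Run against the posted form the audit reports three findings; against the corrected form only the "RDP from any source" note remains, which is the trade-off the original port-forward request implies and is worth reviewing separately.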
12-04-2013 05:23 AM
Hello mynet4lab,
Thank you so much for your reply.
Let me try it tonight; I will update the discussion as soon as I apply the new command.
Again Thank you
Amir
12-07-2013 08:21 PM
My Friends,
Thank you so much for your help.
Right now I have found out what happened to my system.
Last week Verizon changed my IP address and I did not pay attention to this matter.
So I wiped out my ASA (how silly of me).
1- I had to reconfigure the ASA and then fix the issue connecting inside and outside; see the link below:
https://supportforums.cisco.com/message/4111695#4111695
Good experience again
2- Then set the boot image to 912 (how? refer to the link above, JouniForss' email dated Dec 5, 2013 12:49 AM)
3- Then run the commands based on JouniForss' instruction (this link; go above to the reply dated Sep 15, 2013 9:26 AM)
Note: the commands run when the boot system is 912 (please correct me if I am wrong)
4- Then reset my new IP on my host.
5- Reset my new IP on my firewall.
Now everything is working
Thank you so much Jouni for your fantastic support. God Bless you.
Amir