I still did.

But when asked to external ip address in the logs an error

Teardown TCP connection 6306058 for disbacak:83.220.236.74/29128 to icbacak:10.2.150.5/3389 duration 0:00:30 bytes 0 SYN Timeout

What had I done?

Hi,

Seems to me that there is some translation already for IP address 10.2.150.5 local IP address and the connection that is taken through the firewall is allowed.

The actual target machine doesnt respond to the connection attempt.

This doesnt seem to be a problem with the firewall. It seems to be a problem with the PC you are trying to connect to.

- Jouni

If connected to the LAN by 10.2.150.5 RDP, the connection is established.

When you connect the external IP an error.

Hi,

Its impossible for me to tell you the reason with this information.

I would suggest checking that the actual host is not blocking the connection from the Internet.

It could be some Windows related setting or software firewall or perhaps there is problem with the default gateway configuration of the host (though I would doubt it since it couldnt access Internet through the ASA if this was the case)

- Jouni

The problem is solved.

The fact was that, as is the gateway ip address of the proxy server.

If you register ip address tsistso then everything works.

Thanks for the advice and help.

I following your suggestion to the T and I cannot get my IIS server to come up.  i have disabled FW, NO AV, no matter what I try I cannot get to the server.  I can post the config if you have the time to tell me wtf I am doing wrong.

Thanks

Hi,

I went as far as changing my own ASA software from 8.4(5) to 9.1(1) and ASDM 7.1(1)52. I use the other software as there are some bugs related to NAT on the 9.1(1) software

I dont personally ever use ASDM for NAT and ACL configurations but here is how I would configure Port Forward / Static PAT through the ASDM

Go to Configuration -> Firewall -> NAT Rules -> Right Mouse Click to open the menu -> Choose Add "Network Object" NAT Rule

It will open the following window which you can configure in the following way

Where

• PORT-FORWARD = Is the name of the Object that will contain the Real IP address of the host and the actual NAT configuration
• 10.0.0.100 = Is a example Real IP address
• WAN = Is the "nameif" of my "outside" interface

Next click Advanced on the window, it will open the following window, where you can fill the port and interface information

Where

• LAN = Is my "inside" interface
• WAN = Is my "outside" interface
• tcp = Is the protocol used (can be udp if you want/need)
• 1111 = Is the actual port on the LAN host
• 2222 = is the mapped port that is visible to the WAN

Finally Click Ok on all windows and then Apply

The ASDM will insert the configurations in CLI format to the ASA

      object network PORT-FORWARD

        host 10.0.0.100

        nat (LAN,WAN) static interface service tcp 1111 2222

As you can see pretty simple configurations on the CLI instead of jumping between different windows and options on the ASDM.

Naturally you will need an ACL allowing this traffic also from the "outside" or "WAN" interface, whatever you are using.

You will need to open the traffic by using the REAL IP and REAL PORT

So for example the ACL rule allowing this traffic from Internet could look like this

access-list WAN-IN extended permit tcp host 1.1.1.1 object PORT-FORWARD eq 1111

Please rate if the information has been helpfull

- Jouni

Long dead thread, but this saved my assignment tonight.

thanks!