
Port forwarding problem

henry9876
Level 1

Hello all, looking for some assistance.

I am simply trying to grant RDP access from the outside Internet to an internal host -- 10.0.11.254 -- on the inside-2 network. The config below is edited, but I think I have all the relevant pieces in there.

Thanks for taking a look!

-----------------

: Saved
: Written by enable_15 at 20:17:55.312 UTC Wed Jul 11 2012
!
ASA Version 8.2(1)
!
name 170.1.1.1 WAN-IP
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.3.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address WAN-IP 255.255.255.248
!
interface Vlan3
 nameif inside-2
 security-level 100
 ip address 10.0.11.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 switchport protected
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport protected
 speed 100
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
 speed 100
 duplex full
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
 description for port 3389
 port-object eq 3389
access-list outside_rdp_in extended permit tcp any interface outside eq 3389
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside-2) 1 0.0.0.0 0.0.0.0
static (inside-2,outside) tcp interface 3389 10.0.11.254 3389 netmask 255.255.255.255
static (inside,inside-2) 10.0.3.0 10.0.3.0 netmask 255.255.255.0
static (inside-2,inside) 10.0.11.0 10.0.11.0 netmask 255.255.255.0
access-group outside_rdp_in in interface outside
route outside 0.0.0.0 0.0.0.0 170.1.1.2 1
dynamic-access-policy-record DfltAccessPolicy
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
: end
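
Whether the NAT/ACL pair above is correct depends on the ASA release. On 8.2 and earlier (what this box runs) an interface ACL matches the mapped address, so `permit tcp any interface outside eq 3389` is the right form; on 8.3 and later the same ACL would have to name the real host 10.0.11.254 instead, and a copy-pasted 8.2 rule silently stops matching. The following script is an added example written for this thread, not Cisco tooling or the poster's code: it pulls the four relevant lines out of a config excerpt, checks that the static, the ACL and the access-group agree for the stated version, and flags the hardening gap that a source of `any` leaves RDP reachable from the entire Internet. The regexes are an assumption that covers only the two-line pattern posted here, not the full ASA grammar.

```python
"""Check that an ASA static PAT and the ACL admitting it agree for the release.

Added example for this thread, not Cisco tooling. The regexes cover only the
two-line pattern in the post (a pre-8.3 `static ... tcp` plus one extended ACL
entry and its access-group), not the full ASA grammar. The rule they test is
the real version split: on 8.2 and earlier an interface ACL matches the mapped
(translated) address; on 8.3 and later it matches the real address.
"""
import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"ASA Version (?P<major>\d+)\.(?P<minor>\d+)")
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) tcp "
    r"(?P<mapped>\S+) (?P<mapped_port>\d+) (?P<real>\S+) (?P<real_port>\d+)"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp "
    r"(?P<src>any|host \S+|\S+ \S+) "
    r"(?P<dst>interface [\w-]+|host \S+|any) eq (?P<port>\d+)"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>[\w-]+)")


@dataclass
class StaticPat:
    real_if: str
    mapped_if: str
    mapped: str        # an IP, a configured `name`, or the literal "interface"
    mapped_port: int
    real: str
    real_port: int


@dataclass
class Acl:
    name: str
    src: str           # "any", "host X" or "NET MASK"
    dst: str           # "interface outside", "host X" or "any"
    port: int


def parse_config(text):
    """Pull the version, tcp static, ACL entry and access-group out of an excerpt."""
    version = static = acl = group = None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := VERSION_RE.search(line):
            version = (int(m["major"]), int(m["minor"]))
        elif m := STATIC_RE.match(line):
            static = StaticPat(m["real_if"], m["mapped_if"], m["mapped"],
                               int(m["mapped_port"]), m["real"], int(m["real_port"]))
        elif m := ACL_RE.match(line):
            acl = Acl(m["name"], m["src"], m["dst"], int(m["port"]))
        elif m := GROUP_RE.match(line):
            group = (m["name"], m["iface"])
    if None in (version, static, acl, group):
        raise ValueError("excerpt lacks the version, static, ACL or access-group line")
    return version, static, acl, group


def check_forward(version, static, acl, group):
    """Return findings as strings; an empty list means the forward is consistent."""
    findings = []
    group_name, group_if = group
    if group_name != acl.name:
        findings.append(f"access-group applies {group_name}, but the rule is in {acl.name}")
    if group_if != static.mapped_if:
        findings.append(f"ACL is bound to {group_if}, static maps onto {static.mapped_if}")
    if version < (8, 3):
        want_dst = (f"interface {static.mapped_if}" if static.mapped == "interface"
                    else f"host {static.mapped}")
        want_port, why = static.mapped_port, "pre-8.3 ACLs match the mapped address"
    else:
        want_dst, want_port, why = f"host {static.real}", static.real_port, "8.3+ ACLs match the real address"
    if (acl.dst, acl.port) != (want_dst, want_port):
        findings.append(f"ACL destination '{acl.dst} eq {acl.port}' should be "
                        f"'{want_dst} eq {want_port}' ({why})")
    if acl.src == "any":
        findings.append("WARN: source 'any' exposes RDP to every Internet host; "
                        "restrict it to the administrators' source addresses")
    return findings


# The four relevant lines, copied from the posted config.
POSTED = """\
ASA Version 8.2(1)
access-list outside_rdp_in extended permit tcp any interface outside eq 3389
static (inside-2,outside) tcp interface 3389 10.0.11.254 3389 netmask 255.255.255.255
access-group outside_rdp_in in interface outside
"""


def audit(text):
    return check_forward(*parse_config(text))
```

Run against the posted lines on 8.2(1), `audit(POSTED)` returns only the source-`any` warning, which matches Karsten's reading that the NAT and ACL are in place. Change the version line to 9.x, or write the ACL against the real host while still on 8.2, and it reports the mismatch with the reason.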


4 Replies

Your NAT and ACL are in place. That looks good. Please post the output of the following command:

packet-tracer input outside tcp 1.2.3.4 1234 170.1.1.1 3389

Thank you, Karsten.

NOTE: The address 170.1.1.1 is not the actual address. For the packet-trace, I replaced it with the actual outside address; the output follows.

ciscoasa# packet-tracer input outside tcp 1.2.3.4 1234 17x.x.x.x 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside-2,outside) tcp interface 3389 10.0.11.254 3389 netmask 255.255.255.255
  match tcp inside-2 host 10.0.11.254 eq 3389 outside any
    static translation to WAN-IP/3389
    translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside-2
Untranslate WAN-IP/3389 to 10.0.11.254/3389 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_rdp_in in interface outside
access-list outside_rdp_in extended permit tcp any interface outside eq 3389
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside-2,outside) tcp interface 3389 10.0.11.254 3389 netmask 255.255.255.255
  match tcp inside-2 host 10.0.11.254 eq 3389 outside any
    static translation to WAN-IP/3389
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside-2,inside) inside-2-network inside-2-network netmask 255.255.255.0
  match ip inside-2 inside-2-network 255.255.255.0 inside any
    static translation to inside-2-network
    translate_hits = 101, untranslate_hits = 249
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1556762, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside-2
output-status: up
output-line-status: up
Action: allow
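
The trace above says everything the ASA's own policy can say: the packet is un-NATed by the expected static, permitted by the expected ACL, and would be delivered on inside-2. On a real troubleshooting session you usually read several of these, and the questions are always the same: what was the final action, which phase said DROP, which NAT rule was applied, and did anything unexpected (such as a VPN phase) run. The following parser is an added example written for this thread, not Cisco tooling or the poster's code. ALLOW_TRACE is abridged from the output above; DROP_TRACE is constructed to show the shape of a trace that the interface ACL's implicit deny rejects, which is what you would see here if the ACL did not match.

```python
"""Summarise ASA packet-tracer output: find the phase that decided the verdict.

Added example for this thread, not Cisco tooling. ALLOW_TRACE is abridged from
the reply above; DROP_TRACE is constructed to show a trace the ACL rejects."""
from dataclasses import dataclass, field

ALLOW_TRACE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside-2,outside) tcp interface 3389 10.0.11.254 3389 netmask 255.255.255.255
Additional Information:
Untranslate WAN-IP/3389 to 10.0.11.254/3389 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_rdp_in in interface outside
access-list outside_rdp_in extended permit tcp any interface outside eq 3389

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

Result:
input-interface: outside
output-interface: inside-2
Action: allow
"""

# Constructed, not from the post: the same probe when no ACL entry permits
# it, so the interface ACL's implicit deny drops it.
DROP_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines listed under "Config:"


def parse_packet_tracer(text):
    """Return (phases, summary); summary holds the trailing 'key: value' lines."""
    phases, summary, cur, in_config = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = (s.strip() for s in line.partition(":"))
        if key == "Phase":
            cur = Phase(int(value))
            phases.append(cur)
            in_config = False
        elif key == "Result" and not value:        # a bare "Result:" opens the summary
            cur, in_config = None, False
        elif cur is None:
            if sep:
                summary[key] = value
        elif key in ("Type", "Subtype", "Result") and sep:
            setattr(cur, key.lower(), value)
        elif key == "Config" and sep:
            in_config = True
        elif key == "Additional Information" and sep:
            in_config = False
        elif in_config:
            cur.config.append(line)                # the static/ACL entry that matched
    return phases, summary


def verdict(text):
    """Final action, first non-ALLOW phase, NAT rules applied, VPN phase present."""
    phases, summary = parse_packet_tracer(text)
    blocker = next((p for p in phases if p.result.upper() != "ALLOW"), None)
    return {
        "action": summary.get("Action", ""),
        "blocked_by": f"phase {blocker.number} {blocker.type}/{blocker.subtype}" if blocker else None,
        "drop_reason": summary.get("Drop-reason"),
        "nat_rules": [p.config[0] for p in phases if p.type in ("UN-NAT", "NAT") and p.config],
        "vpn_phase": any(p.type == "VPN" for p in phases),
    }
```

`verdict(ALLOW_TRACE)` reports `action: allow`, no blocking phase, the inside-2 static as the NAT rule, and `vpn_phase: True`; `verdict(DROP_TRACE)` names phase 2 ACCESS-LIST/log and the `acl-drop` reason. Packet-tracer only simulates the path through the ASA's own policy, so it cannot answer the remaining question of whether a probe from the Internet ever arrives at the outside interface. For that, run a capture while a client connects (`capture rdp interface outside match tcp any host <outside-ip> eq 3389`, then `show capture rdp`): if no SYN to port 3389 appears, the traffic is being dropped upstream.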

Hi,

Do you have some kind of LAN-to-LAN VPN configuration on the ASA, or why is the packet-tracer giving a Phase for VPN also?

- Jouni

Yes, there are several LAN-to-LAN VPN tunnels. I cut those out of the posted config because I thought they weren't relevant and they have a lot of public IPs and other revealing info.

I can edit and post it if you feel that it would be helpful.

I have some suspicion that the RDP request from outside is not even getting to the ASA. There is a "gateway" from our cable internet provider in front of the ASA, which might be doing some filtering. I will check that.
