03-03-2014 12:13 PM - edited 03-11-2019 08:52 PM
Hello and thank you for reading & helping out!
I have a customer whose servers we are trying to remotely monitor and manage. We have a management server, and I can set up the ACLs to have any/any port 3389 open and accessible, but we are trying to strengthen the inbound side simply by having a port redirection. Below is my code, which seems to be right according to all the other sites I have looked over trying to find out how to redirect ports on an ASA, as well as NAT in general with Cisco's CLI. I don't have ASDM capability; I am using SSH (PuTTY) and remoting into the firewall. When I try to switch the port access to 3390 with a port redirection (as shown below), I am not able to connect (nor will PortQry.exe show it as listening; rather, it comes back "filtered").
I think that I am doing the NAT in the wrong location, but if I try to do a global NAT with the other statements outside of the network object, I can't seem to get the ports to go through ( ' nat (inside,outside) source static any any service tcp 3390 3389 ' ); it says the port 3389 is 'invalid input'. I for one am lost, lol. Please help!
***ALL other code attempts work fine with 3389 in the ACL/object-NAT segments***
object network GLF-VCENTER
host 172.30.25.254
nat (inside,outside) static interface service tcp 3390 3389
access-list outside_access_in extended permit tcp any any eq 3390
03-03-2014 03:11 PM
Hello Dan,
Is port 3390 the real port of your server or the one you are using to connect?
Have you tried swapping the ports in the NAT configuration? The first one is the real port, and the second one should be the mapped port you type in order to connect.
object network GLF-VCENTER
host 172.30.25.254
nat (inside,outside) static interface service tcp 3389 3390
I hope it helps
regards,
Itzcoatl
03-04-2014 05:51 AM
@ Itzcoatl,
Yes, I've done both commands (below); neither works, and I understand the order of mapped/real ports. I know I had it backwards in my original statement (sorry).
HAVE TRIED BOTH:
nat (inside,outside) static interface service tcp 3389 3390
nat (inside,outside) static interface service tcp 3390 3389
~Dan
03-04-2014 07:32 AM
Hello Dan,
Have you also tried the ACL for port 3389?
Please share the exact configuration you have (using the right port mapping)
and also this:
packet-tracer input outside tcp 4.2.2.2 1025 interface_ip 3389
Then enable this capture
cap capout interface outside match tcp any host x.x.x.x (Interface_IP) eq 3389
cap capin interface inside match tcp any host x.x.x (Internal server IP) eq 3389
Afterwards try to connect Just Once and finally provide
show cap capout
show cap capin
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
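Julio's packet-tracer and capture steps show from the ASA side which stage drops the packet; from the outside, the PortQry result Dan saw ("filtered") already narrows it, because a dropped SYN, a SYN answered with RST, and a completed handshake each point at a different cause. The script below is an added example, not code from any poster in this thread: it performs the same full-connect probe PortQry does and maps each outcome onto the static-PAT setup discussed above. The hint about the outside ACL needing the real port on ASA 8.3 and later is my note on the post-8.3 NAT model (the direction Julio's "ACL for port 3389" question points in), not something either poster states; the address 203.0.113.10 in the trailing comment is a placeholder.

```python
"""Classify a TCP port the way PortQry/nmap do and map the result onto the
ASA "static interface service tcp <real> <mapped>" troubleshooting above.
Added example for this thread; not from the original posts."""
import errno
import socket

# Possible results of one connect probe.
OPEN, CLOSED, FILTERED, UNREACHABLE = "open", "closed", "filtered", "unreachable"


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Full-connect probe of host:port.

    open         SYN-ACK came back and the handshake completed
    closed       the far end answered RST: the packet got through, so NAT and
                 ACL are not the problem; nothing listens on that port
    filtered     no answer before the timeout: something dropped the SYN, which
                 is what an ASA does when no NAT/ACL matches the mapped port
    unreachable  the local stack or a router reported no route
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except socket.timeout:
            return FILTERED
        except ConnectionRefusedError:
            return CLOSED
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return UNREACHABLE
            raise


# What each result means for the thread's setup (my reading, not a poster's).
HINTS = {
    OPEN: "Static PAT works end to end.",
    CLOSED: "ASA translated and forwarded the SYN and the server sent RST. "
            "NAT and ACL are fine; check that the service listens on the real port.",
    FILTERED: "SYN was dropped. Check the NAT line (real port first, mapped port "
              "second) and the outside ACL (on ASA 8.3 and later it must permit the "
              "real port, not the mapped one); packet-tracer shows which stage drops it.",
    UNREACHABLE: "No route to the outside interface address; not an ASA NAT issue.",
}


def diagnose(host: str, mapped_port: int, timeout: float = 3.0) -> tuple:
    """Probe the mapped port on the ASA's outside address and explain the result."""
    state = probe_tcp(host, mapped_port, timeout)
    return state, HINTS[state]


def demo_local() -> dict:
    """Self-contained demo on loopback (no ASA needed): one probe against a
    live listener, one against the same port after the listener is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # kernel picks a free ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    with_listener = probe_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()
    without_listener = probe_tcp("127.0.0.1", port, timeout=2.0)
    return {"listening": with_listener, "not_listening": without_listener}


if __name__ == "__main__":
    print(demo_local())
    # Real use from the management server (placeholder address, mapped port 3390):
    # state, hint = diagnose("203.0.113.10", 3390); print(state, hint)
```

Run it from the management server against the ASA's outside address and the mapped port (3390 in Dan's case). A "filtered" result means the SYN never came back, so the ASA dropped it before or at translation; a "closed" result means the translation and ACL already work and the problem is on the server. The loopback demo only exercises the "open" and "closed" paths, since a dropped SYN cannot be simulated locally.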