06-03-2013 08:15 AM - edited 03-11-2019 06:52 PM
Hi all,
I have some problems with the NAT statements in ASA Version 8.4.
What I want is to translate the internal address of a server to the external address with a NAT rule.
The ASA has only one WAN connection (named outside).
The internal server has the IP address 192.168.0.221 (as an example) and I want to translate all incoming traffic on port 3389 to the server (192.168.0.221).
This is only for training; I don't want to forward port 3389 to the bad outside world in a production network.
First I create the network object for the inside server (192.168.0.221):
object network Network_Obj_RDP
host 192.168.0.221
After that I create the access rule for incoming traffic on the outside interface:
access-list outside_access_in extended permit ip any any log debugging
Next I create an access rule for the inside-prod network to allow the traffic to the RDP server:
access-list inside-prod_access_in extended permit object RDP interface outside object Network_Obj_RDP
Now I create the NAT rule in the network object (Network_Obj_RDP):
object network Network_Obj_RDP
nat (inside-prod,outside) static interface service tcp 3389 3389
But if I want to connect via 3389 on the outside interface, I see this entry in the syslog:
Built inbound TCP connection 23248 for outside:80.187.107.132/7445 (80.187.107.132/7445) to inside-prod:192.168.0.221/3389 (External IP/3389)
After a while the connection is torn down with this message:
Teardown TCP connection 23289 for outside:80.187.107.132/2294 to inside-prod:192.168.0.221/3389 duration 0:00:30 bytes 0 SYN Timeout
It looks like the ACL works fine, but the NAT translation is wrong...
Perhaps somebody has an idea to fix this.
Looking forward and hoping for help...
Many thanks
Greetings
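The two syslog messages quoted in the question are the key evidence: the Built line shows the SYN was translated and forwarded to the real inside address, and a Teardown with "bytes 0 SYN Timeout" means nothing ever came back from that host. The following script is an added example, not code from the thread or from Cisco; it parses ASA 302013/302014-style connection messages, checks that each inbound connection was translated to the host and port you expect, and flags the half-open connections that point at a host-side problem (host firewall, no listener, or the wrong real IP) rather than at the ACL or NAT. The log lines are constructed with RFC 5737 addresses, and the expected real IP and port are parameters you supply.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Regexes for the two ASA connection messages quoted in the thread
# (302013 "Built ... TCP connection" and 302014 "Teardown TCP connection").
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_map_ip>[\d.]+)/(?P<src_map_port>\d+)\) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_map_ip>[\d.]+)/(?P<dst_map_port>\d+)\)"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?"
)


@dataclass
class Verdict:
    conn_id: str
    nat_ok: bool   # translated (real) destination is the host/port we expect
    finding: str   # one-line classification of how the connection ended


def diagnose(log_text: str, expected_real_ip: str, expected_port: int) -> Dict[str, Verdict]:
    """Pair Built/Teardown messages by connection id and classify each flow."""
    built: Dict[str, Dict[str, str]] = {}
    verdicts: Dict[str, Verdict] = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        cid = m["id"]
        b: Optional[Dict[str, str]] = built.get(cid)
        # The Built line records the post-NAT (real) destination; compare it
        # with the server the rule was meant to reach.
        nat_ok = (b is not None and b["dst_ip"] == expected_real_ip
                  and int(b["dst_port"]) == expected_port)
        reason = (m["reason"] or "").strip()
        if int(m["bytes"]) == 0 and "SYN Timeout" in reason:
            # ACL and NAT passed the SYN; the inside host never answered.
            finding = ("no SYN-ACK from inside host: check host firewall, "
                       "listener on the port, or the real IP in the NAT rule")
        elif "FINs" in reason or "Reset" in reason:
            finding = "completed"
        else:
            finding = f"torn down: {reason or 'no reason given'}"
        if not nat_ok:
            seen = b["dst_ip"] if b else "?"
            finding = f"translated to {seen} instead of {expected_real_ip}; " + finding
        verdicts[cid] = Verdict(cid, nat_ok, finding)
    return verdicts


# Constructed sample log (RFC 5737 addresses); the first flow mirrors the
# thread's symptom, the second is a healthy RDP session to the right host.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 23248 for outside:203.0.113.10/7445 (203.0.113.10/7445) to inside-prod:192.168.0.221/3389 (198.51.100.1/3389)
%ASA-6-302014: Teardown TCP connection 23248 for outside:203.0.113.10/7445 to inside-prod:192.168.0.221/3389 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 23300 for outside:203.0.113.10/7500 (203.0.113.10/7500) to inside-prod:192.168.0.220/3389 (198.51.100.1/3389)
%ASA-6-302014: Teardown TCP connection 23300 for outside:203.0.113.10/7500 to inside-prod:192.168.0.220/3389 duration 0:05:12 bytes 48211 TCP FINs
"""

if __name__ == "__main__":
    # Assumed expected server: 192.168.0.220 on tcp/3389.
    for v in diagnose(SAMPLE_LOG, "192.168.0.220", 3389).values():
        print(f"conn {v.conn_id}: nat_ok={v.nat_ok} -> {v.finding}")
```

Run it against a real `show logging` capture or a syslog export and the verdicts tell you which of the three hops to look at: a wrong translated address means the NAT object, a "SYN Timeout / bytes 0" with the correct address means the host, and a missing Built line altogether means the ACL.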
06-03-2013 10:11 AM
If you do want to try another type of NAT to accomplish the same thing as you are trying now (in case a software bug is causing the problem), then you could try this configuration:
object network SERVER
host 192.168.0.220
object service RDP
service tcp source eq 3389
nat (inside-prod,outside) 1 source static SERVER interface service RDP RDP
EDIT: Note that the NAT configuration line IS NOT configured under any "object". It is configured in global configuration mode. Though you can probably still issue the command even if you are in some "object" configuration mode.
See if that works or makes any difference.
- Jouni
06-03-2013 10:29 AM
Waaaaaahhhhhh....
This morning I spoke to the administrator of this server and asked about firewall settings and all these things...
First I got the wrong IP address (192.168.0.221), and now he turned off the firewall and what happened?
It works...
Boah, I have to kick him very hard!!!
Thanks for your help.
I wish you a nice evening.
06-03-2013 10:41 AM
Hi,
Good to hear it works now.
Can you please mark a reply as the correct answer and/or rate helpful answers?
- Jouni
06-03-2013 10:44 AM
Thanks so much for your help, I think each answer was right.
Thanks a lot and wish you a nice day....