Simple RDP port forward will not work- ASA 5505

Dennis Topo Jr
Level 1

Hello all. I'm having a hard time here trying to do a simple RDP port forward to one of my inside boxes. I've done this before on other ASAs but just can't seem to get this to work!

Below is the pertinent config. I just want to be able to hit my outside ASA IP and RDP to my Windows box. I left the source address at any for now but would obviously restrict that when it's working.

This is a new config, very clean, nothing special going on. The weird thing is my UDP ports for my phone system are forwarding fine (registering phones/trunks etc.). I double-checked my objects and all is in order.

I also don't receive anything in the ASDM log when trying to connect from the outside, almost like it's being blocked along the way, but I had this working on my simple Linksys router last week before I replaced it with the ASA, so it's doubtful that's the case.

Any help is appreciated!

ASA-1# show ver

Cisco Adaptive Security Appliance Software Version 9.2(3)
Device Manager Version 7.3(2)

ASA-1# show run access-list
access-list OUTSIDE_ACCESS_IN extended permit object RTP_AUDIO any object FREE_PBX
access-list OUTSIDE_ACCESS_IN remark SIP registration ports.
access-list OUTSIDE_ACCESS_IN extended permit object-group FREE_PBX_PORTS any object FREE_PBX
access-list OUTSIDE_ACCESS_IN remark You want only echo-reply here, so only pings initiated from the inside can reply back
access-list OUTSIDE_ACCESS_IN extended permit object-group DM_INLINE_SERVICE_1 any any
access-list OUTSIDE_ACCESS_IN extended permit object RDP any object WIN8-1 log debugging

ASA-1# show run nat
nat (inside,outside) source static DTECH_INSIDE_NET DTECH_INSIDE_NET destination static VPNClientNet VPNClientNet no-proxy-arp route-lookup description NAT Exemption for VPN Clients
nat (inside,outside) source static FREE_PBX interface service SIP_REG_TCP SIP_REG_TCP description FREE_PBX NAT SIP Reg TCP
nat (inside,outside) source static FREE_PBX interface service SIP_REG_RANGE_UDP SIP_REG_RANGE_UDP description FREE_PBX NAT SIP Reg UDP Range
nat (inside,outside) source static FREE_PBX interface service RTP_AUDIO RTP_AUDIO description FREE_PBX NAT RTP Audio
nat (inside,outside) source dynamic DTECH_INSIDE_NET interface description PAT to Internet for DTECH Hosts
!
object network WIN8-1
 nat (inside,outside) static interface service tcp 3389 3389

ASA-1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static DTECH_INSIDE_NET DTECH_INSIDE_NET   destination static VPNClientNet VPNClientNet no-proxy-arp route-lookup description NAT Exemption for VPN Clients
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static FREE_PBX interface   service SIP_REG_TCP SIP_REG_TCP description FREE_PBX NAT SIP Reg TCP
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static FREE_PBX interface   service SIP_REG_RANGE_UDP SIP_REG_RANGE_UDP description FREE_PBX NAT SIP Reg UDP Range
    translate_hits = 142, untranslate_hits = 236
4 (inside) to (outside) source static FREE_PBX interface   service RTP_AUDIO RTP_AUDIO description FREE_PBX NAT RTP Audio
    translate_hits = 33, untranslate_hits = 74
5 (inside) to (outside) source dynamic DTECH_INSIDE_NET interface   description PAT to Internet for DTECH Hosts
    translate_hits = 7215, untranslate_hits = 47

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WIN8-1 interface   service tcp 3389 3389
    translate_hits = 0, untranslate_hits = 0

Accepted Solution

Jon Marshall
Hall of Fame

Your dynamic PAT for your inside hosts is being matched because it is in section 1 and so it never gets to your static PAT in section 2.

Your phone system works because it is above your dynamic PAT in section 1.

There are any number of ways to fix this, i.e.:

1) move your static PAT to section 1 and use a line number to place it above the dynamic PAT (you can order the NAT rules in sections 1 and 3)

2) move your dynamic PAT to section 2 where the static PAT should take precedence

3) move your dynamic PAT to section 3 using the "after-auto" keyword.

See this doc for full details on 8.3 NAT:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Note the recommendation in that document is to put your general dynamic PAT for internal hosts in section 3.

Jon

4 Replies

I actually did have it ordered that way at one point, but I will do that again. It's what I originally was thinking. Thanks much. I'll try tomorrow and re-post.

I just did a packet trace and it more or less supports what you said:

ASA-1# packet-tracer input outside tcp 192.0.2.22 3389 192.168.0.2 3389 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_ACCESS_IN in interface outside
access-list OUTSIDE_ACCESS_IN extended permit object RDP any object WIN8-1 log debugging 
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: IP-OPTIONS
Subtype:      
Result: ALLOW 
Config:       
Additional Information:
              
Phase: 5      
Type: VPN     
Subtype: ipsec-tunnel-flow
Result: ALLOW 
Config:       
Additional Information:
              
Phase: 6      
Type: NAT     
Subtype: rpf-check
Result: DROP  
Config:       
nat (inside,outside) source dynamic DTECH_INSIDE_NET interface description PAT to Internet for DTECH Hosts
Additional Information:
              
Result:       
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop  
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi Dennis,

Try the following commands:

object service RDP
service tcp destination eq 3389
exit

nat (inside,outside) 1 source static WIN8-1 interface service RDP RDP

object network WIN8-1
no nat (inside,outside) static interface service tcp 3389 3389

Check whether it works or not; if it doesn't work, please send the output of packet-tracer again.

Regards,

Prateek Verma

Actually, I did what Jon suggested and moved my dynamic PAT rule to section 3 and left the object NAT in place. Works now. Great article by the way, like a NAT bible! I have a much better understanding now.

I also realized that when I issued a packet-tracer command with NAT, you need to go from inside to outside, or else it would result in a drop. Makes sense, as it's the inside address you are translating from. So my above trace is invalid.

Thanks everybody
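As an added example (not part of the original thread, and not the poster's or Cisco's config), here is the fix Dennis applied from Jon's option 3 written out as ASA 8.3+ CLI, together with the verification step: the general dynamic PAT is removed from Section 1 and re-added with after-auto so it lands in Section 3, the object (auto) NAT static PAT for WIN8-1 stays in Section 2, the inbound ACL is narrowed from any to a single admin source, and the placement is checked with show nat and packet-tracer. Assumed values not taken from the page: the outside interface address 203.0.113.10 and the admin source address 198.51.100.7; the WIN8-1 host address 192.168.0.2 is taken from the packet-tracer destination in the thread. The verification trace is entered on the outside interface with the mapped address (the outside interface IP) as the destination, which is what a real client sends; the ASA untranslates it to the inside host in an UN-NAT phase rather than dropping at rpf-check.

```cisco
! Added example, not the original poster's config. Assumed values: outside
! interface 203.0.113.10 and admin source 198.51.100.7 (both hypothetical);
! WIN8-1 = 192.168.0.2 is taken from the packet-tracer in the thread.

! 1. Take the general dynamic PAT out of Section 1 (manual NAT) and re-add it
!    in Section 3 with "after-auto", so it is evaluated only after the object
!    NAT rules in Section 2. Description is not needed on the "no" form.
no nat (inside,outside) source dynamic DTECH_INSIDE_NET interface
nat (inside,outside) after-auto source dynamic DTECH_INSIDE_NET interface description PAT to Internet for DTECH Hosts

! 2. The RDP static PAT stays as object NAT (Section 2). Within Section 2,
!    static rules are evaluated before dynamic ones.
object network WIN8-1
 host 192.168.0.2
 nat (inside,outside) static interface service tcp 3389 3389

! 3. Narrow the inbound rule from "any" to the admin's source address.
!    Since 8.3 the interface ACL matches the real (inside) destination, so
!    the destination stays "object WIN8-1". Add the new ACE before removing
!    the old one so the ACL never ends up empty.
object network ADMIN_SRC
 host 198.51.100.7
access-list OUTSIDE_ACCESS_IN extended permit object RDP object ADMIN_SRC object WIN8-1 log debugging
no access-list OUTSIDE_ACCESS_IN extended permit object RDP any object WIN8-1 log debugging

! 4. Verify. "show nat" must now list the dynamic PAT under
!    "Manual NAT Policies (Section 3)". The inbound trace is addressed to the
!    mapped (outside interface) address, not the inside host, and must show a
!    UN-NAT phase on the WIN8-1 rule followed by "Action: allow".
show nat
packet-tracer input outside tcp 198.51.100.7 54321 203.0.113.10 3389
```

Only new flows see the reordered table; connections that already have an xlate keep their current translation until it times out, so the PBX registrations in the thread are not disturbed by the change. Once real RDP sessions arrive, the untranslate_hits counter on the WIN8-1 rule in show nat is the quickest confirmation that the static PAT is being matched. Since TCP/3389 on a public address is scanned and password-sprayed continuously, keep the source restricted as above; the VPN client exemption already in this config (VPNClientNet) is the alternative that avoids exposing RDP on the outside interface at all.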
