
Static NAT configuration on ASA5520 (8.4+)

paveldudaibm
Level 1

Hello,

I'm trying to set up static NAT for inbound RDP traffic to several servers on the inside network, but I'm having trouble making it work.

My configuration is like:

    interface Gi0/0
     nameif Internet
     security-level 10
     ip address 192.168.1.2 255.255.255.128

    interface Gi0/1
     nameif someothernet
     ip address 172.16.0.1 255.255.255.128

    interface Gi0/2
     nameif Serverdp
     ip address 10.0.0.1 255.255.255.0

    object network rdp-internal
     host 10.0.0.10
     nat (Serverdp,Internet) static 192.168.1.15 service tcp 3389 3389

    access-list Inbound extended permit tcp any host 10.0.0.10 eq 3389
    access-group Inbound in interface Internet

When I try to connect to 192.168.1.15:3389 I'm getting %ASA-6-110003 routing failed to locate next for for TCP from Internet:xxxxx to serverdp:10.0.0.10/3389

Am I missing some step in this configuration? 

Thanks

6 Replies

Two things to check in your config:

  1. Is the routing to the internet correct?
  2. Is there any NAT configured incorrectly in section 1 of the NAT rules?

Hello Karsten,

Yes, the routing to the internet works fine. I have a few other dynamic rules on the other interface(s) and they work fine. Anyway, I was able to get my hands on a spare ASA device and replicate the configuration, and it works, so it seems that the problem is on the remote device or with the network connected to Gi0/2 (unless it is some kind of bug on that particular ASA device). I'm working remotely and the customer says everything is fine on their end and all servers on the network behind the ASA are configured properly. I will ask them to test the cables, connect a workstation to the port directly, and do some packet tracing.

Did the other ASA run the exact same version? There were changes in NAT-behavior in the past.

I would still expect the problem to be in section 1 of your NAT config.

Yes, they are running the same version, so they should not be affected by those changes, which took place in 8.3+ if I recall the version correctly. I'm waiting for on-site support to check the cabling and network settings, so let's see...

So the problem was really on the network behind the ASA not with the NAT rules :-).

David Castro F.
Spotlight

Hello,

Can you please share the show run of this ASA? According to the log, the ASA is indeed dropping it.

This error occurs when the ASA tries to find the next hop on an interface routing table. Typically, this message is received when ASA has a translation (xlate) built to one interface and a route pointing out a different interface. Check for a misconfiguration on the NAT statements. Resolution of the misconfiguration may resolve the error.

Also, taking captures on both interfaces afterwards will give us a better overview.

Please proceed to rate and mark as correct the helpful post!

Thanks,

David Castro,
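
The checks suggested in this thread (NAT and route agreement, then captures on both interfaces), written out as ASA CLI commands. This is an added example, not part of any post in the thread; interface names and addresses come from the posted configuration, while the client address 198.51.100.10, source port 50000 and the capture names are constructed.

```cisco
! Simulate an inbound RDP connection to the mapped address and show each
! phase (UN-NAT, ACCESS-LIST, ROUTE-LOOKUP) with the chosen egress interface.
! 198.51.100.10 and port 50000 are constructed client values.
packet-tracer input Internet tcp 198.51.100.10 50000 192.168.1.15 3389 detailed

! List NAT rules in section order with hit counts; a section 1 rule that
! matches 10.0.0.10 is evaluated before the object NAT rule.
show nat detail

! Show any translation built for the real host and the interfaces it uses.
show xlate local 10.0.0.10

! Confirm a route to 10.0.0.10 exists on Serverdp, the interface named in
! the NAT rule, and that the interface itself is up.
show route Serverdp
show interface Serverdp

! Check whether the ASA has resolved the server's MAC address.
show arp | include 10.0.0.10

! Capture on both sides: mapped address on Internet, real address on Serverdp.
capture cap-outside interface Internet match tcp any host 192.168.1.15 eq 3389
capture cap-inside interface Serverdp match tcp any host 10.0.0.10 eq 3389
show capture cap-outside
show capture cap-inside

! Remove the captures when done.
no capture cap-outside
no capture cap-inside
```

SYNs in cap-outside with nothing in cap-inside mean the ASA is dropping the traffic; SYNs in cap-inside with no SYN-ACK coming back point at the network or host behind the ASA.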
