10-10-2013 09:25 AM - edited 03-11-2019 07:50 PM
Here are the relevant parts of my config:
interface Vlan1
nameif inside
security-level 100
ip address 172.18.67.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 71.x.x.x 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NAT extended permit ip 172.18.67.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list NAT extended permit ip 172.18.67.0 255.255.255.0 10.41.0.0 255.255.0.0
access-list Port_Forwarding-ACL extended permit tcp any host 172.18.67.2 eq 3389
!
global (outside) 1 interface
nat (inside) 0 access-list NAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 172.18.67.2 3389 netmask 255.255.255.255
access-group Port_Forwarding-ACL in interface outside
route outside 0.0.0.0 0.0.0.0 71.169.11.1 1
Here is a packet tracer output:
eas-ny-pinn# packet-tracer input outside tcp 1.1.1.1 3389 172.18.67.2 3389
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.18.67.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Port_Forwarding-ACL in interface outside
access-list Port_Forwarding-ACL extended permit tcp any host 172.18.67.2 eq 3389
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,outside) tcp interface 3389 172.18.67.2 3389 netmask 255.255.255.255
match tcp inside host 172.18.67.2 eq 3389 outside any
static translation to 71.169.11.10/3389
translate_hits = 0, untranslate_hits = 6
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Why is this failing?
10-10-2013 09:30 AM
Hi,
It's failing because you are targeting the local IP address of the destination host in the "packet-tracer" command.
If someone on the external network were to connect to this host then the destination IP address would be that of your "outside" interface.
Use the "outside" interface IP address as the destination IP in the "packet-tracer" command and post that output if there is still a problem with it.
- Jouni
10-10-2013 12:21 PM
This is what I get now.
eas-ny-pinn# packet-tracer input outside tcp 1.1.1.1 3389 71.169.11.10 3389
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 3389 172.18.67.2 3389 netmask 255.255.255.255
match tcp inside host 172.18.67.2 eq 3389 outside any
static translation to 71.169.11.10/3389
translate_hits = 0, untranslate_hits = 18
Additional Information:
NAT divert to egress interface inside
Untranslate 71.169.11.10/3389 to 172.18.67.2/3389 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
10-10-2013 12:24 PM
Hi,
Try adding
access-list Port_Forwarding-ACL extended permit tcp any interface outside eq 3389
Then test the actual connection again and "packet-tracer" if you want.
- Jouni
10-10-2013 12:54 PM
That fixed it. I'm always screwing up ACLs on interfaces when it comes to NAT. No one outside the network is trying to reach the private IP, that's what the NAT does.
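The reason the first ACE looked right but never matched is the order in which a pre-8.3 ASA evaluates things for a packet arriving on "outside": the interface ACL is compared against the destination as it arrives (the mapped address, here the outside interface IP), and only after that is the static looked up. From 8.3 onward the ASA un-translates first and ACLs are written against the real (inside) address, so the OP's original ACE would have been the correct one there and Jouni's fix would be the one that fails. The following Python model is an added example, not part of the thread and not Cisco's code; it parses the ACE and static lines exactly as posted, assumes the outside interface address 71.169.11.10 that the packet-tracer output shows the static resolving to, and reproduces all three traces (the first rpf-check drop, the second acl-drop, and the working result after the fix) plus the 8.3+ behaviour for comparison.

```python
import ipaddress
import re

# From the thread: the address the 'interface' keyword resolves to on this box
# (packet-tracer printed "static translation to 71.169.11.10/3389").
OUTSIDE_IF_IP = "71.169.11.10"

# Lines copied from the OP's (pre-8.3 syntax) configuration.
STATIC_LINE = "static (inside,outside) tcp interface 3389 172.18.67.2 3389 netmask 255.255.255.255"
ACL_REAL_IP = ["access-list Port_Forwarding-ACL extended permit tcp any host 172.18.67.2 eq 3389"]
# Jouni's fix: match the mapped address, i.e. the outside interface itself.
ACL_MAPPED_IP = ["access-list Port_Forwarding-ACL extended permit tcp any interface outside eq 3389"]


def parse_addr(tokens, i):
    """Parse one ASA address operand starting at tokens[i].

    Returns (network, index_after_operand). Only the forms used in the
    thread are handled: any, host A.B.C.D, interface outside, A.B.C.D MASK.
    """
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if t == "interface":
        # Assumption: 'outside' is the only interface keyword that appears here.
        return ipaddress.ip_network(OUTSIDE_IF_IP + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = parse_addr(tok, 5)
    dst, i = parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"permit": tok[3] == "permit", "src": src, "dst": dst, "dport": dport}


def acl_permits(aces, src_ip, dst_ip, dport):
    """First-match evaluation with the ASA's implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace["src"] and d in ace["dst"] and ace["dport"] in (None, dport):
            return ace["permit"]
    return False


def parse_static(line):
    """Parse the pre-8.3 'static (in,out) tcp MAPPED MPORT REAL RPORT' form."""
    m = re.match(r"static \(\w+,\w+\) tcp (\S+) (\d+) (\S+) (\d+)", line)
    if not m:
        raise ValueError(f"unsupported static: {line}")
    mapped = OUTSIDE_IF_IP if m.group(1) == "interface" else m.group(1)
    return {"mapped": (mapped, int(m.group(2))), "real": (m.group(3), int(m.group(4)))}


def un_nat(static, dst_ip, dport):
    """Return the real (inside) socket for a mapped destination, or None."""
    return static["real"] if (dst_ip, dport) == static["mapped"] else None


def trace(acl_lines, dst_ip, dport, pre_83, src_ip="1.1.1.1"):
    """Simplified packet-tracer for an inbound TCP SYN arriving on 'outside'.

    pre_83=True : ACL is compared against the destination as it arrives (the
                  mapped address); the static is only looked up afterwards.
    pre_83=False: 8.3+ order, un-NAT first, ACL compared against the real
                  address. The same static is reused purely to model the
                  translation; a real 8.3+ config would express it as object NAT.
    Returns (allowed, drop_label). Labels are this model's own, chosen to
    mirror the drop reasons seen in the thread.
    """
    aces = [parse_ace(line) for line in acl_lines]
    static = parse_static(STATIC_LINE)
    if pre_83:
        if not acl_permits(aces, src_ip, dst_ip, dport):
            return False, "acl-drop"
        if un_nat(static, dst_ip, dport) is None:
            return False, "nat-rpf-check"
        return True, None
    real = un_nat(static, dst_ip, dport)
    if real is None:
        return False, "no-un-nat"
    if not acl_permits(aces, src_ip, real[0], real[1]):
        return False, "acl-drop"
    return True, None


if __name__ == "__main__":
    print("trace 1 (real IP as dest, pre-8.3):", trace(ACL_REAL_IP, "172.18.67.2", 3389, True))
    print("trace 2 (mapped IP, original ACL):", trace(ACL_REAL_IP, OUTSIDE_IF_IP, 3389, True))
    print("after fix (mapped IP, fixed ACL): ", trace(ACL_MAPPED_IP, OUTSIDE_IF_IP, 3389, True))
    print("8.3+ with the original ACL:       ", trace(ACL_REAL_IP, OUTSIDE_IF_IP, 3389, False))
    print("8.3+ with the 'fixed' ACL:        ", trace(ACL_MAPPED_IP, OUTSIDE_IF_IP, 3389, False))
```

Two things worth checking before copying the fix into production. First, the "any" source in the ACE opens RDP on the outside interface to the whole Internet; replace it with the addresses that actually need access (or put the host behind a VPN) and watch for brute-force attempts on 3389 either way. Second, the model shows that the same ACE flips from correct to wrong across the 8.3 boundary, so when that firewall is upgraded the ACL has to be rewritten against the real 172.18.67.2 address, which the upgrade's automatic NAT migration does for you but is still worth verifying with packet-tracer against the outside interface address, exactly as Jouni suggested.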