06-26-2013 01:32 AM - edited 03-11-2019 07:03 PM
The physical setup is a little odd as the ASA is connected to the LAN interface of a SOHO wireless router/firewall, and I'm wondering if that is the issue with the port forwarding failures. There's a remote PC connected to the ASA that requires VNC access.
The SOHO router is the ASA's gateway at 192.168.2.1 and is configured to port forward tcp:5900 (VNC) to the ASA's outside address (192.168.2.254).
I have also tried setting 192.168.2.254 as a DMZ on the SOHO router, but to no avail.
Here's the ASA's relevant config lines:
interface Vlan10
 nameif outside
 security-level 0
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
object network Remote-PC
 host 10.2.2.27
object service vnc
 service tcp source eq 5900 destination eq 5900
 description vnc server/viewer
object service rdp
 service tcp source eq 3389 destination eq 3389
 description Remote Desktop (if vnc crashes)
object-group network inside-net
 description VLAN 20 Inside IP Range
 network-object 10.2.2.0 255.255.255.0
!
access-list outside_access_in extended permit object vnc any object Remote-PC
access-list outside_access_in extended permit object rdp any object Remote-PC
!
nat (inside,outside) source dynamic inside-net interface
!
object network Remote-PC
 nat (inside,outside) static interface service tcp 5900 5900
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
-----------------------------------------------------
Thanks in advance for any help!
06-26-2013 02:15 AM
Hi,
There's a problem with NAT rule ordering and the ACL.
Do the following changes:
NAT
no nat (inside,outside) source dynamic inside-net interface
nat (inside,outside) after-auto source dynamic inside-net interface
In the above we move the NAT rule from Section 1 to Section 3, effectively changing it to be a lower priority NAT configuration rule. In its current form it's overriding the Static PAT and preventing it from working.
ACL
The problem with the ACL is that you define the service port for RDP and VNC as both the source and destination. The remote connections won't be coming from the same source port as the destination port is. So basically you don't define any source port, only the destination port.
Old
no access-group outside_access_in
no access-list outside_access_in extended permit object vnc any object Remote-PC
no access-list outside_access_in extended permit object rdp any object Remote-PC
no object service vnc
no object service rdp
New
object service RDP
 service tcp destination eq 3389
object service VNC
 service tcp destination eq 5900
access-list outside_access_in extended permit object RDP any object Remote-PC
access-list outside_access_in extended permit object VNC any object Remote-PC
access-group outside_access_in in interface outside
Hope this helps
Please do remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
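To make the ACL part of the fix above concrete, here is an added example (not code from the thread or from Cisco) that parses ASA-style "service tcp [source eq N] [destination eq N]" lines and evaluates the outside_access_in entries against a few constructed client connections. The client addresses and ephemeral ports are made up; the host 10.2.2.27 and the service definitions are the ones posted. It shows why an object that pins the source port to 5900 never matches a real VNC client, while the destination-only object does, and that the fixed ACL still denies everything else.

```python
# Added example (not from the thread or Cisco): a small simulator of how an
# ASA-style "object service" + ACL entry matches a TCP flow. It reproduces the
# ACL part of the fix: an object defined with "source eq 5900 destination eq
# 5900" never matches a real client, because clients use an ephemeral source
# port; "destination eq 5900" does. Flows below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional

REMOTE_PC = "10.2.2.27"  # object network Remote-PC from the thread


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ServiceObject:
    """Parsed form of an ASA 'service tcp [source eq N] [destination eq N]' line."""
    name: str
    protocol: str
    src_port: Optional[int] = None   # None means any source port
    dst_port: Optional[int] = None   # None means any destination port

    @classmethod
    def parse(cls, name: str, line: str) -> "ServiceObject":
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "service":
            raise ValueError(f"not a service line: {line!r}")
        src = dst = None
        i = 2
        while i < len(tokens):
            if tokens[i] in ("source", "destination") and tokens[i + 1] == "eq":
                port = int(tokens[i + 2])
                if tokens[i] == "source":
                    src = port
                else:
                    dst = port
                i += 3
            else:
                raise ValueError(f"unsupported token {tokens[i]!r} in {line!r}")
        return cls(name, tokens[1], src, dst)

    def matches(self, flow: Flow) -> bool:
        return (flow.protocol == self.protocol
                and (self.src_port is None or flow.src_port == self.src_port)
                and (self.dst_port is None or flow.dst_port == self.dst_port))


@dataclass(frozen=True)
class Ace:
    """access-list <name> extended permit object <svc> any object <host>"""
    action: str
    service: ServiceObject
    dst_host: str


def build_acl(with_source_port: bool) -> List[Ace]:
    """Build outside_access_in as originally posted (True) or as fixed (False)."""
    if with_source_port:
        vnc = ServiceObject.parse("vnc", "service tcp source eq 5900 destination eq 5900")
        rdp = ServiceObject.parse("rdp", "service tcp source eq 3389 destination eq 3389")
    else:
        vnc = ServiceObject.parse("VNC", "service tcp destination eq 5900")
        rdp = ServiceObject.parse("RDP", "service tcp destination eq 3389")
    return [Ace("permit", vnc, REMOTE_PC), Ace("permit", rdp, REMOTE_PC)]


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching ACE wins; every ASA ACL ends with an implicit deny."""
    for ace in acl:
        if flow.dst_ip == ace.dst_host and ace.service.matches(flow):
            return ace.action
    return "deny"


# Constructed client connections. On ASA 8.3+ the interface ACL is checked
# against the real (untranslated) destination, hence 10.2.2.27 here.
VNC_FROM_INTERNET = Flow("tcp", "203.0.113.10", 51234, REMOTE_PC, 5900)
RDP_FROM_INTERNET = Flow("tcp", "203.0.113.10", 51235, REMOTE_PC, 3389)
SSH_FROM_INTERNET = Flow("tcp", "203.0.113.10", 51236, REMOTE_PC, 22)
VNC_TO_OTHER_HOST = Flow("tcp", "203.0.113.10", 51237, "10.2.2.50", 5900)

if __name__ == "__main__":
    for label, acl in (("posted", build_acl(True)), ("fixed", build_acl(False))):
        for flow in (VNC_FROM_INTERNET, RDP_FROM_INTERNET, SSH_FROM_INTERNET, VNC_TO_OTHER_HOST):
            print(f"{label:6} {flow.dst_ip}:{flow.dst_port} from port {flow.src_port}"
                  f" -> {evaluate(acl, flow)}")
```

Run it as a script to print the verdict for each flow under both ACLs; the only connection the posted ACL would ever permit is one whose client happened to pick source port 5900 as well, which real VNC and RDP clients do not do.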
06-26-2013 03:35 AM
Brilliant! That worked perfectly.
I really appreciate the detailed explanation of the changes. It makes total sense now.
5 star reply!
Thank you Jouni.
07-01-2013 08:42 AM
Well, this is awkward. I seem to have broken it. I reapplied the config based on your fix (which worked before) and it's not allowing the connection now. I'm assuming it has something to do with the NATing since I've set up an L2L. The 2nd line is for an L2L VPN, which may be the problem.
Config:
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static inside-net inside-net destination static Brazos-Net-All Brazos-Net-All
!
nat (inside,outside) after-auto source dynamic inside-net interface
!
object network inside-net
 subnet 10.2.2.0 255.255.255.0
object service RDP
 service tcp destination eq 3389
object service VNC
 service tcp destination eq 5900
object service WEB-VNC
 service tcp destination eq 5800
!
access-list outside_access_in extended permit object RDP any object Remote-PC
access-list outside_access_in extended permit object VNC any object Remote-PC log debugging
access-list outside_access_in extended permit object WEB-VNC any object Remote-PC
!
access-group outside_access_in in interface outside
----
Thanks in advance for any help!
07-01-2013 08:47 AM
Hi,
Provided this NAT configuration still exists (with the "host" statement inside the "object network")
object network Remote-PC
 host x.x.x.x
 nat (inside,outside) static interface service tcp 5900 5900
Then you again have a Dynamic PAT rule that is overriding the Static PAT (Port Forward)
Unless you have gotten more inside networks that need Dynamic PAT then simply remove this configuration
no nat (inside,outside) source dynamic any interface
- Jouni
07-01-2013 09:02 AM
Yep, you nailed it again!
What is the best way to add dynamic PAT for multiple ports to that host?
(ex: tcp/5900, 5800, 3389).
07-01-2013 09:12 AM
Hi,
Sadly there is no easy way that wouldn't generate more configuration. For each port you want to forward to a host you will have to configure a separate NAT configuration.
So you would have to add something like this:
object network Remote-PC-RDP
 host x.x.x.x
 nat (inside,outside) static interface service tcp 3389 3389
I guess it would be good to come up with some good naming convention if you are configuring multiple ports.
If you want to rename an existing "object network" then you can do for example
object network <old-name> rename <new-name>
This will change the name of an existing "object network".
As I said, there is no clean and easy way to configure multiple ports as you CAN'T use "object-group service" in any NAT configurations.
- Jouni
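The three NAT answers in this thread (moving the dynamic PAT to after-auto, the "source dynamic any interface" line overriding the static PAT again, and one object network per forwarded port) all come down to the order in which the ASA walks its NAT table. The following is an added example, not code from the thread or from Cisco, that models that order: Section 1 is manual NAT, Section 2 is object (auto) NAT, Section 3 is manual NAT entered with after-auto, and for a new inbound connection the first rule whose mapped side covers the packet wins. A dynamic PAT rule can only untranslate an existing outbound xlate, so when it is reached first the port forward fails; that is the behaviour the replies describe and the model encodes it as an assumption. The interface and host addresses are the ones posted; the object name Remote-PC-WEB-VNC is an assumed name following the Remote-PC-RDP pattern.

```python
# Added example (not from the thread or Cisco): a model of how the ASA orders
# NAT rules into three sections (1 = manual NAT, 2 = object/auto NAT,
# 3 = manual NAT with "after-auto") and walks them in that order for a new
# inbound connection. Assumption encoded here, as stated in the thread: a
# dynamic PAT rule can only untranslate an existing outbound xlate, so when it
# is hit first the port forward fails. The four rule sets replay the thread:
# the original config, the first fix, the re-broken config with
# "source dynamic any interface" in Section 1, and the final per-port PATs.
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IF = "192.168.2.254"  # ip address on interface Vlan10 (outside)
REMOTE_PC = "10.2.2.27"       # object network Remote-PC


@dataclass(frozen=True)
class NatRule:
    section: int                # 1, 2 or 3
    kind: str                   # "dynamic-pat", "static-pat" or "identity"
    mapped_ip: str              # what the outside sees
    real_host: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None
    cli: str = ""               # the config line this rule models


def dynamic_pat(section: int, cli: str) -> NatRule:
    return NatRule(section, "dynamic-pat", OUTSIDE_IF, cli=cli)


def static_pat(host: str, port: int, name: str) -> NatRule:
    # object network <name> / host <host> /
    #   nat (inside,outside) static interface service tcp <port> <port>
    return NatRule(2, "static-pat", OUTSIDE_IF, host, port, port,
                   cli=f"object network {name}: static interface service tcp {port} {port}")


def inbound_lookup(rules: List[NatRule], dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return the (real host, real port) a new inbound TCP connection is
    forwarded to, or None when the ASA has no usable translation."""
    # sorted() is stable, so configuration order is kept within a section
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.mapped_ip != dst_ip:
            continue                      # mapped side does not cover this packet
        if rule.kind == "dynamic-pat":
            return None                   # reached first: no xlate, connection dropped
        if rule.kind == "static-pat" and rule.mapped_port == dst_port:
            return (rule.real_host, rule.real_port)
        # identity rules and static PATs for other ports: keep searching
    return None


# --- the rule sets from the thread ---
ORIGINAL = [
    dynamic_pat(1, "nat (inside,outside) source dynamic inside-net interface"),
    static_pat(REMOTE_PC, 5900, "Remote-PC"),
]
FIRST_FIX = [
    dynamic_pat(3, "nat (inside,outside) after-auto source dynamic inside-net interface"),
    static_pat(REMOTE_PC, 5900, "Remote-PC"),
]
REBROKEN = [
    dynamic_pat(1, "nat (inside,outside) source dynamic any interface"),
    # L2L identity NAT: its mapped side is the inside subnet itself, so it
    # never covers a packet sent to the outside interface address
    NatRule(1, "identity", "10.2.2.0/24",
            cli="nat (inside,outside) source static inside-net inside-net "
                "destination static Brazos-Net-All Brazos-Net-All"),
    dynamic_pat(3, "nat (inside,outside) after-auto source dynamic inside-net interface"),
    static_pat(REMOTE_PC, 5900, "Remote-PC"),
]
FINAL = [
    dynamic_pat(3, "nat (inside,outside) after-auto source dynamic inside-net interface"),
    static_pat(REMOTE_PC, 5900, "Remote-PC"),          # one object network per port
    static_pat(REMOTE_PC, 5800, "Remote-PC-WEB-VNC"),  # assumed name
    static_pat(REMOTE_PC, 3389, "Remote-PC-RDP"),
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("first fix", FIRST_FIX),
                         ("re-broken", REBROKEN), ("final", FINAL)):
        for port in (5900, 5800, 3389, 22):
            print(f"{label:10} {OUTSIDE_IF}:{port} -> {inbound_lookup(rules, OUTSIDE_IF, port)}")
```

Running it prints, for each of the four configurations, where a new connection to the outside address on 5900, 5800, 3389 and 22 ends up. Only the first-fix and final sets forward anything, and in the final set each port resolves because it has its own Section 2 rule; port 22 falls through to the after-auto dynamic PAT and is dropped, which is the desired default.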
07-01-2013 09:21 AM
I was hoping for the object group service answer. Lol.
The new Network Objects are created for each static PAT and all is working beautifully now.
Thank you again, Jouni!