sven.ollino
Level 1

Hi,

My ASA 5510 (v8.2) doesn't like to NAT incoming connections from the inet interface (outside), tcp/3389 (RDP), to a DMZ server. I have tried everything I knew. It really doesn't look like an ACL problem because there is no NAT hit.

Here is an excerpt of the config:

interface Ethernet0/0
description Internet connection
nameif inet
security-level 0
ip address EXTERNAL 255.255.255.252
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 30
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only

access-list inet_access_in extended permit tcp any host EXTERNAL eq https
access-list inet_access_in extended deny icmp any any
access-list inet_access_in extended permit tcp any host 192.168.60.15 object-group rdp
access-list internal_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0

nat-control
global (inet) 10 interface
global (dmz) 10 interface
nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 10 access-list internal_nat0_outbound
nat (internal) 10 192.168.50.0 255.255.255.0
nat (dmz) 0 access-list internal_nat0_outbound
nat (dmz) 10 access-list internal_nat0_outbound
nat (dmz) 10 192.168.60.0 255.255.255.0
static (dmz,inet) tcp interface 3389 192.168.60.15 3389 netmask 255.255.255.255  dns
access-group inet_access_in in interface inet
route inet 0.0.0.0 0.0.0.0 EXTERNAL GW 1

Some things are redundant and irrelevant; this was for troubleshooting.

show nat output:

NAT policies on Interface internal:
  match ip internal 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip internal 192.168.50.0 255.255.255.0 internal 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip internal 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 16, untranslate_hits = 0
  match ip internal 192.168.50.0 255.255.255.0 management 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip internal 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
    dynamic translation to pool 10 (EXTERNAL [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip internal 192.168.50.0 255.255.255.0 internal 192.168.60.0 255.255.255.0
    dynamic translation to pool 10 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip internal 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
    dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip internal 192.168.50.0 255.255.255.0 management 192.168.60.0 255.255.255.0
    dynamic translation to pool 10 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip internal 192.168.50.0 255.255.255.0 inet any
    dynamic translation to pool 10 (EXTERNAL [Interface PAT])
    translate_hits = 672, untranslate_hits = 88
  match ip internal 192.168.50.0 255.255.255.0 internal any
    dynamic translation to pool 10 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip internal 192.168.50.0 255.255.255.0 dmz any
    dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip internal 192.168.50.0 255.255.255.0 management any
    dynamic translation to pool 10 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip internal any inet any
    no translation group, implicit deny
    policy_hits = 0
  match ip internal any dmz any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface dmz:
  match ip dmz 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip dmz 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match tcp dmz host 192.168.60.15 eq 3389 inet any
    static translation to EXTERNAL/3389
    translate_hits = 0, untranslate_hits = 0

  match ip dmz 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
    dynamic translation to pool 10 (EXTERNAL [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip dmz 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
    dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip dmz 192.168.60.0 255.255.255.0 inet any
    dynamic translation to pool 10 (EXTERNAL [Interface PAT])
    translate_hits = 557, untranslate_hits = 530
  match ip dmz 192.168.60.0 255.255.255.0 dmz any
    dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip dmz any inet any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface management:
  match ip management any inet any
    no translation group, implicit deny
    policy_hits = 0
  match ip management any dmz any
    no translation group, implicit deny
    policy_hits = 0

Has someone got an idea why I can't get Remote Desktop connections from the internet to DMZ host 192.168.60.15?

Thanks for your time!

Sven
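An added Python helper (not from the post or from Cisco) that parses the show nat output format shown above, picks out static translations with zero untranslate hits, and lists which inbound ACL entries name the static's real address versus its mapped address; that distinction matters because on pre-8.3 ASA code such as the poster's 8.2, an ACL applied inbound on the outside interface is evaluated against the mapped (global) address, not the real one. The sample output and ACL lines are constructed from the post; object-group contents are not resolved, since they are not on the page.

```python
import re

# Constructed sample: the dmz block of the poster's "show nat" output.
SHOW_NAT = """\
NAT policies on Interface dmz:
  match tcp dmz host 192.168.60.15 eq 3389 inet any
    static translation to EXTERNAL/3389
    translate_hits = 0, untranslate_hits = 0
  match ip dmz 192.168.60.0 255.255.255.0 inet any
    dynamic translation to pool 10 (EXTERNAL [Interface PAT])
    translate_hits = 557, untranslate_hits = 530
"""
# Constructed sample: the inbound ACL on the inet interface, as in the post.
ACL = """\
access-list inet_access_in extended permit tcp any host EXTERNAL eq https
access-list inet_access_in extended deny icmp any any
access-list inet_access_in extended permit tcp any host 192.168.60.15 object-group rdp
"""
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
STATIC_RE = re.compile(r"static translation to (\S+)/(\d+)")


def parse_show_nat(text):
    """One dict per NAT policy: interface, match line, action line, hit counters."""
    policies, iface, cur = [], None, None
    for line in text.splitlines():
        if line.startswith("NAT policies on Interface "):
            iface = line.split()[-1].rstrip(":")
        elif line.startswith("  match "):
            cur = {"interface": iface, "match": line.strip(), "action": None,
                   "translate_hits": 0, "untranslate_hits": 0}
            policies.append(cur)
        elif cur and (m := HITS_RE.search(line)):
            cur["translate_hits"], cur["untranslate_hits"] = int(m[1]), int(m[2])
        elif cur and cur["action"] is None and line.startswith("    "):
            cur["action"] = line.strip()  # first indented line after "match" is the action
    return policies


def check_inbound_statics(policies, acl_text):
    """For each host static with no inbound (untranslate) hits, list the permit
    entries that name its real address and those that name its mapped address."""
    findings, permits = [], [l for l in acl_text.splitlines() if " permit " in l]
    for p in policies:
        m, rm = STATIC_RE.search(p["action"] or ""), re.search(r"host (\S+)", p["match"])
        if not (m and rm) or p["untranslate_hits"]:
            continue
        lines_for = lambda addr: [l for l in permits if f"host {addr} " in l]
        findings.append({"real": rm[1], "mapped": m[1], "port": int(m[2]),
                         "acl_for_real": lines_for(rm[1]), "acl_for_mapped": lines_for(m[1])})
    return findings
```

Run against the constructed samples, the only finding is the 3389 static: the real address appears in one permit entry, while the mapped address appears only in the https entry.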
