Hi,
my ASA 5510 (v8.2) won't NAT incoming connections arriving on the inet (outside) interface on tcp/3389 (RDP) to a DMZ server. I have tried everything I know. It really doesn't look like an ACL problem because there is no NAT hit.
Here is an excerpt of the config:
interface Ethernet0/0
description Internet connection
nameif inet
security-level 0
ip address EXTERNAL 255.255.255.252
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 30
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
access-list inet_access_in extended permit tcp any host EXTERNAL eq https
access-list inet_access_in extended deny icmp any any
access-list inet_access_in extended permit tcp any host 192.168.60.15 object-group rdp
access-list internal_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0
nat-control
global (inet) 10 interface
global (dmz) 10 interface
nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 10 access-list internal_nat0_outbound
nat (internal) 10 192.168.50.0 255.255.255.0
nat (dmz) 0 access-list internal_nat0_outbound
nat (dmz) 10 access-list internal_nat0_outbound
nat (dmz) 10 192.168.60.0 255.255.255.0
static (dmz,inet) tcp interface 3389 192.168.60.15 3389 netmask 255.255.255.255 dns
access-group inet_access_in in interface inet
route inet 0.0.0.0 0.0.0.0 EXTERNAL GW 1
Some things are redundant and irrelevant; they were added for troubleshooting.
show nat output:
NAT policies on Interface internal:
match ip internal 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 internal 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 16, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 management 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (EXTERNAL [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 internal 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 management 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 inet any
dynamic translation to pool 10 (EXTERNAL [Interface PAT])
translate_hits = 672, untranslate_hits = 88
match ip internal 192.168.50.0 255.255.255.0 internal any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 dmz any
dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip internal 192.168.50.0 255.255.255.0 management any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip internal any inet any
no translation group, implicit deny
policy_hits = 0
match ip internal any dmz any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface dmz:
match ip dmz 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip dmz 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match tcp dmz host 192.168.60.15 eq 3389 inet any
static translation to EXTERNAL/3389
translate_hits = 0, untranslate_hits = 0
match ip dmz 192.168.50.0 255.255.255.0 inet 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (EXTERNAL [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip dmz 192.168.50.0 255.255.255.0 dmz 192.168.60.0 255.255.255.0
dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip dmz 192.168.60.0 255.255.255.0 inet any
dynamic translation to pool 10 (EXTERNAL [Interface PAT])
translate_hits = 557, untranslate_hits = 530
match ip dmz 192.168.60.0 255.255.255.0 dmz any
dynamic translation to pool 10 (192.168.60.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip dmz any inet any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface management:
match ip management any inet any
no translation group, implicit deny
policy_hits = 0
match ip management any dmz any
no translation group, implicit deny
policy_hits = 0
Does anyone have an idea why I can't get Remote Desktop connections from the Internet to the DMZ host 192.168.60.15?
Thanks for your time!
Sven
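The following is an added example and not part of Sven's post. It models one fact about ASA releases before 8.3 that matters for reading the `show nat` counters above: the ACL applied with `access-group ... in interface inet` is evaluated against the packet's destination as it arrives on the outside interface, i.e. the mapped (global) address, and the static is un-translated only for packets the ACL has already permitted, so a packet the ACL drops never increments `untranslate_hits`. The script runs a constructed inbound RDP packet through the ACL as posted (RDP line written against the real address 192.168.60.15) and through a variant written against the interface address, the same form the post's own `https` line already uses. The class names, the placeholder value for EXTERNAL, the client address and the simplified evaluation order are assumptions made for the model, not ASA internals.

```python
"""Model of ASA 8.2 inbound processing order for the static PAT in the post.

Added example, not part of the original post. In ASA releases before 8.3 the
ACL on the outside interface is checked against the mapped (global)
destination address, and a static is un-translated only for packets the ACL
permitted. Class names, the EXTERNAL placeholder and the client address below
are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

EXTERNAL = "203.0.113.2"      # assumed placeholder for the outside interface IP
RDP_SERVER = "192.168.60.15"  # DMZ host from the post
RDP = 3389


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One extended ACE of the form 'permit tcp any host X eq N'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip"
    dst: str                     # "any" or a host address
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


@dataclass
class StaticPat:
    """Models: static (dmz,inet) tcp interface 3389 192.168.60.15 3389"""
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int
    untranslate_hits: int = 0  # mirrors the counter in 'show nat'

    def matches_inbound(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dst == self.mapped_ip
                and pkt.dport == self.mapped_port)


def acl_permits(acl: list[Ace], pkt: Packet) -> bool:
    """First matching ACE wins; no match is the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def inbound_8_2(acl: list[Ace], statics: list[StaticPat], pkt: Packet) -> Optional[str]:
    """Return the real 'ip:port' the packet is delivered to, or None if dropped.

    Order modelled: inbound ACL on the mapped address first, then un-NAT.
    """
    if not acl_permits(acl, pkt):
        return None                   # dropped before any NAT lookup: no hit
    for s in statics:
        if s.matches_inbound(pkt):
            s.untranslate_hits += 1
            return f"{s.real_ip}:{s.real_port}"
    return None                       # nat-control and no translation: dropped


# ACL as posted: the RDP line names the real DMZ address
ACL_AS_POSTED = [
    Ace("permit", "tcp", EXTERNAL, 443),
    Ace("deny", "icmp", "any"),
    Ace("permit", "tcp", RDP_SERVER, RDP),
]

# Same ACL with the RDP line written against the mapped (interface) address
ACL_MAPPED = [
    Ace("permit", "tcp", EXTERNAL, 443),
    Ace("deny", "icmp", "any"),
    Ace("permit", "tcp", EXTERNAL, RDP),
]

# Constructed inbound RDP packet from an arbitrary Internet client
RDP_FROM_INTERNET = Packet("tcp", "198.51.100.7", EXTERNAL, RDP)


def demo() -> dict:
    """Run the same packet through both ACL variants with a fresh static each."""
    posted = StaticPat("tcp", EXTERNAL, RDP, RDP_SERVER, RDP)
    r1 = inbound_8_2(ACL_AS_POSTED, [posted], RDP_FROM_INTERNET)
    mapped = StaticPat("tcp", EXTERNAL, RDP, RDP_SERVER, RDP)
    r2 = inbound_8_2(ACL_MAPPED, [mapped], RDP_FROM_INTERNET)
    return {"posted": (r1, posted.untranslate_hits),
            "mapped": (r2, mapped.untranslate_hits)}


if __name__ == "__main__":
    for name, (dest, hits) in demo().items():
        print(f"{name:7s} -> delivered to {dest}, untranslate_hits = {hits}")
```

With the ACL as posted the model drops the packet at the ACL stage and the static's `untranslate_hits` stays at 0, which is what the `match tcp dmz host 192.168.60.15 eq 3389 inet any` entry in the post shows; with the RDP ACE written against the interface address, in the same `host EXTERNAL eq ...` form as the existing https line, the packet reaches the static and is un-translated to 192.168.60.15:3389. On a real 8.2 box the equivalent check is whether `show access-list inet_access_in` counts hits on the RDP line while a connection attempt is in progress.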