ASA 5510 NAT and ACL Issues again

I really don't know what I messed up, but as soon as I get this fixed I will backup my config again.

I am trying to set up a STATIC NAT from a public IP to the internal of 1 particular server and then allow 3389 (RDP) traffic from any outside source to this internal server.

I have the following:

access-list Outside_access_in extended permit tcp any host 10.100.101.1 eq 3389
AND
static (Inside,Outside) tcp 70.150.***.*** 3389 10.100.101.1 3389 netmask 255.255.255.255

So far, this is the only Static NAT I am trying to configure. This Public IP will be used just for this server, so I am not sharing a single Outside IP with the internal servers.

I have read about the need to BIND the Outside_access_in to an access-group to the Outside interface, but the commands will not work. Am I just missing this entry so it knows which interface to apply the ACLs to?

I see the following in the Syslog when I try to connect to RDP from Outside:

Inbound TCP Connection denied from X.X.X.X/1806 to 70.150.X.X/3389 flags SYN on interface Outside

Thanks!
miconisAsked:
ngravattCommented:
Since you are using the ASA, you should be able to use the packet trace feature from the GUI interface that will tell you exactly why the packet is being dropped.
0
 
miconisAuthor Commented:

ASA Version 8.0(3)
!
hostname WZ-ASA1
domain-name XX.XXX
enable password IrroukDoy2z16aXo encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 70.150.XX.XXX 255.255.255.224
!
interface Ethernet0/1
 nameif Inside
 security-level 99
 ip address 10.100.100.1 255.255.240.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd IrroukDoy2z16aXo encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name XX.XXX
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit icmp 10.100.200.0 255.255.255.0 10.100.96.0 255.255.240.0
access-list Outside_access_in extended permit tcp any host 10.100.101.1 eq 3389
access-list management_nat0_outbound extended permit ip 10.100.96.0 255.255.240.0 10.100.200.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 10.100.96.0 255.255.240.0 10.100.200.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.100.96.0 255.255.240.0 10.100.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location 10.100.200.0 255.255.255.0 management
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound
static (Inside,Outside) tcp 70.150.XX.XXX 3389 10.100.101.1 3389 netmask 255.255.255.255
route Outside 0.0.0.0 0.0.0.0 70.150.XX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.200.0 255.255.255.0 Outside
http 192.168.1.0 255.255.255.0 management
http 10.100.96.0 255.255.240.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 70.150.XX.XXX
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet 10.100.96.0 255.255.240.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group 70.150.XX.XXX type ipsec-l2l
tunnel-group 70.150.XX.XXX ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9b3c69aaf6bdfd017cf703d49600056b
WZ-ASA1(config)#
0
 
ngravattCommented:
The access rule needs to allow access to the public address, 70.150.x.x. Try adding this rule:

access-list Outside_access_in extended permit tcp any host 70.150.XX.XXX eq 3389
0
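The two things this thread turns on, that a pre-8.3 ASA evaluates an interface ACL against the mapped (public) address and that an ACL does nothing until `access-group` binds it to the interface, can be checked mechanically. The following linter is added here and is not code from the thread or from Cisco; it runs over a constructed excerpt of the posted config with the placeholder 70.150.0.1 standing in for the masked public address.

```python
import re

# Constructed excerpt of the ASA 8.0(3) config posted in the thread (pre-8.3 NAT
# syntax). The masked public address is replaced by the placeholder 70.150.0.1.
BROKEN_CONFIG = """
access-list Outside_access_in extended permit tcp any host 10.100.101.1 eq 3389
static (Inside,Outside) tcp 70.150.0.1 3389 10.100.101.1 3389 netmask 255.255.255.255
"""

# Same excerpt with the two fixes discussed in the thread: an ACL entry on the
# mapped (public) address, and the ACL bound inbound on the Outside interface.
FIXED_CONFIG = BROKEN_CONFIG + """
access-list Outside_access_in extended permit tcp any host 70.150.0.1 eq 3389
access-group Outside_access_in in interface Outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\w+) any host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def check_static_exposure(config):
    """Return the reasons an inbound connection to a static port forward is dropped.
    Pre-8.3 ASA code evaluates interface ACLs against the mapped (public) address,
    and an ACL has no effect until access-group binds it to the interface.
    """
    permits = {}   # acl name -> set of (proto, host, port) permitted from any
    bound = {}     # interface -> acl name bound inbound
    for line in config.splitlines():
        if m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)
        elif m := ACL_RE.match(line):
            permits.setdefault(m.group(1), set()).add((m.group(2), m.group(3), m.group(4)))

    findings = []
    for line in config.splitlines():
        if not (m := STATIC_RE.match(line)):
            continue
        _real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, _real_port = m.groups()
        acl = bound.get(mapped_if)
        if acl is None:
            findings.append(f"no access-group binds an ACL inbound on interface {mapped_if}")
            # Fall back to any ACL naming the real host so the second mistake is still reported.
            acl = next((n for n, e in permits.items() if any(h == real_ip for _, h, _ in e)), None)
        entries = permits.get(acl, set())
        if (proto, mapped_ip, mapped_port) not in entries:
            findings.append(f"{acl} has no permit for {proto}/{mapped_port} to mapped address {mapped_ip}")
            if (proto, real_ip, mapped_port) in entries:
                findings.append(f"{acl} permits the real address {real_ip}; pre-8.3 ACLs match the mapped one")
    return findings
```

On the broken excerpt it reports the missing `access-group` binding and the ACL written against the real address; on the fixed excerpt it reports nothing.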
 
miconisAuthor Commented:
Hmmm, that didn't work.

Still seeing the following in the Syslog when I try to connect to RDP from Outside:

Inbound TCP Connection denied from X.X.X.X/1806 to 70.150.X.X/3389 flags SYN on interface Outside
0
 
alanblockleyCommented:
What was the solution ?
0