?
Solved

Problem with Nat Cisco ASA 5505

Posted on 2009-07-06
5
Medium Priority
?
499 Views
Last Modified: 2012-05-07
I have a problem with a cisco asa 5505. I can´t make nat.  i have 12 public ip´s. I want to make a nat to a 3389 port from one of the 12 ip. for examle. for my public ip "84.xxx.xxx.197" nat to 3389 in 192.169.10.10

      
attached word document with screenshots (images) of the configuration

thaks a lot!




: Saved
:
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2 encrypted
passwd 2OU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 84.999.999.194 255.255.255.240 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.12.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list INSIDE_ACL_OUT extended permit ip any any 
access-list 100 extended permit tcp any any eq 3389 
access-list inside_access_in extended permit ip any any 
access-list inbound extended permit tcp any interface outside eq 3389 
access-list RDP extended permit tcp any interface outside eq 3389 log 
access-list RDP extended permit tcp interface outside interface inside eq 3389 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool pool1 192.168.10.70-192.168.10.75 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 84.xxx.xxx.195-84.xxx.xxx.206 netmask 255.255.255.240
nat (inside) 1 192.168.10.0 255.255.255.0
static (outside,inside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 84.xx.xxx.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 84.XXX.XXX.194 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.90-192.168.10.100 inside
dhcpd dns 154.15.255.134 154.15.255.130 interface inside
dhcpd enable inside
!
 
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec 
username javi password IlgpTNaSWRdb/oYPeip5kg== nt-encrypted privilege 0
username javi attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool pool1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 89.131.198.96 type ipsec-l2l
tunnel-group 89.131.198.96 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:6e72fb0b5c6fe3eef9d9e68f33ef634e
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Open in new window

0
Comment
Question by:rauljimenez
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 13

Accepted Solution

by:
3nerds earned 2000 total points
ID: 24785510
Your static is backwards:
static (outside,inside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255

needs to be this:

static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255

Your acl looks to be correct though.

Good Luck,

3nerds
0
 
LVL 8

Expert Comment

by:wiscom
ID: 24792368
Hello,

Here is the solution:
First, Clean your config

NO access-list outside_access_in extended permit ip any any
NO access-list outside_access_in extended permit tcp any interface outside eq 3389
NO access-list INSIDE_ACL_OUT extended permit ip any any
NO access-list 100 extended permit tcp any any eq 3389
NO access-list inside_access_in extended permit ip any any
NO access-list inbound extended permit tcp any interface outside eq 3389
No access-list RDP extended permit tcp any interface outside eq 3389 log
NO access-list RDP extended permit tcp interface outside interface inside eq
!
NO access-group inside_access_in in interface inside
!
NO access-group 100 in interface outside
!
access-list outside-entry-RDP extended permit tcp any host 84.x.x.197 eq 3389
!
static (inside,outside) tcp 84.x.x.197 3389 192.168.10.10 3389 netmask 255.255.255.255
!
access-group outside-entry-RDP in interface outside
!
end

0
 
LVL 13

Expert Comment

by:3nerds
ID: 24794262
Wow I am impressed, well not really but what wiscom has stated will work and would clean the config up as he put it. I prefer not to assume that I know your environment as well as you do and to tell you the pieces that are missing or wrong without making you change everything else.

Good Luck,

3nerds
0
 

Author Closing Comment

by:rauljimenez
ID: 31600170
Thanks, my config now is ok, y had two problems:one was the problem you say  and the other was in the server in the server, the defautl GW was wrong . Thanks a lot!!
0
 
LVL 8

Expert Comment

by:wiscom
ID: 24813007
Hi,
ACK
Points = 3ners = True
ENTER

A/
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month10 days, 20 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question