Solved

Problem with Nat Cisco ASA 5505

Posted on 2009-07-06
Last Modified: 2012-05-07
I have a problem with a Cisco ASA 5505. I can't make NAT work. I have 12 public IPs. I want to NAT port 3389 from one of the 12 IPs. For example, for my public IP "84.xxx.xxx.197", NAT 3389 to 192.169.10.10.

Attached is a Word document with screenshots (images) of the configuration.

Thanks a lot!

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2 encrypted
passwd 2OU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 84.999.999.194 255.255.255.240
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list INSIDE_ACL_OUT extended permit ip any any
access-list 100 extended permit tcp any any eq 3389
access-list inside_access_in extended permit ip any any
access-list inbound extended permit tcp any interface outside eq 3389
access-list RDP extended permit tcp any interface outside eq 3389 log
access-list RDP extended permit tcp interface outside interface inside eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool pool1 192.168.10.70-192.168.10.75 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 84.xxx.xxx.195-84.xxx.xxx.206 netmask 255.255.255.240
nat (inside) 1 192.168.10.0 255.255.255.0
static (outside,inside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 84.xx.xxx.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 84.XXX.XXX.194 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.90-192.168.10.100 inside
dhcpd dns 154.15.255.134 154.15.255.130 interface inside
dhcpd enable inside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
username javi password IlgpTNaSWRdb/oYPeip5kg== nt-encrypted privilege 0
username javi attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool pool1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 89.131.198.96 type ipsec-l2l
tunnel-group 89.131.198.96 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6e72fb0b5c6fe3eef9d9e68f33ef634e
: end


Question by:rauljimenez

Accepted Solution

by: 3nerds (earned 500 total points)
Your static is backwards:
static (outside,inside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255

needs to be this:

static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255

Your acl looks to be correct though.

Good Luck,

3nerds

Expert Comment

by: wiscom
Hello,

Here is the solution:
First, clean your config:

no access-list outside_access_in extended permit ip any any
no access-list outside_access_in extended permit tcp any interface outside eq 3389
no access-list INSIDE_ACL_OUT extended permit ip any any
no access-list 100 extended permit tcp any any eq 3389
no access-list inside_access_in extended permit ip any any
no access-list inbound extended permit tcp any interface outside eq 3389
no access-list RDP extended permit tcp any interface outside eq 3389 log
no access-list RDP extended permit tcp interface outside interface inside eq 3389
!
no access-group inside_access_in in interface inside
!
no access-group 100 in interface outside
!
access-list outside-entry-RDP extended permit tcp any host 84.x.x.197 eq 3389
!
static (inside,outside) tcp 84.x.x.197 3389 192.168.10.10 3389 netmask 255.255.255.255
!
access-group outside-entry-RDP in interface outside
!
end

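As an added check (my own example, not code from either answer in this thread), this applies the direction rule that both 3nerds' and wiscom's fixes rely on: in a 7.x `static (real_if,mapped_if)` the first interface is where the real host lives, so an inside server published to the Internet must read `(inside,outside)`. The interface table is built from the posted config, with the masked public /28 replaced by the constructed placeholder range 203.0.113.192/28.

```python
import ipaddress
import re

# Constructed sample, not the poster's full config: the security levels and
# addresses of the three interfaces from the question, with the masked public
# /28 replaced by the documentation range 203.0.113.192/28 as a placeholder.
IFACES = {
    "inside":  (100, "192.168.10.1/255.255.255.0"),
    "outside": (0,   "203.0.113.194/255.255.255.240"),
    "dmz":     (50,  "192.168.12.1/255.255.255.0"),
}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped>\S+) (?P<mport>\d+) (?P<real>\S+) (?P<rport>\d+)"
)

def iface_net(name):
    """Security level and IPv4 subnet of a named interface."""
    level, cidr = IFACES[name]
    return level, ipaddress.ip_network(cidr, strict=False)

def check_static(line):
    """Return the problems found in one ASA 7.x 'static (real_if,mapped_if) tcp' line."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a TCP port static"]
    problems = []
    real_lvl, real_net = iface_net(m["real_if"])
    mapped_lvl, mapped_net = iface_net(m["mapped_if"])
    # The first interface is where the real host lives and the second is where
    # the translated address is presented: publishing an inside server needs
    # (inside,outside), so a real host outside that subnet means a swapped pair.
    if ipaddress.ip_address(m["real"]) not in real_net:
        problems.append(f"real host {m['real']} is not on {m['real_if']} "
                        f"({real_net}): interface pair looks reversed")
    if real_lvl < mapped_lvl:
        problems.append(f"{m['real_if']} (level {real_lvl}) is less trusted than "
                        f"{m['mapped_if']} (level {mapped_lvl}): not a server publication")
    if m["mapped"] != "interface" and \
            ipaddress.ip_address(m["mapped"]) not in mapped_net:
        problems.append(f"mapped address {m['mapped']} is not on "
                        f"{m['mapped_if']} ({mapped_net})")
    return problems

if __name__ == "__main__":
    posted = "static (outside,inside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255"
    fixed = "static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255"
    for line in (posted, fixed):
        print(line, "->", check_static(line) or ["ok"])
```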

Expert Comment

by: 3nerds
Wow, I am impressed. Well, not really, but what wiscom has stated will work and would clean the config up, as he put it. I prefer not to assume that I know your environment as well as you do, and to tell you the pieces that are missing or wrong without making you change everything else.

Good Luck,

3nerds
Author Closing Comment

by: rauljimenez
Thanks, my config is OK now. I had two problems: one was the problem you mentioned, and the other was on the server, where the default GW was wrong. Thanks a lot!!

Expert Comment

by: wiscom
Hi,
ACK
Points = 3nerds = True
ENTER

A/