ASA 5505 Port Forwarding

Cannot get RDP port forwarding working. Set up NAT, set up access. When I look at the logs I don't see any packets at all incoming to the Outside interface.
Config.txt
icscom asked:

max_the_king commented:
Hi,
I believe you cannot set the following access-list:

access-list outside_access_in extended permit tcp any any object-group TS

Try and use this:
access-list outside_access_in extended permit tcp any <internal-ip-host> object-group TS

If it works, then you can create an object group (NOT any!!!) with the servers you want to RDP into.

Hope this helps,
max
0
icscom (author) commented:
Thanks for your reply. I changed the ACL to:
access-list outside_access_in extended permit tcp any object SQL log debugging

No joy.  I don't see any hits on it when I try to RDP into the Outside IP.
0
max_the_king commented:
Try this:

access-list outside_access_in extended permit tcp any host 10.200.201.153 log debugging
0
icscom (author) commented:
I replaced with:
access-list outside_access_in extended permit tcp any host 10.200.201.153 log debugging

Still no joy, and I don't see any packets hitting it. Shouldn't I see at least my attempts? It shows 0 hits on the firewall rule.
0
max_the_king commented:
Yes, you should.

Have you done the NAT on 10.200.201.153?
0
icscom (author) commented:
Yes.
object network SQL
 nat (inside,outside) static interface service tcp 3389 3389
0
max_the_king commented:
Well, you have two objects contending for one NAT/access-list definition:

object network SQL_RDP
 host 10.200.201.153

object network SQL
 host 10.200.201.153

Try and issue the NAT statement on RDP_static, like this:

object network SQL
no nat (inside,outside) static interface service tcp 3389 3389

clear xlate

object network SQL_RDP
nat (inside,outside) static interface service tcp 3389 3389

access-list outside_access_in extended permit tcp any host 10.200.201.153

and it should work.

max
0
icscom (author) commented:
Made the recommended changes. Still no joy:

object network SQL_RDP
 host 10.200.201.153
object-group service TS tcp
 port-object eq 3389
access-list outside_access_in extended permit tcp any host 10.200.201.153

nat (inside,any) source static obj-10.200.201.0 obj-10.200.201.0 destination static inside-marion inside-marion no-proxy-arp
nat (inside,outside) source static NETWORK_OBJ_10.200.201.0_24 NETWORK_OBJ_10.200.201.0_24 destination static inside-marion inside-marion no-proxy-arp route-lookup
nat (inside,outside) source static TR-Main-Subnet TR-Main-Subnet destination static TR-Marion-Subnet TR-Marion-Subnet no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.200.201.208_29 NETWORK_OBJ_10.200.201.208_29 no-proxy-arp route-lookup
nat (outside,outside) source dynamic any interface description Wireless
nat (inside,outside) source static NETWORK_OBJ_10.200.201.0_24 NETWORK_OBJ_10.200.201.0_24 destination static NETWORK_OBJ_10.10.10.0_27 NETWORK_OBJ_10.10.10.0_27 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network SQL_RDP
 nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in in interface outside
0
max_the_king commented:
Hi,
Sorry, I wrote an incomplete access-list, which should be:
access-list outside_access_in extended permit tcp any host 10.200.201.153 eq 3389

I'm pretty sure it is a matter of NAT, since you do not get any hit count increment.
What I do not like (although Cisco says it is not an error) is the following:

object network obj_any
 nat (inside,outside) dynamic interface

So please try and NAT the specific subnet you want to have a dynamic NAT, i.e.:

object network internal_LAN
subnet 10.200.201.0 255.255.255.0

object network internal_LAN
 nat (inside,outside) dynamic interface

and delete the NAT on obj_any, e.g.:
object network obj_any
 no nat (inside,outside) dynamic interface

Do a clear xlate.

Please note that I'm assuming that all the rest (Internet access, VPN, ...) is working fine.
I was wondering why you still have
dhcpd auto_config outside
in your config, which I believe you should delete if you have public static IP addressing.

Hope this helps,
max
0
icscom (author) commented:
Max, thanks for your help. Made the recommended changes, still no joy. All Internet and VPN are fine, just no PF. Disabled dhcpd also.


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.200.201.0
 subnet 10.200.201.0 255.255.255.0
object network inside-marion
 subnet 10.200.203.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.200.201.0_24
 subnet 10.200.201.0 255.255.255.0
object network TR-Main-Subnet
 subnet 10.200.201.0 255.255.255.0
object network TR-Marion-Subnet
 subnet 10.200.203.0 255.255.255.0
object network NETWORK_OBJ_10.200.201.208_29
 subnet 10.200.201.208 255.255.255.248
object network PhoneVoiceMail
 subnet 10.1.10.0 255.255.255.252
object network SQL_RDP
 host 10.200.201.153
object network NETWORK_OBJ_10.10.10.0_27
 subnet 10.10.10.0 255.255.255.224
object network internal_LAN
 subnet 10.200.201.0 255.255.255.0
object-group service TS tcp
 port-object eq 3389
access-list outside_cryptomap extended permit ip 10.200.201.0 255.255.255.0 10.200.203.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.200.201.0 255.255.255.0 object inside-marion
access-list TR_splitTunnelAcl standard permit 10.200.201.0 255.255.255.0
access-list TR_splitTunnelAcl_1 standard permit 10.200.201.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface inside object-group TS


nat (inside,any) source static obj-10.200.201.0 obj-10.200.201.0 destination static inside-marion inside-marion no-proxy-arp
nat (inside,outside) source static NETWORK_OBJ_10.200.201.0_24 NETWORK_OBJ_10.200.201.0_24 destination static inside-marion inside-marion no-proxy-arp route-lookup
nat (inside,outside) source static TR-Main-Subnet TR-Main-Subnet destination static TR-Marion-Subnet TR-Marion-Subnet no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.200.201.208_29 NETWORK_OBJ_10.200.201.208_29 no-proxy-arp route-lookup
nat (outside,outside) source dynamic any interface description Wireless
nat (inside,outside) source static NETWORK_OBJ_10.200.201.0_24 NETWORK_OBJ_10.200.201.0_24 destination static NETWORK_OBJ_10.10.10.0_27 NETWORK_OBJ_10.10.10.0_27 no-proxy-arp route-lookup
!
object network SQL_RDP
 nat (inside,outside) static interface service tcp 3389 3389
object network internal_LAN
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
0
max_the_king commented:
The access-list is wrong!
You need to set:
access-list outside_access_in extended permit tcp any host 10.200.201.153 eq 3389
because the access-list must be applied on the real IP, not the NATted IP.

Max
0
icscom (author) commented:
OK. Made the change to:

access-list outside_access_in extended permit tcp any host 10.200.201.153 eq 3389

It still doesn't show any hits on the rule when I try to come in. Maybe it needs an old-fashioned reboot, which I will try this weekend.
0
icscom (author) commented:
Just an update. Rebooting did not change the behavior.
0
icscom (author) commented:
I connected a laptop with an IP in the same range as the Outside interface. I could ping the Outside interface okay, but was still unable to reach RDP. I just wanted to make sure there wasn't anything fishy with the ISP. Here is the config:

object network SQL_RDP
 host 10.200.201.153
object service RDP
 service tcp destination eq 3389

access-list outside_access_in extended permit object RDP any object SQL_RDP


nat (inside,outside) source static Taprite-Main-Subnet Taprite-Main-Subnet destination static Taprite-Marion-Subnet Taprite-Marion-Subnet no-proxy-arp route-lookup
nat (outside,outside) source dynamic any interface description Wireless
!
object network SQL_RDP
 nat (inside,outside) static interface service tcp 3389 3389
object network internal_LAN
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
0
max_the_king commented:
Hi,
This one is wrong:
access-list outside_access_in extended permit object RDP any object SQL_RDP

Try the access-list I wrote in a previous post:
access-list outside_access_in extended permit tcp any host 10.200.201.153 eq 3389

max
0
icscom (author) commented:
Yes, we tried that before. I have put it back in, but there is no access.

access-list outside_access_in extended permit tcp any host 10.200.201.153 eq 3389

nat (inside,outside) source static Taprite-Main-Subnet Taprite-Main-Subnet destination static Taprite-Marion-Subnet Taprite-Marion-Subnet no-proxy-arp route-lookup
nat (outside,outside) source dynamic any interface description Wireless
!
object network SQL_RDP
 nat (inside,outside) static interface service tcp 3389 3389
object network internal_LAN
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
0
icscom (author) commented:
We paid Cisco to look at it. They moved the statement "nat (outside,outside) source dynamic any interface description Wireless" to a different position in the NAT order and it started working.
0
icscom (author) commented:
We had to pay Cisco to solve it.
0
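Added example (not the original poster's configuration and not Cisco TAC's exact change, which the thread does not show). It spells out why reordering that one rule fixed the problem: ASA 8.3+ evaluates NAT in three sections, Section 1 (manual/twice NAT, in configured order) before Section 2 (object NAT) before Section 3 (manual NAT entered with "after-auto"), and the first match wins and also picks the egress interface. The "(outside,outside) source dynamic any interface" rule sits in Section 1 with source any and an implicit destination any, so an inbound SYN to the outside IP on 3389 matched it, was pointed back out "outside", and was never untranslated to 10.200.201.153; since 8.3 the interface ACL is checked against the real (untranslated) address after that NAT lookup, which is why the rule for host 10.200.201.153 never counted a hit. Moving the hairpin rule to Section 3 with "after-auto" is the assumed fix; 203.0.113.10 (outside interface address), 198.51.100.25 (remote client) and 198.51.100.0/24 (allowed RDP sources) are placeholders.

```cisco
! Added example, not the original poster's config. Addresses are placeholders.
!
! Problem rule as posted: Section 1 (twice NAT), ingress outside, source any,
! destination implicitly any. An inbound SYN to <outside-ip>:3389 matches it
! before the object NAT for SQL_RDP (Section 2) is consulted, so the
! destination stays the interface IP, egress becomes "outside", and the
! outside_access_in entry for host 10.200.201.153 stays at 0 hits.
no nat (outside,outside) source dynamic any interface description Wireless

! Same wireless hairpin rule, demoted to Section 3 so object NAT wins first.
nat (outside,outside) after-auto source dynamic any interface description Wireless

! Port forward, unchanged from the thread (object NAT, Section 2).
object network SQL_RDP
 host 10.200.201.153
 nat (inside,outside) static interface service tcp 3389 3389

! ACL on the real (untranslated) address. "any" as source would expose RDP to
! the whole Internet; 198.51.100.0/24 is a placeholder for the addresses
! that actually need RDP to this host.
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 host 10.200.201.153 eq 3389
access-group outside_access_in in interface outside

! Drop existing translations so the new rule order is used.
clear xlate

! Verification. "show nat detail" lists the rules by section with their
! translate_hits; packet-tracer simulates an inbound SYN from the placeholder
! client 198.51.100.25 to the placeholder outside address 203.0.113.10.
show nat detail
packet-tracer input outside tcp 198.51.100.25 50000 203.0.113.10 3389 detailed
show access-list outside_access_in
```

In the packet-tracer output, the NAT (UN-NAT) phase should now report the destination untranslated to 10.200.201.153/3389 with egress interface inside, followed by an ACCESS-LIST phase that allows the flow; with the hairpin rule still in Section 1 the same trace ends with egress outside and no ACL match, which is the symptom reported throughout the thread. The same shadowing happens with any Section 1 rule that uses "any" as the source with no destination object, so check "show nat" for such rules whenever an object NAT static appears to be ignored.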