ASA 5505 Port Forwarding
icscom asked:
Cannot get RDP port forwarding working. Set up NAT, set up access. When I look at the logs I don't see any packets at all incoming to the Outside interface.
Config.txt
ASKER
Thanks for your reply. I changed the ACL to:
access-list outside_access_in extended permit tcp any object SQL log debugging
No joy. I don't see any hits on it when I try to RDP into the Outside IP.
try this:
access-list outside_access_in extended permit tcp any host 10.200.201.153 log debugging
ASKER
I replaced with:
access-list outside_access_in extended permit tcp any host 10.200.201.153 log debugging
Still no joy, and I don't see any packets hitting it. Shouldn't I see at least my attempts? It shows 0 hits on the firewall rule.
Yes, you should.
Have you done the NAT on 10.200.201.153?
ASKER
Yes.
object network SQL
nat (inside,outside) static interface service tcp 3389 3389
Well, you have two objects contending for a NAT/access-list definition:
object network SQL_RDP
host 10.200.201.153
object network SQL
host 10.200.201.153
Try and issue the NAT statement on RDP_static, like this:
object network SQL
no nat (inside,outside) static interface service tcp 3389 3389
clear xlate
object network SQL_RDP
nat (inside,outside) static interface service tcp 3389 3389
access-list outside_access_in extended permit tcp any host 10.200.201.153
and it should work.
max
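The NAT-plus-ACL pair max describes above, written out as a complete inbound RDP port-forward for ASA 8.3 and later. This is an added example, not the asker's config or any poster's text: the object-group ADMIN_NETS and the addresses in it are assumptions standing in for whatever source ranges actually need RDP. It deliberately does not permit `any` as a source; TCP/3389 open to the whole internet draws brute-force and RDP exploit traffic, so the source should be pinned to known admin or VPN ranges, or the service kept behind the VPN altogether.

```cisco
! --- Added example: inbound RDP port-forward on ASA 8.3+ (ADMIN_NETS and its addresses are assumed) ---
! Real (inside) host that receives the forwarded session
object network SQL_RDP
 host 10.200.201.153
 ! Object NAT: map <outside-interface-IP>:3389 to 10.200.201.153:3389.
 ! "static interface" reuses the outside interface address, so it works with a single public IP.
 nat (inside,outside) static interface service tcp 3389 3389
!
! Assumed admin source ranges; replace with the real ones. Never use "any" here for RDP.
object-group network ADMIN_NETS
 network-object host 203.0.113.10
 network-object 203.0.113.64 255.255.255.192
!
! On 8.3+ the interface ACL is evaluated against the REAL (un-NATted) destination address,
! so the rule names 10.200.201.153, not the outside interface address.
access-list outside_access_in extended permit tcp object-group ADMIN_NETS host 10.200.201.153 eq 3389
!
! Bind the ACL inbound on the outside interface (without this line the ACL is never consulted)
access-group outside_access_in in interface outside
```

Three parts have to agree: the object NAT entry that maps the port, the ACL that references the real host, and the access-group that applies it to the outside interface. After changing NAT, run `clear xlate` so no stale translation from an earlier rule keeps matching.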
ASKER
Made recommended changes. Still no joy:
object network SQL_RDP
host 10.200.201.153
object-group service TS tcp
port-object eq 3389
access-list outside_access_in extended permit tcp any host 10.200.201.153
nat (inside,any) source static obj-10.200.201.0 obj-10.200.201.0 destination static inside-marion inside-marion no-proxy-arp
nat (inside,outside) source static NETWORK_OBJ_10.200.201.0_24 NETWORK_OBJ_10.200.201.0_24 destination static inside-marion inside-marion no-proxy-arp route-lookup
nat (inside,outside) source static TR-Main-Subnet TR-Main-Subnet destination static TR-Marion-Subnet TR-Marion-Subnet no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.200.201.208_29 NETWORK_OBJ_10.200.201.208_29 no-proxy-arp route-lookup
nat (outside,outside) source dynamic any interface description Wireless
nat (inside,outside) source static NETWORK_OBJ_10.200.201.0_24 NETWORK_OBJ_10.200.201.0_24 destination static NETWORK_OBJ_10.10.10.0_27 NETWORK_OBJ_10.10.10.0_27 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network SQL_RDP
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in in interface outside
Hi,
Sorry, I wrote an incomplete access-list, which should be:
access-list outside_access_in extended permit tcp any host 10.200.201.153 eq 3389
I'm pretty sure it is a matter of NAT, since you do not get any hit-count increment.
What I do not like (although Cisco says it is not an error) is the following:
object network obj_any
nat (inside,outside) dynamic interface
So please try and NAT the specific subnet you want to have a dynamic NAT, i.e.:
object network internal_LAN
subnet 10.200.201.0 255.255.255.0
object network internal_LAN
nat (inside,outside) dynamic interface
and delete the NAT on obj_any, e.g.:
object network obj_any
no nat (inside,outside) dynamic interface
Do a clear xlate.
Please note that I'm assuming that all the rest (internet access, VPN, ...) is working fine.
I was wondering why you still have
dhcpd auto_config outside
in your config, which I believe you should delete should you have public static IP addressing.
Hope this helps
max
ASKER
Max, thanks for your help. Made recommended changes, still no joy. All Internet and VPN are fine, just no PF. Disabled dhcpd also.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.200.201.0
subnet 10.200.201.0 255.255.255.0
object network inside-marion
subnet 10.200.203.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.200.201.0_24
subnet 10.200.201.0 255.255.255.0
object network TR-Main-Subnet
subnet 10.200.201.0 255.255.255.0
object network TR-Marion-Subnet
subnet 10.200.203.0 255.255.255.0
object network NETWORK_OBJ_10.200.201.208_29
subnet 10.200.201.208 255.255.255.248
object network PhoneVoiceMail
subnet 10.1.10.0 255.255.255.252
object network SQL_RDP
host 10.200.201.153
object network NETWORK_OBJ_10.10.10.0_27
subnet 10.10.10.0 255.255.255.224
object network internal_LAN
subnet 10.200.201.0 255.255.255.0
object-group service TS tcp
port-object eq 3389
access-list outside_cryptomap extended permit ip 10.200.201.0 255.255.255.0 10.200.203.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.200.201.0 255.255.255.0 object inside-marion
access-list TR_splitTunnelAcl standard permit 10.200.201.0 255.255.255.0
access-list TR_splitTunnelAcl_1 standard permit 10.200.201.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface inside object-group TS
nat (inside,any) source static obj-10.200.201.0 obj-10.200.201.0 destination static inside-marion inside-marion no-proxy-arp
nat (inside,outside) source static NETWORK_OBJ_10.200.201.0_24 NETWORK_OBJ_10.200.201.0_24 destination static inside-marion inside-marion no-proxy-arp route-lookup
nat (inside,outside) source static TR-Main-Subnet TR-Main-Subnet destination static TR-Marion-Subnet TR-Marion-Subnet no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.200.201.208_29 NETWORK_OBJ_10.200.201.208_29 no-proxy-arp route-lookup
nat (outside,outside) source dynamic any interface description Wireless
nat (inside,outside) source static NETWORK_OBJ_10.200.201.0_24 NETWORK_OBJ_10.200.201.0_24 destination static NETWORK_OBJ_10.10.10.0_27 NETWORK_OBJ_10.10.10.0_27 no-proxy-arp route-lookup
!
object network SQL_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network internal_LAN
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
The access-list is wrong!
You need to set:
access-list outside_access_in extended permit tcp any host 10.200.201.153 eq 3389
because the access-list must be applied on the real IP, not the NATted IP.
Max
ASKER
OK. Made change to:
access-list outside_access_in extended permit tcp any host 10.200.201.153 eq 3389
It still doesn't show any hits on the rule when I try to come in. Maybe it needs an old-fashioned reboot, which I will try this weekend.
ASKER
Just an update. Rebooting did not change behavior.
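A hit counter that stays at 0 on a rule you are sure you are sending traffic to means one of two things: the packet never reached the outside interface, or the ASA dropped it in a phase before the ACL check (NAT lookup, routing, or a manual NAT rule in section 1 that is evaluated before object NAT and can shadow the port-forward). The commands below separate those cases. This is an added troubleshooting sequence, not part of the thread; the outside interface address 198.51.100.2 and the test client 203.0.113.10 are assumed placeholders.

```cisco
! --- Added example: find where an inbound 3389 SYN is lost (198.51.100.2 and 203.0.113.10 are assumed) ---
! 1. Does the SYN arrive on the wire at all? A capture matches before NAT and before the ACL.
capture rdp_in interface outside match tcp host 203.0.113.10 host 198.51.100.2 eq 3389
! (start the RDP connection from 203.0.113.10 now, then read the buffer)
show capture rdp_in
! Empty buffer: the upstream/ISP is not delivering TCP/3389 to this interface; the ASA config is not at fault.
!
! 2. Packets arrive but the ACL counter stays 0: ask the ASA why it dropped them.
! Reset the counters first so only this test's drops are counted, retry, then read them.
clear asp drop
show asp drop
!
! 3. Check the NAT table directly. "show nat detail" lists rules in evaluation order (section 1 manual
! NAT first, then section 2 object NAT) with translate_hits/untranslate_hits per rule; an inbound
! match on the static port-forward shows up as untranslate_hits.
show nat detail
! Translations built under an earlier NAT rule keep matching until flushed:
clear xlate
!
! 4. Trace one synthetic packet through every phase; the output names the first phase that drops it
! and shows which NAT rule and ACL entry were selected.
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.2 3389 detailed
!
! 5. Remove the capture when finished; it holds a memory buffer on the box.
no capture rdp_in
```

Work the steps in order: the capture answers "did it arrive", `show asp drop` and `packet-tracer` answer "why was it dropped", and `show nat detail` confirms which rule actually won. The ACL forms tried in the thread (`host ... eq 3389` and the `object RDP ... object SQL_RDP` service-object form) are both accepted syntax on 8.3+, so a zero counter on either points at an earlier phase, not at ACL syntax.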
ASKER
I connected a laptop with an IP in the same range as the Outside interface. I could ping the Outside interface okay, but was still unable to reach RDP. I just wanted to make sure there wasn't anything fishy with the ISP. Here is the config:
object network SQL_RDP
host 10.200.201.153
object service RDP
service tcp destination eq 3389
access-list outside_access_in extended permit object RDP any object SQL_RDP
nat (inside,outside) source static Taprite-Main-Subnet Taprite-Main-Subnet destination static Taprite-Marion-Subnet Taprite-Marion-Subnet no-proxy-arp route-lookup
nat (outside,outside) source dynamic any interface description Wireless
!
object network SQL_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network internal_LAN
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
Hi,
This one is wrong! access-list outside_access_in extended permit object RDP any object SQL_RDP
Try the access-list I wrote in a previous post:
access-list outside_access_in extended permit tcp any host 10.200.201.153 eq 3389
max
ASKER
Yes, we tried that before. I have put it back in, but there is no access.
access-list outside_access_in extended permit tcp any host 10.200.201.153 eq 3389
nat (inside,outside) source static Taprite-Main-Subnet Taprite-Main-Subnet destination static Taprite-Marion-Subnet Taprite-Marion-Subnet no-proxy-arp route-lookup
nat (outside,outside) source dynamic any interface description Wireless
!
object network SQL_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network internal_LAN
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
We had to pay Cisco to solve it.
I believe you cannot set the following access-list:
access-list outside_access_in extended permit tcp any any object-group TS
Try and use this:
access-list outside_access_in extended permit tcp any <internal-ip-host> object-group TS
If it works, then you can create an object group (NOT any!) with the servers you want to RDP into.
Hope this helps
max