Static NAT strangeness

Unanswered Question
Sep 16th, 2009

OK here is the deal. I am testing for a setup I want to deploy for a client who needs to connect to our office.

What I want to do:

When hostX tries to connect to destination TCP port 9999 on the outside interface of my ASA5520, the traffic should be translated to port 3389 on my desktop. Pretty simple, no?

Right now here is what is working:

1. From my desktop I can ping hostX

2. From Wireshark I can see the SYN packet come in, and the SYN ACK packet go out to hostX.

Here is what's not working.

1. The SYN ACK packet never gets to hostX.

2. The ASA is not logging any denied packets.

Questions

1. Can I assume all the NATing that needs to be done is OK, since my ping to hostX is working?

2. I created access-lists for the outside interface and a static entry for the PAT. Am I missing anything?

Thanks,

Pete

Collin Clark Wed, 09/16/2009 - 12:07

Pete-

1. No. PAT from inside to outside is working, but it doesn't look like it is the other way.

2. Do you have a static NAT for the service?

Can you post your config?

pener1963 Wed, 09/16/2009 - 12:28

Pat,

Thanks for your reply!

Here is my static entry:

static (inside,outside) tcp interface 9999 172.16.5.133 3389 netmask 255.255.255.255

Like I said, I see the first packet (SYN) come in from the Internet and get to 172.16.5.133 (my laptop). Then I see the SYN ACK going out from the laptop, but it never gets to the Internet client. Then I see a few RSTs as the Internet client tries again and again.

I can ping the Internet client from the laptop, so for giggles I started netcat on the Internet client on a high port and tried to connect from the laptop, and... nada.
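
For reference, here is a complete pre-8.3 ASA configuration for the port redirection this thread is about, together with the commands used to check it. This is an added example, not configuration posted by Pete or Collin. The static line is the one from the post above, and the inside host 172.16.5.133, ports 9999/3389 and the client address 75.222.208.88 are taken from the thread; the ACL name outside_access_in, the outside interface address 203.0.113.2 and the client source port 1025 are assumptions for illustration only.

```cisco
! Pre-8.3 ASA syntax (static/global/nat), matching the 2009-era commands in the thread.
! Port redirection: outside interface :9999/tcp -> 172.16.5.133:3389/tcp
static (inside,outside) tcp interface 9999 172.16.5.133 3389 netmask 255.255.255.255
!
! Inbound ACL on the outside interface. On 8.2 and earlier the interface ACL is
! matched against the MAPPED (public) destination, i.e. the outside interface
! address and port 9999, not against the inside address 172.16.5.133.
! Limiting the source to the one client host keeps RDP off the open Internet.
! "outside_access_in" is an assumed ACL name.
access-list outside_access_in extended permit tcp host 75.222.208.88 interface outside eq 9999
access-group outside_access_in in interface outside
!
! Log denials so a blocked SYN or a missing translation shows up in the buffer.
logging enable
logging buffered informational
!
! --- Verification (privileged exec) ---
! Simulate the client's SYN arriving on the outside interface. 203.0.113.2 is an
! assumed outside interface address and 1025 an assumed client source port.
! Each phase (ACCESS-LIST, NAT, ...) reports ALLOW or DROP, so a rule the SYN
! never matches or a missing translation is pinpointed without another capture.
packet-tracer input outside tcp 75.222.208.88 1025 203.0.113.2 9999 detailed
!
! The static should be listed as a PAT xlate before any traffic flows; if it is
! not, confirm the static line is still in the running config.
show xlate
show running-config static
!
! Once the client connects, the connection should be listed; no entry means the
! SYN never built a conn, so the returning SYN/ACK has nothing to match against.
show conn address 172.16.5.133
show logging | include 172.16.5.133
```

The "No translation group found" log line quoted later in the thread is what the ASA prints when a packet reaches the NAT phase and no static or nat/global pair covers it, so the NAT phase of the packet-tracer output is the first place to look; show running-config static also settles whether the static is still present when someone else may be changing the box.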

Collin Clark Wed, 09/16/2009 - 12:34

Do you see the SYN ACK go through the firewall (back out to the internet host)?

pener1963 Wed, 09/16/2009 - 14:20

This is getting stranger. I think someone else may be working on the ASA, because I don't see packets coming to the laptop anymore. And in the logs I get:

No translation group found for tcp src outside:75.222.208.88/9999 dst inside:172.16.5.133/3389

The public address is my client's IP.

What's up?
