
Static nat strangeness

Pete89
Level 2

OK, here is the deal. I am testing a setup I want to deploy for a client who needs to connect to our office.

What I want to do:

When hostX tries to connect to destination TCP port 9999 on the outside interface of my ASA5520, the traffic should be translated to port 3389 on my desktop. Pretty simple, no?

Right now, here is what is working:

1. From my desktop I can ping hostX

2. From Wireshark I can see the SYN packet come in, and the SYN ACK packet go out to hostX.

Here is what's not working.

1. The SYN ACK packet never gets to hostX.

2. The ASA is not logging any denied packets.

Questions

1. Can I assume all the NATing that needs to be done is OK, since my ping to hostX is working?

2. I created access-lists for the outside interface and a static entry for the PAT. Am I missing anything?

Thanks,

Pete

7 Replies

Collin Clark
VIP Alumni

Pete-

1. No. PAT from inside to outside is working, but it doesn't look like it is the other way.

2. Do you have a static NAT for the service?

Can you post your config?

Pat,

Thanks for your reply!

Here is my static entry:

static (inside,outside) tcp interface 9999 172.16.5.133 3389 netmask 255.255.255.255

Like I said, I see the first packet (SYN) come in from the Internet and get to 172.16.5.133 (my laptop). Then I see the SYN ACK going out from the laptop, but it never gets to the Internet client. Then I see a few RSTs as the Internet client tries again and again.

I can ping the Internet client from the laptop, so for giggles I started netcat on the Internet client on a high port and tried to connect from the laptop, and NADA.

Do you see the SYN ACK go through the firewall (back out to the internet host)?

How could I do that?

I'm not sure if the log shows it, otherwise use the packet capture option.

http://analysisandreview.com/cisco/how-to-configure-a-packet-capture-in-the-cisco-asa/

This is getting stranger. I think someone else may be working on the ASA, because I don't see packets coming to the laptop anymore. And in the logs I get:

No translation group found for tcp src outside:75.222.208.88/9999 dst inside:172.16.5.133/3389

The public address is my client's IP.

What up??

Definitely a NAT issue. You can see if others are in with the who command.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1634239
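As an added example that is not part of this thread or the linked pages: the sequence a practitioner would run on a pre-8.3 ASA to verify this static PAT and find where the SYN/ACK is being lost, covering both the "do you have a static for the service" question and the packet-capture suggestion above. The translated host 172.16.5.133, ports 9999 and 3389, and the client address 75.222.208.88 come from the thread; the ASA outside address 203.0.113.10, the ACL name OUTSIDE_IN, the capture names and the client source port 40000 are assumptions made for the example.

```cisco
! Added example (not from the thread): static PAT on a pre-8.3 ASA plus the
! captures and checks used to locate a lost SYN/ACK.
! Assumed values: outside address 203.0.113.10, ACL OUTSIDE_IN, source port 40000.

! 1. The translation and the rule that permits it. On pre-8.3 code the ACL
!    matches the *translated* (outside) address, hence "interface outside".
static (inside,outside) tcp interface 9999 172.16.5.133 3389 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any interface outside eq 9999
access-group OUTSIDE_IN in interface outside

! 2. Translations that existed before the static was added persist and keep
!    their old mapping; clear them so the new static is used.
clear xlate

! 3. Captures on both interfaces (match clauses are bidirectional, so the
!    SYN/ACK is captured too) and a capture of everything the ASP drops.
capture CAPOUT interface outside match tcp host 75.222.208.88 host 203.0.113.10 eq 9999
capture CAPIN interface inside match tcp host 75.222.208.88 host 172.16.5.133 eq 3389
capture CAPDROP type asp-drop all

! 4. Simulate the client's SYN through the ACL and NAT phases before
!    touching the real client.
packet-tracer input outside tcp 75.222.208.88 40000 203.0.113.10 9999

! 5. Reproduce the connection from the client, then inspect.
show capture CAPOUT
show capture CAPIN
show capture CAPDROP
show xlate
show conn address 172.16.5.133
show logging | include 305005

! 6. Clean up.
no capture CAPOUT
no capture CAPIN
no capture CAPDROP
```

Reading the output: packet-tracer must show the NAT phase hitting the static and the ACL phase permitting; if either fails, the problem is configuration, not the path. If CAPIN shows the SYN/ACK leaving 172.16.5.133 but CAPOUT never shows it and CAPDROP contains it, the ASA dropped the reply (the drop reason is printed with the packet); if CAPOUT does show the SYN/ACK, the loss is upstream of the ASA. The 305005 "No translation group found" message in the thread is the ASA reporting that a packet arrived for which no matching xlate exists, which is what `show xlate` and the packet-tracer NAT phase are there to confirm.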
