09-16-2009 11:11 AM - edited 03-09-2019 10:34 PM
OK, here is the deal. I am testing for a setup I want to deploy for a client who needs to connect to our office.
What I want to do:
When hostX tries to connect to destination TCP port 9999 on the outside interface of my ASA5520, the traffic should be translated to port 3389 on my desktop. Pretty simple, no?
Right now here is what is working:
1. From my desktop I can ping hostX
2. From Wireshark I can see the SYN packet come in, and the SYN ACK packet go out to hostX.
Here is what's not working.
1. The SYN ACK packet never gets to hostX.
2. The ASA is not logging any denied packets.
Questions
1. Can I assume all the NATing that needs to be done is OK, since my ping to hostX is working?
2. I created access-lists for the outside interface. A static entry for the PAT. Am I missing anything???
Thanks,
Pete
09-16-2009 12:07 PM
Pete-
1. No. PAT from inside to outside is working, but it doesn't look like it is the other way.
2. Do you have a static NAT for the service?
Can you post your config?
09-16-2009 12:28 PM
Pat,
Thanks for your reply!
Here is my static entry:
static (inside,outside) tcp interface 9999 172.16.5.133 3389 netmask 255.255.255.255
Like I said, I see the first packet (SYN) come in from the Internet and get to 172.16.5.133 (my laptop). Then I see the SYN ACK going out from the laptop, but it never gets to the Internet client. Then I see a few RSTs as the Internet client tries again and again.
I can ping the Internet client from the laptop, so for giggles I started netcat on the Internet client on a high port and tried to connect from the laptop, and NADA...
09-16-2009 12:34 PM
Do you see the SYN ACK go through the firewall (back out to the internet host)?
09-16-2009 12:35 PM
How could I do that?
09-16-2009 01:04 PM
I'm not sure if the log shows it, otherwise use the packet capture option.
http://analysisandreview.com/cisco/how-to-configure-a-packet-capture-in-the-cisco-asa/
09-16-2009 02:20 PM
This is getting stranger. I think someone else may be working on the ASA, because I don't see packets coming to the laptop anymore. And in the logs I get:
No translation group found for tcp src outside:75.222.208.88/9999 dst inside:172.16.5.133/3389
The public address is my client's IP.
What up??
09-17-2009 05:31 AM
Definitely a NAT issue. You can see if others are in with the who command.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1634239
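A small checker for the two artefacts quoted in this thread, the pre-8.3 static PAT line and the 305005 "No translation group found" log message; this is an added example, not code from the thread or from Cisco. It parses both and reports whether the logged flow's destination is the static's mapped side (the packet the ASA would untranslate), its real inside side, or neither; the outside interface address passed in for the "interface" keyword is an assumed placeholder.

```python
import re
from collections import namedtuple

# Pre-8.3 ASA static PAT line, as posted in the thread:
#   static (inside,outside) tcp interface 9999 172.16.5.133 3389 netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>[\d.]+) (?P<real_port>\d+)"
)
# Body of a %ASA-3-305005 syslog, as quoted in the thread:
#   No translation group found for tcp src outside:75.222.208.88/9999 dst inside:172.16.5.133/3389
NOXLATE_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/"
    r"(?P<src_port>\d+) dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# mapped_ip may be the keyword "interface", meaning the mapped interface's own address
StaticPat = namedtuple("StaticPat", "real_if mapped_if proto mapped_ip mapped_port real_ip real_port")

def parse_static(line):
    """Parse one static PAT line; returns None for anything else (e.g. a plain static NAT)."""
    m = STATIC_RE.match(line.strip())
    return None if not m else StaticPat(
        m["real_if"], m["mapped_if"], m["proto"], m["mapped_ip"],
        int(m["mapped_port"]), m["real_ip"], int(m["real_port"]))

def parse_no_xlate(line):
    """Pull the flow out of a 305005 line; returns None if the line is something else."""
    m = NOXLATE_RE.search(line)
    return m.groupdict() if m else None

def classify(statics, log_line, outside_ip):
    """Return "mapped" if the flow's destination is a static's mapped address/port, "real" if
    it is the static's inside address/port instead, "none" if no static covers it.
    outside_ip (an assumed placeholder in the caller) stands in for the "interface" keyword."""
    flow = parse_no_xlate(log_line)
    if flow is None:
        return "not-305005"
    dst = (flow["dst_ip"], int(flow["dst_port"]))
    for s in statics:
        if s.proto != flow["proto"] or (flow["src_if"], flow["dst_if"]) != (s.mapped_if, s.real_if):
            continue
        mapped = outside_ip if s.mapped_ip == "interface" else s.mapped_ip
        if dst == (mapped, s.mapped_port):
            return "mapped"
        if dst == (s.real_ip, s.real_port):
            return "real"
    return "none"
```

Running it over the thread's own log line with its static gives "real": the logged destination is the inside address and port, not the mapped interface address and port 9999 that the static untranslates.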