Need Help with port forwarding on pix 501

Unanswered Question
May 23rd, 2010

Just testing RDP right now and it goes nowhere. Not sure which it is, the NAT or the ACL, that is messed up.

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cisco
domain-name cisco.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 4.3.2.1 server1
name 4.3.2.2 server2
name 4.3.2.3 server3
name 1.2.3.5 server4
name 4.3.2.5 server5
object-group network servers
  network-object server1 255.255.255.255
  network-object server2 255.255.255.255
  network-object server3 255.255.255.255
access-list outside_access_in permit tcp host server1 eq 3389 interface outside eq 3389
access-list outside_access_in permit tcp host server2 eq 1433 interface outside eq 1433
access-list outside_access_in permit tcp host server3 eq 1433 interface outside eq 1433
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 6.7.8.9 255.255.255.192
ip address inside 1.2.3.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location server1 255.255.255.255 outside
pdm location server2 255.255.255.255 outside
pdm location server3 255.255.255.255 outside
pdm location server4 255.255.255.255 inside
pdm location server5 255.255.255.255 outside
pdm group servers outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface outside 1433 server4 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface outside 3389 server4 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 1.2.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 1.2.3.10-1.2.3.20 inside
dhcpd dns 1.2.4.2 1.2.4.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

pciaccio Sun, 05/23/2010 - 16:11
User Badges:
  • Silver, 250 points or more

This is just an assumption; however, shouldn't your default route point to 1.2.3.1 instead of 1.2.4.1? If your default route is set up wrong you will not get out the door to talk to any external address...

shanetapper Sun, 05/23/2010 - 16:16

Thanks for the follow-up, I appreciate it. That may have been my mistyping when trying to change IP addresses. It has something to do with RDP needing to use something other than 3389. Granting access to all ports for the specific IP address, it works fine. Now I just need to determine exactly what ports need to be opened up, but things are working OK now, just not well.

pciaccio Sun, 05/23/2010 - 18:02
User Badges:
  • Silver, 250 points or more

The RDP port number is correct. I would try restructuring your access-list.

You have:

access-list outside_access_in permit tcp host server1 eq 3389 interface outside eq 3389

Try it as:

access-list outside_access_in permit tcp any host server1 eq 3389

I suggest this because your access-list is applied to the traffic inbound. This new line will allow anyone to communicate to Server1 only through TCP port 3389...

shanetapper Mon, 05/24/2010 - 04:53

You are correct, that would open it up to the entire world, but that does not resolve the issue. If I can open up all the ports yet keep it limited to the same handful of IPs, it is a port issue that is preventing things from getting across... or possibly just one of the random PIX nuances.

pciaccio Mon, 05/24/2010 - 05:31
User Badges:
  • Silver, 250 points or more

You need to be more descriptive about what is happening.

1) Who is initiating the RDP session, inside svr to outside or outside to inside? Is the remote svr allowing RDP sessions from your subnet?

2) Are all the svrs seeing the same symptom or just one of them?

3) Did you try checking the access-lists to see if they are getting any hits on them?

4) Did you try debugging for specific packets and verify that you are natting correctly?

5) Is the RDP session giving you an error? Did you check the logs of the ASA? Are they providing information about your session?

shanetapper Mon, 05/24/2010 - 05:40

1) Who is initiating the RDP session, inside svr to outside or outside to inside? Is the remote svr allowing RDP sessions from your subnet?

       All outside. Yes, as stated, things are working when opening all ports to the specific IP address.

2) Are all the svrs seeing the same symptom or just one of them?

        Only testing on a single server I have control of.

3) Did you try checking the access-lists to see if they are getting any hits on them?

         I can look into this.

4) Did you try debugging for specific packets and verify that you are natting correctly?

          I did not, but I believe the natting to be correct. Do you believe it's incorrect based on the above config?

5) Is the RDP session giving you an error? Did you check the logs of the ASA? Are they providing information about your session?

          No errors on the RDP session, it just does not connect.

Leaving the config as is except for allowing all ports instead of just 3389: everything works wonderfully, I can pull up RDP and connect.

Leaving the config as is with just 3389: RDP does not connect at all.

pciaccio Mon, 05/24/2010 - 05:54
User Badges:
  • Silver, 250 points or more

I would then get the global natted outside address of your remote svrs that are initiating the RDP session and place them into your access-list.

Change the ACL like I suggested earlier, but this time place the global outside address on the ACL to be more specific instead of ANY... This will allow just the specific host(s) that you want in, and using only the RDP port...

shanetapper Mon, 05/24/2010 - 06:06

You are confusing me. So essentially you are asking me to enter statements like I had on the first go at things:

access-list outside_access_in permit tcp host server1 eq 3389 interface outside eq 3389

access-list outside_access_in permit tcp host server2 eq 1433 interface outside eq 1433

access-list outside_access_in permit tcp host server3 eq 1433 interface outside eq 1433

When testing things I had added a second line of:

access-list outside_access_in permit tcp host testserver eq 3389 interface outside eq 3389

Sorry, I am a little lost.

pciaccio Mon, 05/24/2010 - 07:35
User Badges:
  • Silver, 250 points or more

What did the logs and ACL hits tell you?

One thing I would do is change your ACL from:

access-list outside_access_in permit tcp host server1 eq 3389 interface outside eq 3389

access-list outside_access_in permit tcp host server2 eq 1433 interface outside eq 1433

access-list outside_access_in permit tcp host server3 eq 1433 interface outside eq 1433

to:

access-list outside_access_in permit tcp host server1 interface outside eq 3389

access-list outside_access_in permit tcp host server2 interface outside eq 1433

access-list outside_access_in permit tcp host server3 interface outside eq 1433

If that does not work, then I would do a debug ip packet (make sure no other traffic is going through the firewall), then look over all the debugs to see what is happening. Are these remote servers being natted? Are you possibly seeing a TCP fragmentation issue where the RDP session never completes? How do you fail on the RDP session? Does the program open the remote window, or are you being prompted with an error immediately? Does the session allow you to log onto it, or does it stop you there?

Either way I would stick with the debugs. That's the best way to determine what and where your issue lies....

cofiguar1 Mon, 05/24/2010 - 15:29

Assuming that your outside IP address is:

ip address outside 6.7.8.9 255.255.255.192

access-list outside_access_in permit tcp any host 6.7.8.9 eq 3389

static (inside,outside) tcp 6.7.8.9 3389 server4 3389 netmask 255.255.255.255

access-group outside_access_in in interface outside

clear xlate
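
The thread's fix comes down to one detail of PIX ACL syntax: in `permit tcp host server1 eq 3389 interface outside eq 3389`, the first `eq 3389` is a source-port test, and an RDP client never uses 3389 as its source port, so the original entries can only ever hit the implicit deny. The following is an added example, not code from the thread or from Cisco: a small Python model of PIX first-match ACL evaluation that runs the original entry, pciaccio's reworked entry and cofiguar1's `any`-source entry against two constructed inbound RDP SYNs. It assumes `interface outside` in an ACL stands for the outside interface address 6.7.8.9 from the posted config, and the second client address 198.51.100.7 is made up for the test.

```python
"""Toy model of PIX 6.x extended-ACL matching, to show why an ACL entry with
a source-port test ('host server1 eq 3389') never matches an RDP client.

Added example for the thread above; not the thread's or Cisco's code.
Name table and outside address come from the posted config; the packets
are constructed test data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

NAMES = {"server1": "4.3.2.1", "server2": "4.3.2.2", "server3": "4.3.2.3"}
OUTSIDE_IF = "6.7.8.9"   # from 'ip address outside 6.7.8.9 255.255.255.192'


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    action: str
    proto: str
    src: str                 # "any", "host A.B.C.D" or "NET MASK"
    sport: Optional[int]     # None = any source port
    dst: str
    dport: Optional[int]     # None = any destination port


def parse_ace(line: str) -> Ace:
    """Parse the subset of 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'
    syntax that appears in the thread. Assumption: 'interface outside' means the
    outside interface address."""
    tok = line.split()
    assert tok[0] == "access-list"
    action, proto = tok[2], tok[3]
    i = 4

    def take_addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host":
            i += 2
            return "host " + NAMES.get(tok[i - 1], tok[i - 1])
        if tok[i] == "interface":
            i += 2
            return "host " + OUTSIDE_IF
        net, mask = tok[i], tok[i + 1]
        i += 2
        return f"{net} {mask}"

    def take_port() -> Optional[int]:
        nonlocal i
        if i < len(tok) and tok[i] == "eq":
            i += 2
            return int(tok[i - 1])
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Ace(action, proto, src, sport, dst, dport)


def addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec[5:]
    net, mask = spec.split()
    return ip_address(ip) in ip_network(f"{net}/{mask}", strict=False)


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; an implicit deny sits at the end, as on the PIX."""
    for ace in acl:
        if ace.proto not in (pkt.proto, "ip"):
            continue
        if not addr_match(ace.src, pkt.src):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if not addr_match(ace.dst, pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


ORIGINAL = "access-list outside_access_in permit tcp host server1 eq 3389 interface outside eq 3389"
PCIACCIO = "access-list outside_access_in permit tcp host server1 interface outside eq 3389"
COFIGUAR1 = "access-list outside_access_in permit tcp any host 6.7.8.9 eq 3389"

# Constructed packets: an RDP SYN from server1 on an ephemeral source port, and
# one from an address the thread never mentions.
RDP_FROM_SERVER1 = Packet("tcp", "4.3.2.1", 49200, "6.7.8.9", 3389)
RDP_FROM_ELSEWHERE = Packet("tcp", "198.51.100.7", 51000, "6.7.8.9", 3389)


def verdict(acl_line: str, pkt: Packet) -> str:
    return evaluate([parse_ace(acl_line)], pkt)


def compare() -> dict:
    """Map each ACL variant to (verdict for server1, verdict for the unknown host)."""
    return {name: (verdict(line, RDP_FROM_SERVER1), verdict(line, RDP_FROM_ELSEWHERE))
            for name, line in (("original", ORIGINAL),
                               ("pciaccio", PCIACCIO),
                               ("cofiguar1", COFIGUAR1))}


if __name__ == "__main__":
    for name, (s1, other) in compare().items():
        print(f"{name:10s} server1 -> {s1:7s} unknown host -> {other}")
```

The original entry denies both packets because it requires source port 3389; pciaccio's version permits only server1 on destination port 3389, which is the least-privilege choice for a handful of known client addresses; cofiguar1's `any` version permits the unknown host as well. On the box itself the same comparison is made by watching the hit counts in `show access-list` while the client connects.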
