ASA 5505 won't pass ports through fw/NAT

Nov 16th, 2011

We're trying to get a remote access setup for someone who needs to have access from offsite. To make things easy we set it up with a virtual machine running Windows 7 and RDP. Because the "other end" isn't our computer and we've had some difficulties with people using the Cisco VPN client successfully, we were just going to set up a machine as an RDP Gateway and forward the port through the firewall (WebVPN might be nice, but the plugins only do RDP through v5.x). I've tried this on 8.4-1 and after reinstalling the latest 8.2, and supposedly the NAT works and there is a firewall rule allowing access from the outside to the RD-GW server on HTTPS, but the ASA is still blocking those packets. I've looked at 4 howtos and followed them, trying from the console and from ASDM (and one trashed the whole setup, probably related to the reinstall of 8.2) - what am I doing wrong?


Thank you!


Config:

Result of the command: "show config"

: Saved
: Written by enable_15 at 02:42:50.752 UTC Thu Nov 17 2011
!
ASA Version 8.4(2)
!
hostname g(...)

domain-name vinemapleplace.org
enable password (...) encrypted
passwd (...) encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.10.100.2 255.255.255.248
!
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.87.69.146
domain-name vinemapleplace.org
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VMP-RA1
host 192.168.0.a
description VMP-RA1 INSIDE
object network VMP-RA1P
host 173.10.b.c
description VMP-RA3 OUTSIDE
object network mail.vinemapleplace.org
host 207.97.d.e
description mail server at CWW
object network VMPDC2
host 192.168.0.f
description Secondary DC/Remote Access Gateway
object network VMPDC2P
host 173.10.g.h
description VMPDC2 public IP
object-group service RDP tcp
description MS RDP service
port-object eq 3389
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_2 tcp
port-object eq imap4
port-object eq pop2
port-object eq pop3
port-object eq smtp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access extended permit tcp any object VMPDC2 eq https
access-list outside_access extended permit tcp any object VMP-RA1 object-group RDP inactive
access-list inside_access_in remark DNS
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in remark FTP
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit tcp any any eq hostname
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit tcp any any eq ssh
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit object-group TCPUDP any any eq echo
access-list inside_access_in extended permit udp any any eq nameserver
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit tcp any object mail.vinemapleplace.org object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit tcp any any object-group RDP
access-list inside_access_in extended permit ip any any inactive
access-list global_access extended permit tcp any object VMP-RA1 object-group RDP inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network VMP-RA1
nat (inside,outside) static VMP-RA1P
object network VMPDC2
nat (inside,outside) static VMPDC2P service tcp https https
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access in interface outside
access-group global_access global
!
router rip
!
route outside 0.0.0.0 0.0.0.0 173.10.h.i 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VMP_Users protocol ldap
aaa-server VMP_Users (inside) host 192.168.0.j
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca (...)
  quit
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:(...)

Maykol Rojas Wed, 11/16/2011 - 19:10
User Badges:
  • Cisco Employee
  • Featured Participant, Best Post, December 2015

The first NAT rule is actually taking over the whole NAT configuration. Try a more specific one that comes before the regular PAT.

Try this:

nat (inside,outside) source static VMP-RA1 VMP-RA1P

That will translate RA1 to RA1P, so the outside users should access RA1P to get to the host RA1.


Let me know.


Mike

Scott Quinn Wed, 11/16/2011 - 19:46

I'm worried about getting rid of that first rule, because isn't that the one that allows the other inside users to share the NAT/PAT internet connection for their work (e-mail, web browsing, etc.)?

Scott Quinn Wed, 11/16/2011 - 20:13

Got it to work - I was messing with the ASDM's "Public Servers" thing and somehow, though I wasn't able to get the direct-to-RDP thing to work, I was able to get the more secure RDP-gateway thing over HTTPS to work.


Still can't figure out exactly what I did differently this time...

Maykol Rojas Wed, 11/16/2011 - 20:31
User Badges:
  • Cisco Employee
  • Featured Participant, Best Post, December 2015

Hi Scott,


Well, I did not say to remove that line, just to add the one that I put. The problem is that NAT is read from top to bottom, and the first line you have is the one for internet access (regular PAT), so no other NAT is going to take precedence. The NAT config that I put will be located in the manual NAT section, so it will hit that one first (for that specific host) and then the rest of the hosts are going to go with the regular PAT.


Mike
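As an added illustration (not Cisco code and not part of this thread), the Python below models the rule-precedence behaviour Mike describes: the manual NAT section is consulted first, then object (auto) NAT, then after-auto NAT, and the first rule that matches the real source wins. The ordering inside the auto NAT section (static before dynamic, then fewer real addresses, then lowest real address, then object name) is taken from Cisco's ASA NAT documentation rather than from the thread; the host addresses are constructed stand-ins for the masked ones in the posted config, and the rule labels and helper functions are assumptions of this example.

```python
"""Toy model of how an ASA (8.3+) picks a NAT rule for a packet from an inside host.

Added illustration only; this is not Cisco code and not the ASA's real implementation.
Assumed evaluation order (from Cisco's NAT documentation, not from the thread):
  section 1: manual ("twice") NAT, configuration order
  section 2: auto (object) NAT; static before dynamic, then fewer real
             addresses first, then lowest real address, then object name
  section 3: after-auto manual NAT, configuration order
Within a section the first rule whose real source matches the packet wins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed host addresses; the thread masks the real ones (192.168.0.a, 192.168.0.f).
VMP_RA1 = "192.168.0.10"      # stands in for 192.168.0.a
VMPDC2 = "192.168.0.20"       # stands in for 192.168.0.f
WORKSTATION = "192.168.0.77"  # any other inside host sharing the PAT


@dataclass
class NatRule:
    section: int                  # 1 manual, 2 auto, 3 after-auto
    real_src: str                 # real (inside) host or subnet
    mapped: str                   # mapped address, or "interface" for PAT
    kind: str                     # "static" or "dynamic"
    name: str                     # object name, used as the auto-NAT tie-break
    order: int = 0                # configuration order (sections 1 and 3)
    # (protocol, real-side port) for a rule like "static VMPDC2P service tcp https https"
    service: Optional[Tuple[str, int]] = None

    def matches(self, src_ip: str, proto: str, real_port: int) -> bool:
        if ip_address(src_ip) not in ip_network(self.real_src, strict=False):
            return False
        # A service-restricted static rule only covers that protocol and port;
        # other traffic from the same host falls through to later rules.
        return self.service is None or self.service == (proto, real_port)


def auto_nat_key(rule: NatRule):
    """Sort key reproducing the assumed section-2 ordering."""
    net = ip_network(rule.real_src, strict=False)
    return (rule.kind != "static", net.num_addresses, int(net.network_address), rule.name)


def pick_rule(rules: List[NatRule], src_ip: str, proto: str = "tcp",
              real_port: int = 443) -> Optional[NatRule]:
    """Return the first matching rule in section order, or None."""
    for section in (1, 2, 3):
        in_section = [r for r in rules if r.section == section]
        in_section.sort(key=auto_nat_key if section == 2 else (lambda r: r.order))
        for rule in in_section:
            if rule.matches(src_ip, proto, real_port):
                return rule
    return None


def posted_config() -> List[NatRule]:
    """NAT rules as they appear in the original post (addresses constructed)."""
    return [
        NatRule(2, "0.0.0.0/0", "interface", "dynamic", "obj_any"),
        NatRule(2, VMP_RA1, "VMP-RA1P", "static", "VMP-RA1"),
        NatRule(2, VMPDC2, "VMPDC2P", "static", "VMPDC2", service=("tcp", 443)),
        NatRule(3, "0.0.0.0/0", "interface", "dynamic", "after-auto PAT", order=1),
    ]


def with_manual_rule() -> List[NatRule]:
    """The posted config plus the manual (section 1) rule suggested in the reply."""
    manual = NatRule(1, VMP_RA1, "VMP-RA1P", "static", "manual VMP-RA1", order=1)
    return [manual] + posted_config()


def summarize(rules: List[NatRule], src_ip: str, proto: str = "tcp", real_port: int = 443) -> str:
    rule = pick_rule(rules, src_ip, proto, real_port)
    return "no match" if rule is None else f"section {rule.section} {rule.kind} {rule.name} -> {rule.mapped}"


if __name__ == "__main__":
    for label, rules in (("posted", posted_config()), ("with manual rule", with_manual_rule())):
        print(f"--- {label} ---")
        print("RA1 tcp/3389 :", summarize(rules, VMP_RA1, "tcp", 3389))
        print("DC2 tcp/443  :", summarize(rules, VMPDC2, "tcp", 443))
        print("DC2 tcp/80   :", summarize(rules, VMPDC2, "tcp", 80))
        print("workstation  :", summarize(rules, WORKSTATION, "tcp", 51234))
```

Running it shows the manual rule in section 1 claiming VMP-RA1 while every other inside host still lands on the obj_any PAT, which is the point of Mike's reply; it also shows why the service-restricted VMPDC2 rule only applies to tcp/443 and not to the host's other traffic. On a real ASA the corresponding checks are `show nat` (the rules in the order the firewall evaluates them, with hit counts) and `packet-tracer input outside tcp <source-ip> <source-port> <mapped-ip> 443`, which reports the NAT and access-list phases a test packet passes through before any rule is changed.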
