New Member

ASA5505 8.4.2 nat (outside,inside) black hole

I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.

The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. Would someone please take a look at my config file and tell me what I'm doing wrong and what I need to change in order to make it work?

Attached is the RDP packet trace and the config file. Thanks in advance for your help

Accepted Solution
ASA5505 8.4.2 nat (outside,inside) black hole

Hello Michael,

Logs never lie, seems like the access-group is dropping the packets.

Please create the following line:

access-list outside_access_in_2 line 1 permit tcp host 76.185.77.99 host 192.168.23.18 eq 3389

Try this ASAP and let me know the result,

I will be waiting in order to help.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
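Why that one line fixes it can be checked without an ASA. The config Michael posts further down the thread binds outside_access_in_2 to the outside interface, and that ACL's RDP entry is "permit object RDP any any", where object RDP had by then been changed to "service tcp source eq 3389": the entry matches packets whose source port is 3389, which an inbound RDP client (ephemeral source port, destination port 3389) never has, so the flow falls through to the implicit deny at the end of the ACL. The Python below is an added example, not code from the thread: a parser for the small subset of object and ACL syntax used in the posted config, plus a first-match evaluator, run against a fragment constructed from Michael's config. The client source port 49152 is a constructed value; the addresses, object names and ACL names are the thread's own.

```python
"""First-match ACL evaluation for the thread's inbound RDP case (added example, not from the thread)."""
from ipaddress import ip_address, ip_network

NAMED_PORTS = {"smtp": 25, "www": 80, "https": 443}  # only the names this example needs

# Constructed from the relevant lines of Michael's posted config, after 'object service RDP'
# was changed to 'source eq 3389'. outside_access_in_2 is the ACL bound to the outside interface.
CONFIG_BEFORE = """
object network NETWORK_OBJ_192.168.23.0_24
 subnet 192.168.23.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
object network SBS-RDP
 host 192.168.23.18
object service RDP
 service tcp source eq 3389
access-list outside_access_in_2 extended permit object RDP any any log alerts
access-list outside_access_in_2 extended permit ip object NETWORK_OBJ_10.10.10.0_24 object NETWORK_OBJ_192.168.23.0_24
"""

# The line from the accepted solution; 'line 1' inserts it at the top of the ACL.
ACCEPTED_FIX = "access-list outside_access_in_2 line 1 permit tcp host 76.185.77.99 host 192.168.23.18 eq 3389\n"


def _port(token):
    return int(token) if token.isdigit() else NAMED_PORTS[token]


def _endpoint(tokens, networks):
    """Consume one address spec (any | host A | object NAME | A MASK); None means 'any'."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "object":
        return networks[tokens[1]], tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (network objects, service objects, ACLs) for the subset of ASA syntax used above."""
    networks, services, acls = {}, {}, {}
    current = None  # (kind, name) of the object block being read
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "object":
            current = (t[1], t[2])
        elif t[0] == "host" and current and current[0] == "network":
            networks[current[1]] = ip_network(t[1] + "/32")
        elif t[0] == "subnet" and current and current[0] == "network":
            networks[current[1]] = ip_network(f"{t[1]}/{t[2]}", strict=False)
        elif t[0] == "service" and current and current[0] == "service":
            services[current[1]] = (t[1], t[2], _port(t[4]))  # service tcp {source|destination} eq PORT
        elif t[0] == "access-list":
            name, rest = t[1], t[2:]
            position = None
            if rest[0] == "line":
                position, rest = int(rest[1]) - 1, rest[2:]
            if rest[0] in ("standard", "remark"):
                continue  # not interface ACEs; ignored in this example
            if rest[0] == "extended":
                rest = rest[1:]
            action, rest = rest[0], rest[1:]
            sport = dport = None
            if rest[0] == "object":  # a service object supplies protocol and the port's direction
                proto, direction, port = services[rest[1]]
                if direction == "source":
                    sport = port
                else:
                    dport = port
                rest = rest[2:]
            else:
                proto, rest = rest[0], rest[1:]
            src, rest = _endpoint(rest, networks)
            dst, rest = _endpoint(rest, networks)
            if rest[:1] == ["eq"]:  # a trailing 'eq' applies to the destination port
                dport = _port(rest[1])
            ace = {"action": action, "proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}
            acl = acls.setdefault(name, [])
            acl.insert(len(acl) if position is None else position, ace)
    return networks, services, acls


def _contains(net, ip):
    return net is None or ip_address(ip) in net


def acl_permits(acl, proto, src, sport, dst, dport):
    """The first matching ACE decides; no match means the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_contains(ace["src"], src) and _contains(ace["dst"], dst)):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False


def inbound_rdp_permitted(config_text, client="76.185.77.99", client_port=49152, server="192.168.23.18"):
    """Does the outside ACL admit a client on an ephemeral port (constructed: 49152) to the real server on 3389?"""
    _, _, acls = parse_config(config_text)
    return acl_permits(acls["outside_access_in_2"], "tcp", client, client_port, server, 3389)


if __name__ == "__main__":
    print("before fix:", inbound_rdp_permitted(CONFIG_BEFORE))                 # False
    print("after fix: ", inbound_rdp_permitted(CONFIG_BEFORE + ACCEPTED_FIX))  # True
```

This reproduces only the ACL phase of packet-tracer, the phase the accepted solution addresses; a real ASA also consults the NAT rule and the route. Note that on ASA 8.3 and later the interface ACL is evaluated against the real (pre-NAT) address, which is why both the existing entry and the added line reference 192.168.23.18 rather than the outside interface address.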
19 REPLIES

ASA5505 8.4.2 nat (outside,inside) black hole

Hello Michael,

I work with these scenarios every day and I can tell you that NAT statements using ANY can generate a lot of issues, so I would recommend that you be more specific and, instead of using ANY, use the right interface name (Inside, Outside, etc.).

Now the problem here is this part of the configuration:

object service RDP
 service tcp destination eq 3389

You are going to NAT the source IP and port, so instead of "service tcp destination" it should be "source".

Please try that and let me know the result.

Please rate helpful posts.

Julio

New Member

ASA5505 8.4.2 nat (outside,inside) black hole

Julio,

Thank you for your reply. I don't understand what you mean. Kindly please give me an example of your suggestion based on the RDP section of my configuration file.

ASA5505 8.4.2 nat (outside,inside) black hole

Hello Michael,

The configuration is fine; the only problem I could see is the object service configuration. Instead of using:

 service tcp destination eq 3389

use:

 service tcp source eq 3389

Regards,

Please rate helpful posts

Julio

New Member

ASA5505 8.4.2 nat (outside,inside) black hole

Julio,

I have applied your suggested change:

object service RDP
 service tcp source eq 3389

I then copied the running config to the startup config, cleared xlate and reloaded. Port forwarding is still not working.

I can ping the outside interface and I have remote access by VPN client, but no port forwarding pleasure.

Any other suggestions?

Regards,

I look forward to fully rating a helpful post.

Michael

ASA5505 8.4.2 nat (outside,inside) black hole

Hello Michael,

Here is what you need to have in the configuration; until you have this, connections coming from the outside to port 3389 on the outside IP address are not going to work:

object network SBS-RDP
 host 192.168.23.18
object service RDP
 service tcp source eq 3389
no nat (outside,inside) source static any any destination static interface SBS-RDP service RDP RDP
nat (inside,outside) 1 source static SBS-RDP interface service RDP RDP

192.168.5.0/24

Regards,

Julio

New Member

Re: ASA5505 8.4.2 nat (outside,inside) black hole

Thanks for your timely reply, Julio.

I have enthusiastically applied your suggested changes, but no happy ending. Here is a sample of the config file with your suggestions in bold italics:

object network NETWORK_OBJ_192.168.23.0_24
 subnet 192.168.23.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
 description IPSec VPN
object network SBS-SMTP
 host 192.168.23.18
object service RDP
 service tcp source eq 3389
object service SMTP
 service tcp destination eq smtp
object service 987
 service tcp destination eq 987
object service HTTPS444
 service tcp destination eq 444
object network SBS-RDP
 host 192.168.23.18
object network SBS-HTTPS444
 host 192.168.23.18
object network SBS-987
 host 192.168.23.18
access-list SPS-Remote_SplitTunnelAcl standard permit 192.168.23.0 255.255.255.0
access-list SPS-Remote_SplitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any object SBS-SMTP eq smtp
access-list outside_access_in extended permit tcp any object SBS-RDP eq 3389
access-list outside_access_in extended permit tcp any object SBS-HTTPS444 eq 444
access-list outside_access_in extended permit tcp any object SBS-987 eq 987
access-list outside_Nat0_outbound extended permit ip any 192.168.23.0 255.255.255.0
access-list inside_Nat0_outbound extended permit ip any 192.168.23.0 255.255.255.0
access-list inside_Nat0_outbound_1 extended permit ip 192.168.23.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 192.168.23.0 255.255.255.0
access-list inside_access_in remark Allow VPN traffic inside
access-list inside_access_in extended permit ip 192.168.23.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip object NETWORK_OBJ_10.10.10.0_24 192.168.23.0 255.255.255.0
access-list outside_access_in_2 extended permit object RDP any any log alerts
access-list outside_access_in_2 extended permit object SMTP any any
access-list outside_access_in_2 extended permit object 987 any any
access-list outside_access_in_2 extended permit object HTTPS444 any any
access-list outside_access_in_2 extended permit ip object NETWORK_OBJ_10.10.10.0_24 object NETWORK_OBJ_192.168.23.0_24
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-Pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static SBS-RDP interface service RDP RDP
nat (any,any) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static NETWORK_OBJ_192.168.23.0_24 NETWORK_OBJ_192.168.23.0_24
nat (outside,inside) source static any any destination static interface SBS-SMTP service SMTP SMTP
nat (outside,inside) source static any any destination static interface SBS-HTTPS444 service HTTPS444 HTTPS444
nat (outside,inside) source static any any destination static interface SBS-987 service 987 987
nat (inside,outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in_2 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

What could possibly be missing or in need of changing? The ASDM Syslog shows internal and vpn connected activity. How do I configure ASDM to show me the dropped packets from tcp/3389 outside traffic?

Regards,

Michael

Re: ASA5505 8.4.2 nat (outside,inside) black hole

Hello Michael,

Is there a way that we could use another IP address instead of the outside IP address on the NAT?

This traffic is not being sourced from a VPN tunnel, right? It is regular traffic coming from the internet.

Now let's do a capture to see what is going on, because this should be up and running. In the access-list, the xxx is the outside IP address.

access-list capin permit tcp host 76.185.77.99 host 192.168.23.18
access-list capin permit tcp host 192.168.23.18 host 76.185.77.99
access-list capout permit tcp host 76.185.77.99 host xxxxxx
access-list capout permit tcp host xxxx host 76.185.77.99
capture capin access-list capin interface inside
capture capout access-list capout interface outside
capture asp type asp-drop all

Provide the following outputs:

show capture capin
show capture capout
show capture asp

Regards,

Julio

New Member

Re: ASA5505 8.4.2 nat (outside,inside) black hole

Julio, this traffic is not being sourced from a VPN tunnel. It is regular traffic traversing the internet. There are some other IP addresses provided by my ISP. I could try another if you think the one I'm using is defective. I do not have the luxury of a different public network, however.

I have applied your suggested changes (making sure to replace the XXX's with the ISP-provided public outside address) and here are the results:

Result of the command: "show capture capin"
0 packet captured
0 packet shown

Result of the command: "show capture capout"
0 packet captured
0 packet shown

Result of the command: "show capture asp"
413 packets captured
   1: 18:47:26.728798 9afd.43ad.b4c9 1503.0100.1630 0x80e9 27:  Drop-reason: (np-socket-closed) Dropped pending packets in a closed socket
   2: 18:47:26.729469 802.1Q vlan#1 P0 192.168.23.5.4438 > 192.168.23.3.443: F 2125777054:2125777054(0) ack 2832524426 win 64836 Drop-reason: (tcp-not-syn) First TCP packet not SYN
etcetera, etcetera
  72: 18:49:25.494954 802.1Q vlan#1 P0 192.168.23.5.137 > 192.168.23.255.137:  udp 50
  73: 18:49:26.244677 802.1Q vlan#1 P0 192.168.23.5.137 > 192.168.23.255.137:  udp 50

Regards,

Michael

Re: ASA5505 8.4.2 nat (outside,inside) black hole

Hello Michael,

As you can see in the captures, capin and capout have no packets, which means the RDP requests are not getting into your ASA.

That is the problem: there is something out there blocking those packets.

Regards,

Please rate helpful posts.

Julio

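Julio's reading of the three captures can be written down as a small triage routine: an empty capout means the client's SYNs never arrived on the outside interface, so the problem is upstream of the ASA; a non-empty capout with an empty capin means the ASA itself dropped the flow, and the asp capture's Drop-reason codes say why; packets in both mean the firewall forwarded them and the problem is beyond it. The Python below is an added example, not part of the thread. Its sample input is constructed from the output lines Michael posted (the rows he elided are left out), and the capture names capin, capout and asp are the ones Julio defined above.

```python
"""Triage ASA 'show capture' output for an inbound flow (added example, not from the thread)."""
import re
from collections import Counter

# Constructed from the output Michael posted; the rows he replaced with "etcetera" are omitted.
SAMPLE = '''Result of the command: "show capture capin"
0 packet captured
0 packet shown
Result of the command: "show capture capout"
0 packet captured
0 packet shown
Result of the command: "show capture asp"
413 packets captured
   1: 18:47:26.728798 9afd.43ad.b4c9 1503.0100.1630 0x80e9 27:  Drop-reason: (np-socket-closed) Dropped pending packets in a closed socket
   2: 18:47:26.729469 802.1Q vlan#1 P0 192.168.23.5.4438 > 192.168.23.3.443: F 2125777054:2125777054(0) ack 2832524426 win 64836 Drop-reason: (tcp-not-syn) First TCP packet not SYN
  72: 18:49:25.494954 802.1Q vlan#1 P0 192.168.23.5.137 > 192.168.23.255.137:  udp 50
'''

HEADER = re.compile(r'Result of the command: "show capture (\S+)"')
COUNT = re.compile(r"^(\d+) packets? captured")
PACKET = re.compile(r"^\s*\d+: \d\d:\d\d:\d\d\.\d+ ")      # "   1: 18:47:26.728798 ..."
DROP = re.compile(r"Drop-reason: \(([^)]+)\)")             # "(tcp-not-syn)"
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")


def parse_show_capture(text):
    """Map capture name -> {'captured': N, 'drops': Counter(reason), 'flows': [(src, sport, dst, dport, reason)]}."""
    captures, name = {}, None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            name = m.group(1)
            captures[name] = {"captured": 0, "drops": Counter(), "flows": []}
            continue
        if name is None:
            continue
        m = COUNT.match(line)
        if m:
            captures[name]["captured"] = int(m.group(1))
            continue
        if PACKET.match(line):
            d = DROP.search(line)
            reason = d.group(1) if d else None
            if reason:
                captures[name]["drops"][reason] += 1
            f = FLOW.search(line)  # L2-only rows (like packet 1 above) carry no IP flow
            if f:
                captures[name]["flows"].append((f.group(1), int(f.group(2)), f.group(3), int(f.group(4)), reason))
    return captures


def triage(captures, server, port):
    """Locate where an inbound flow to server:port is lost; returns (verdict, drop reasons for that flow)."""
    outside = captures.get("capout", {}).get("captured", 0)
    inside = captures.get("capin", {}).get("captured", 0)
    asp_flows = captures.get("asp", {"flows": []})["flows"]
    related = Counter(r for s, sp, d, dp, r in asp_flows if d == server and dp == port and r)
    if outside == 0:
        return "not-reaching-asa", related  # nothing matched on outside: look upstream of the firewall
    if inside == 0:
        return "dropped-by-asa", related    # arrived, never left inside: NAT/ACL; asp reasons say which
    return "forwarded", related             # left the inside interface: look at the server or return path


if __name__ == "__main__":
    caps = parse_show_capture(SAMPLE)
    print({n: c["captured"] for n, c in caps.items()}, dict(caps["asp"]["drops"]))
    print(triage(caps, "192.168.23.18", 3389))  # ('not-reaching-asa', Counter())
```

Both drops in the sample asp rows belong to unrelated LAN flows, which is why the related counter stays empty; an unfiltered asp-drop capture grows quickly on a live box, so narrowing its rows to the server and port of interest, as triage does, is what keeps the reasons readable.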