Solved: Cisco ASA 8.3(2) PAT issue

tarmo · ‎10-18-2010

Hello

I have tried to solve it my self, but no luck.

I have this setup:

ISP modem (no NAT) - Cisco ASA 5505 firewall/router (NAT enabled, 1 external IP address) - local network.

I need to forward upto 5 ports to inside nework (192.168.1.0/24). Inside computers have Internet access, just PAT does not work.

As I am more ASDM user then commanline, but I can handel commandline too if needed (for PAT setup I have tried both)

I have created new NAT rules based on information what I have found in the Internet and Cisco website.

I have created following conf lines:

object network 192.168.1.102
host 192.168.1.102
object network KASSA
host 192.168.1.100

object network 192.168.1.102
nat (inside,outside) static interface service tcp 1205 1205
object network KASSA
nat (inside,outside) static interface service tcp 3389 3389

object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
access-list outside_access_in_1 remark PING from outside.
access-list outside_access_in_1 extended permit icmp any interface outside object-group DM_INLINE_ICMP_1
access-list outside_access_in_1 extended permit tcp any object KASSA eq 3389
access-list outside_access_in extended permit tcp any object KASSA eq 3389

access-group outside_access_in_1 in interface outside

Ping from Outside is working as it should! But when I try to access to object KASSA to port 3389 is see this

7

Oct 18 2010

20:34:10

my other office IP

54938

outside IP

3389

TCP request discarded from my office IP/54938 to outside:outside IP/3389

Can someone help me to fix it. I have other ASA 5505/5510 devices too, but this device is only one running lates firmware.

Maykol Rojas · ‎10-18-2010

Hello Tarmo

I hope you are doing great. I can see the port forwardings (Static PAT) that you are doing, however, I cannot see the PAT configuraton. Make sure that the PAT configuration has the after-auto keyword, otherwise the PAT wont work.

Here is how it should look like

object network 192.168.1.102
host 192.168.1.102
object network KASSA
host 192.168.1.100

object network 192.168.1.102
nat (inside,outside) static interface service tcp 1205 1205
object network KASSA
nat (inside,outside) static interface service tcp 3389 3389

On global configuration mode

nat (inside,outside) after auto source dynamic any interface

Let me know if that works.

Mike

View solution in original post

Kureli Sankar · ‎10-18-2010

tcp 3389 breaks? I used it exactly as you have configured. Config looks correct.

does tcp 1205 work?

what does packet tracer output show?

packet input outside tcp x.x.x.x 1025 o.o.o.o 3389 det

x.x.x.x - client ip that you are trying RDC from

o.o.o.o - outside IP address of the ASA.

-KS

Maykol Rojas · ‎10-18-2010

Hello Tarmo

I hope you are doing great. I can see the port forwardings (Static PAT) that you are doing, however, I cannot see the PAT configuraton. Make sure that the PAT configuration has the after-auto keyword, otherwise the PAT wont work.

Here is how it should look like

object network 192.168.1.102
host 192.168.1.102
object network KASSA
host 192.168.1.100

object network 192.168.1.102
nat (inside,outside) static interface service tcp 1205 1205
object network KASSA
nat (inside,outside) static interface service tcp 3389 3389

On global configuration mode

nat (inside,outside) after auto source dynamic any interface

Let me know if that works.

Mike

tarmo · ‎10-18-2010

Hello Mike

thank you. Now 3389 port is working.

nat (inside,outside) after-auto source dynamic any interface - I had there nat (inside,outside) source dynamic any interface (default rule).

I will test with other ports too.

Greetings from Estonia.

Tarmo

Maykol Rojas · ‎10-18-2010

Hello Tarmo

Thank you a lot, I am glad I was able to help,

Greetings from Costa Rica !!

Mike