NATing issue in ASA image 9.0

Dipesh Patel
Level 2

Dear Experts,

I want to configure NATing for a specific server inside the Secured LAN zone (172.18.64.11).

That server needs to provide access only through RDP port 3189, from only one IP address.

Inside IP address : 172.18.64.11

NATedIP address : 172.21.76.241

Firewall Outside IP address : 172.21.76.254

Outside IP address accessing the server via RDP port = 172.24.105.16

Port TCP/UDP - 3189

Firewall Details :

Name: "Chassis", DESCR: "ASA 5505 Adaptive Security Appliance"

PID: ASA5505           , VID: V12     , SN: JMX17214138

System image file is "disk0:/asa901-k8.bin"

ASDM version - 7.1(1)52

Configuration applied:

object network CRNCTL
 host 172.18.64.11
object network CRNCTL_NATed
 host 172.21.76.241
object network Temp_Admin
 host 172.24.105.16
object service Remote_Desktop
 service tcp destination eq 3189
 description Remote_Desktop
object service RDP
 service udp destination eq 3189
 description RDP
object-group service TEMP
 description TEMP
 service-object object Remote_Desktop
 service-object object RDP
object network CRNCTL
 nat (inside,outside) static CRNCTL_NATed
access-list outside_access_in extended permit object-group TEMP object Temp_Admin object CRNCTL_NATed
access-group outside_access_in in interface outside

But it's not working.

When I apply

access-list outside_access_in extended permit ip any any

then it's working.

Please help to resolve this issue.               

1 Reply

Jouni Forss
VIP Alumni

Hi,

There is at least 1 problem, probably 2.

  • You have defined the RDP services port as TCP/3189 (and UDP/3189). Is the server really listening on the port 3189? The default port is TCP/3389
  • You have allowed the traffic to the NAT IP address. In the software levels 8.3 (and above) you will always allow the traffic to the real/local IP address, never to the NAT IP address. This is because of the NAT changes introduced in the new software levels.

So I would suggest one of the following options, depending on whether the port used above was a typo/mistake or not:

access-list outside_access_in permit tcp object Temp_Admin object CRNCTL eq 3389

access-list outside_access_in permit tcp object Temp_Admin object CRNCTL eq 3189

Hope this helps

Let me know how it goes.

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni
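The second point in the reply (on ASA 8.3+ the ACL must reference the real object, not the NAT-mapped one) is easy to check mechanically. The following is an added example, not code from the thread or from Cisco: a small Python lint that reads the static NAT statements out of an ASA running-config, flags any access-list line whose destination is a mapped object, and rewrites it to use the real object. The sample config embedded below is constructed from the lines posted in the question.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the NAT/ACL-relevant lines from the question's ASA 9.0 config.
SAMPLE_CONFIG = """\
object network CRNCTL
 host 172.18.64.11
object network CRNCTL_NATed
 host 172.21.76.241
object network Temp_Admin
 host 172.24.105.16
object network CRNCTL
 nat (inside,outside) static CRNCTL_NATed
access-list outside_access_in extended permit object-group TEMP object Temp_Admin object CRNCTL_NATed
access-group outside_access_in in interface outside
"""

OBJECT_RE = re.compile(r"^object (network|service) (\S+)")
NAT_RE = re.compile(r"^\s*nat \(\S+,\S+\) static (\S+)")
ACL_OBJ_RE = re.compile(r"\bobject (\S+)")  # matches "object X", not "object-group X"


def mapped_to_real(config: str) -> Dict[str, str]:
    """Return {mapped_object_name: real_object_name} for every object-NAT static rule."""
    current_real = None
    mapping: Dict[str, str] = {}
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:  # entering a new object block; only network objects can carry a nat statement
            current_real = m.group(2) if m.group(1) == "network" else None
            continue
        m = NAT_RE.match(line)
        if m and current_real:
            mapping[m.group(1)] = current_real
    return mapping


def find_acl_nat_mismatches(config: str) -> List[Tuple[str, str, str]]:
    """Return (acl_name, mapped_object, real_object) for each ACL line that names a mapped object."""
    mapping = mapped_to_real(config)
    findings = []
    for line in config.splitlines():
        if line.startswith("access-list "):
            acl_name = line.split()[1]
            for obj in ACL_OBJ_RE.findall(line):
                if obj in mapping:
                    findings.append((acl_name, obj, mapping[obj]))
    return findings


def rewrite_acl(line: str, mapping: Dict[str, str]) -> str:
    """Replace each mapped object reference in an ACL line with its real object (post-8.3 semantics)."""
    for mapped, real in mapping.items():
        line = re.sub(rf"\bobject {re.escape(mapped)}\b", f"object {real}", line)
    return line
```

Running `find_acl_nat_mismatches(SAMPLE_CONFIG)` on the posted config reports the single outside_access_in line referencing CRNCTL_NATed, and `rewrite_acl` turns it into the real-object form the reply recommends.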
