port forwarding asa 5510

TY08
Level 1

Guys,

I need your assistance to double or triple check my port forwarding. Basically I want to have 1 public IP for multiple RDP connections.

Configuration as follows:

access-list 100 extended permit tcp any host x.x.51.126 eq 3393

static (inside,outside) tcp x.x.51.126 3393 192.168.1.13 3389 netmask 255.255.255.255

global (outside) 1 interface

global (backup) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface outside

sh ver

Cisco Adaptive Security Appliance Software Version 7.0(7)
Device Manager Version 5.0(7)

I looked at the documentation and other resources, and somehow it's not working. But if I don't do port forwarding, it works fine.

I am not sure where to look at this point. Let me know if someone can guide me to the right place.

Thanks in advance.


8 Replies

Julio Carvajal
VIP Alumni

Hello,

Looks good

Now the thing is that if you are using the backup interface, it is not gonna work, as the static and ACL are only applied on the outside interface.

Can you run the packet-tracer command:

Follow this document and leave your comments:

http://www.laguiadelnetworking.com/the-usage-of-the-packet-tracer-feature-on-the-asa/

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/


Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Thanks for the reply. I tried to remove my backup interface and that didn't seem to do the trick. packet-tracer isn't available on the firewall; it's currently still running on v 7.0.

Any other thoughts on what might have caused this issue?

I use the clear xlate command each time I set up the static (inside,outside) command, and rebooted 2 times. Still no luck.

I am not too sure where the problem is.

Hello Blue,

I never said remove the backup interface, I just said if you plan to use the backup you still need a NAT statement for the backup.

Oops, I did not pay attention to the ASA version (just as a note: dude, you have a 5510. That's an amazing box. Take full usage of it and use the newer versions; otherwise, how much for that? Just kidding, but really try to upgrade to the latest version as you are definitely missing a lot of fun).

Okay, time to do captures (as we do not have the almighty packet-tracer):

access-list capout permit tcp host Outside_Client_IP_address host x.x.51.126 eq 3393

access-list capout permit tcp host x.x.51.126 eq 3393 host Outside_Client_IP_address

access-list capin permit tcp host Outside_Client_IP_address host 192.168.1.13 eq 3389

access-list capin permit tcp host 192.168.1.13 eq 3389 host Outside_Client_IP_address

capture capout access-list capout interface outside

capture capin access-list capin interface inside

Then try to connect once and share:

show cap capin

show cap capout

Note: Remember to rate all of my posts, I definitely take my time to help here.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

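The capture procedure above relies on one detail of pre-8.3 ASA code that is easy to get wrong: the outside interface (and the interface ACL applied there) sees the mapped address and port of the static, while the inside interface sees the real address and port after translation, so the two capture ACLs must name different endpoints. The following Python is an added example, not code from the thread or from Cisco; it parses the port static quoted in the thread (the `x.x.51.126` address is kept as the redacted placeholder the poster used) and derives which address/port each interface's capture must match.

```python
import re

# Constructed sample taken from the configuration quoted in the thread.
STATIC = ("static (inside,outside) tcp x.x.51.126 3393 "
          "192.168.1.13 3389 netmask 255.255.255.255")
ACL = "access-list 100 extended permit tcp any host x.x.51.126 eq 3393"

STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)")


def parse_static(line):
    """Split a pre-8.3 port static into its real and mapped halves."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError("not a port static: " + line)
    d = m.groupdict()
    d["mapped_port"], d["real_port"] = int(d["mapped_port"]), int(d["real_port"])
    return d


def expected_endpoint(st, interface):
    """Address/port a capture on this interface must match: the mapped pair on
    the outside (before translation), the real pair on the inside (after)."""
    if interface == st["mapped_if"]:
        return st["mapped_ip"], st["mapped_port"]
    if interface == st["real_if"]:
        return st["real_ip"], st["real_port"]
    raise ValueError("static does not apply to " + interface)


def capture_acls(st, client="Outside_Client_IP_address"):
    """Generate the two-direction capture ACL for each interface of the static."""
    out = {}
    for name, iface in (("capout", st["mapped_if"]), ("capin", st["real_if"])):
        ip, port = expected_endpoint(st, iface)
        out[name] = [
            f"access-list {name} permit {st['proto']} host {client} host {ip} eq {port}",
            f"access-list {name} permit {st['proto']} host {ip} eq {port} host {client}",
        ]
    return out


def capture_line_ok(line, st, interface):
    """True if a capture ACL names the address/port that interface actually sees."""
    ip, port = expected_endpoint(st, interface)
    return f"host {ip} eq {port}" in line


def interface_acl_ok(acl_line, st):
    """Pre-8.3 interface ACLs filter on the mapped (global) address and port."""
    return capture_line_ok(acl_line, st, st["mapped_if"])
```

Running `capture_line_ok` over a capin entry that uses the mapped port 3393 on the inside interface returns False, which is one reason an inside capture can stay empty even when the translation itself is fine.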

Hi Julio,

I know you didn't, but I just went ahead to disable it for another possibility.

I tried your approach as follows:

access-list capout extended permit tcp any host x.x.51.126 eq 3393

access-list capout extended permit tcp host x.x.51.126 eq 3393 any

access-list capin extended permit tcp any host 192.168.1.13 eq 3393

access-list capin extended permit tcp host 192.168.1.13 eq 3393 any

asa5510# capture capout access-list capout interface outside

asa5510# capture capin access-list capin interface inside

asa5510# sh cap capin

0 packet captured

0 packet shown

asa5510# sh cap capout

0 packet captured

0 packet shown

Is this firmware too old?

Thanks...

Tedy

Hello,

You are definitely running an old version, but that is not the cause of the issue right now.

Based on the captures you are not getting any packets, so it's not a problem with the ASA.

Can you share:

show route

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura


Hi,

This is the show route output:

asa5510# sh route

S    0.0.0.0 0.0.0.0 [1/0] via x.x.51.121, outside
C    x.x.51.120 255.255.255.248 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside

I have other mappings done on the access list for the email server, and that seems to be working fine, and RDP, port 3389, works as well.

My plan is to upgrade this box to the newer version. If you have any other thoughts, please let me know. I have looked at a few links about my settings and also Cisco docs for port forwarding, and I don't see anything wrong on the command line configuration.

Can you share the entire configuration please,

I mean right now, based on the outputs you have provided, I would blame something outside the ASA as we are not seeing any packets.

Please send me the config in private if required

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura


I just sent you the config to your private message.

Thanks again.
