07-23-2013 05:39 PM - edited 03-11-2019 07:16 PM
guys,
i need your assistance to double or triple check my port forwarding. basically i want to have 1 public ip for multiple rdp connections.
configuration as follows:
access-list 100 extended permit tcp any host x.x.51.126 eq 3393
static (inside,outside) tcp x.x.51.126 3393 192.168.1.13 3389 netmask 255.255.255.255
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 100 in interface outside
sh ver
Cisco Adaptive Security Appliance Software Version 7.0(7)
Device Manager Version 5.0(7)
i looked at the documentation and other resources, and somehow it's not working. but if i don't do port forwarding, it works fine.
i am not sure where to look at this point. let me know if someone can guide me to the right place.
thanks in advance.
07-23-2013 05:55 PM
Hello,
Looks good.
Now the thing is that if you are using the backup interface it is not gonna work, as the static and ACL are only applied on the outside interface.
Can you run the packet-tracer command?
Follow this document and leave your comments:
http://www.laguiadelnetworking.com/the-usage-of-the-packet-tracer-feature-on-the-asa/
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-23-2013 06:55 PM
hi,
thanks for the reply. i tried to remove my backup interface and that didn't seem to do the trick. packet-tracer isn't available on the firewall, it's currently still running on v 7.0.
any other thoughts on what might have caused this issue?
i use the clear xlate command each time i set up the static (inside,outside) command, and rebooted 2 times. still no luck.
i am not too sure where the problem is.
07-23-2013 07:49 PM
Hello Blue,
I never said remove the backup interface, I just said if you plan to use the backup you still need a NAT statement for the backup.
Oops, I did not pay attention to the ASA version (Just as a note: Dude, you have a 5510. That's an amazing box. Take full usage of it and use the newer versions, otherwise how much for that? Just kidding, but really try to upgrade to a later version as you are definitely missing a lot of fun).
Okay, time to do captures (as we do not have the almighty packet-tracer):
access-list capout permit tcp host Outside_Client_IP_address host x.x.51.126 eq 3393
access-list capout permit tcp host x.x.51.126 eq 3393 host Outside_Client_IP_address
access-list capin permit tcp host Outside_Client_IP_address host 192.168.1.13 eq 3389
access-list capin permit tcp host 192.168.1.13 eq 3389 host Outside_Client_IP_address
capture capout access-list capout interface outside
capture capin access-list capin interface inside
Then try to connect once and share:
show cap capin
show cap capout
Note: Remember to rate all of my posts, I definitely take my time to help here.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-23-2013 08:21 PM
hi julio,
i know you didn't, but i just went ahead and disabled it to rule out another possibility.
i tried your approach as follows:
access-list capout extended permit tcp any host x.x.51.126 eq 3393
access-list capout extended permit tcp host x.x.51.126 eq 3393 any
access-list capin extended permit tcp any host 192.168.1.13 eq 3393
access-list capin extended permit tcp host 192.168.1.13 eq 3393 any
asa5510# capture capout access-list capout interface outside
asa5510# capture capin access-list capin interface inside
asa5510# sh cap capin
0 packet captured
0 packet shown
asa5510# sh cap capout
0 packet captured
0 packet shown
is this firmware too old?
thanks...
tedy
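As an added example (not from the thread, Cisco, or Julio's blog), a small Python checker that parses the pre-8.3 `static` line and the capture ACLs posted above and reports any capture ACE whose pinned host/port cannot match the traffic on that interface: on the inside interface the flow carries the real address 192.168.1.13 and real port 3389, not the mapped port 3393, so a capture filter written with 3393 on the inside will never show packets even when the ASA is translating correctly. The sample lines are constructed from the thread; the placeholder `x.x.51.126` is kept as posted.

```python
import re

# Constructed sample from the thread: pre-8.3 static PAT line,
# the capture bindings and the capture ACLs the poster used.
STATIC_LINE = ("static (inside,outside) tcp x.x.51.126 3393 "
               "192.168.1.13 3389 netmask 255.255.255.255")
CAPTURE_LINES = [
    "capture capout access-list capout interface outside",
    "capture capin access-list capin interface inside",
]
CAPTURE_ACLS = [
    "access-list capout extended permit tcp any host x.x.51.126 eq 3393",
    "access-list capout extended permit tcp host x.x.51.126 eq 3393 any",
    "access-list capin extended permit tcp any host 192.168.1.13 eq 3393",
    "access-list capin extended permit tcp host 192.168.1.13 eq 3393 any",
]

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+)")
CAPTURE_RE = re.compile(r"^capture \S+ access-list (\S+) interface (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit tcp (.+)$")

def parse_static(line):
    """static (real_if,mapped_if) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT ..."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError("not a pre-8.3 static PAT line: " + line)
    real_if, mapped_if, mapped_ip, mapped_port, real_ip, real_port = m.groups()
    return {"real_if": real_if, "mapped_if": mapped_if,
            "mapped": (mapped_ip, int(mapped_port)),
            "real": (real_ip, int(real_port))}

def ace_pinned_endpoints(ace):
    """Return (acl_name, {(host, port)}) for every 'host X eq N' in the ACE."""
    m = ACE_RE.match(ace)
    if not m:
        raise ValueError("unsupported ACE: " + ace)
    pairs = re.findall(r"host (\S+) eq (\d+)", m.group(2))
    return m.group(1), {(h, int(p)) for h, p in pairs}

def check_capture_acls(static_line, capture_lines, acls):
    """List capture ACEs pinning a host/port the flow never has on that interface."""
    st = parse_static(static_line)
    # Mapped side sees the mapped IP/port, real side sees the real IP/port.
    want_on_if = {st["mapped_if"]: st["mapped"], st["real_if"]: st["real"]}
    acl_to_if = dict(CAPTURE_RE.match(c).groups() for c in capture_lines)
    problems = []
    for ace in acls:
        name, pinned = ace_pinned_endpoints(ace)
        want = want_on_if.get(acl_to_if.get(name))
        if want is not None and want not in pinned:
            problems.append(f"{name} ({acl_to_if[name]}): flow is "
                            f"{want[0]}:{want[1]}, ACE matches {sorted(pinned)}")
    return problems
```

Run against the posted lines it flags both capin ACEs (inside traffic is 192.168.1.13:3389) and accepts both capout ACEs, which is why a zero count on capout, not capin, is the meaningful signal in this thread.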
07-24-2013 09:37 AM
Hello,
You are definitely running an old version, but that is not the cause of the issue right now.
Based on the captures you are not getting any packets, so it's not a problem with the ASA.
Can you share:
show route
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-24-2013 04:58 PM
Hi,
this is the show route output:
asa5510# sh route
S 0.0.0.0 0.0.0.0 [1/0] via x.x.51.121, outside
C x.x.51.120 255.255.255.248 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
i have other mappings done on the access list for the email server, and that seems to be working fine, and rdp, port 3389, works as well.
my plan is to upgrade this box to the newer version. if you have any other thoughts, please let me know. i have looked at a few links about my settings and also cisco docs for port forwarding, and i don't see anything wrong in the command line configuration.
07-24-2013 11:45 PM
Can you share the entire configuration please?
I mean right now, based on the outputs you have provided, I would blame something outside the ASA as we are not seeing any packets.
Please send me the config in private if required.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-25-2013 06:29 AM
I just sent you the config to your private message.
Thanks again.