Setting up a port forward on ASA 5505 (8.3) using Static PAT

groundzerox15
Level 1

Hello,

I've been trying to set up a simple port forward on a Cisco ASA 5505 (OS version 8.3.2).

I have an external IP 94.112.245.203 and I'd like to forward a port for Windows Remote Desktop (tcp/3389) to a server at 192.168.10.2.

Here are my object, nat and access-list configurations:

http://pastebin.com/U0CGZLJ9

Here's how packet trace goes:

http://pastebin.com/sKXxBPcY

I've tried following several guides and all suggest the very same approach:

object network srv2003
 host 192.168.10.2
 nat (inside,outside) static interface service tcp 3389 3389

However I feel I must have missed something very basic about access-lists since none of the guides is discussing it.

Any help would be very much appreciated.

Regards,

Martin

15 Replies

varrao
Level 10

Hi Martin,

Yes you are right the access-list needs to be:

access-list outside_access_in extended permit tcp any 192.168.10.2 eq 3389

Since post 8.3, you need to use the private IP instead of the public IP in the outside ACL.

Hope that helps

Thanks,

Varun

Thanks,
Varun Rao

Hello Varun,

and thank you for a really quick response!

Are you sure that command is syntactically correct?

ciscoasa(config)# access-list outside_access_in extended permit tcp any 192.168.10.2 eq 3389

access-list outside_access_in extended permit tcp any 192.168.10.2 eq 3389

                                                                    ^

ERROR: % Invalid input detected at '^' marker.

(if the formatting "eats" up the whitespace, the '^' marker is pointed at 'eq')

Also, should this rule override the one already present or should it be added to it? Sorry if these questions are of a basic nature.

Thank you.

Regards,

Martin

Hey Martin,

I'm sorry, a teeny-weeny mistake:

access-list outside_access_in extended permit tcp any host 192.168.10.2 eq 3389

we were missing the host keyword.

Thanks,

Varun

Thanks,
Varun Rao

Hello Varun,

thanks for the clarification.

I've added the permission in the access-list, however I am still unable to connect via RDP and packet-trace still exits on phase 2 (i.e. access-list) with the same error message:

Drop-reason: (acl-drop) Flow is denied by configured rule

Any idea what else I might be missing? Should I post complete show running-config?

Thanks,

Martin

It should not say that now, but yes, if you can post the config, that would be helpful.

Thanks,

Varun

Thanks,
Varun Rao

Here it is:

http://pastebin.com/mXzqKLdQ

I've replaced the password hashes with ''. Other than that the dump is intact.

Thank you,

Martin

Hi Martin,

Can you delete the old nat statement:

object network srv2003
 nat (inside,outside) static interface service tcp 3389 3389

and add this one:

nat (outside,inside) source static any any destination static interface srv2003 service rdp rdp

Can you let me know how it goes.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

I've deleted the statement as you suggested and added the new one. The configuration now looks as follows:

http://pastebin.com/5jejUQCr

However the problem persists - I still can not make the RDP connection from the outside and the packet-trace fails too.

Thank you,

Martin

Ohhhhhhhhhhhhhhhhhhh, how could I just have overlooked it.

Check these:

access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded

access-group 101 in interface outside

It's the wrong access-list applied on the outside interface; kindly change it to:

access-group outside_access_in in interface outside

Thanks,

Varun

Thanks,
Varun Rao

Thank you for your response.

I changed it (I suppose it means that I change which access list applies to the given interface?), so it looks like following:

http://pastebin.com/VXJ1mvaE

Yet still no luck (neither RDP nor packet-trace, problem is still the same).

Is it possible I might have missed something else (and basic)?

Thank you very much,

Martin

groundzerox15
Level 1

Well, I tried several other things I randomly found on the Internet, but alas with no success. After those experiments, I went back to the configuration I showed in my last post to keep the thread consistent.

I know this might be a Windows-ish question, but is it possible that a reboot of the ASA might solve this issue? If you are certain that these settings are correct, then we've sort of exhausted the options, I am afraid.

Thank you very much,

Martin

Hi Martin,

For accessing the server on the RDP port, we just need the basic config:

access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 192.168.10.2 eq 3389

object service rdp
 service tcp destination eq 3389

object network srv2003
 host 192.168.10.2

nat (outside,inside) source static any any destination static interface srv2003 service rdp rdp

After this the packet tracer should not say implicit deny, and that's what amazes me. I really don't think it to be a Windows issue right now and would love to take it forward with you in digging into it, if you're fine with it.

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Thanks,

Varun

Thanks,
Varun Rao
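
The two things that went wrong in this thread, an ACE written against the public address instead of the real (private) one, and an access-group that binds a different ACL than the one holding the permit, are both easy to check mechanically from a running-config. The script below is an added example, not code from the thread or from Cisco; it parses a small constructed config excerpt modelled on Martin's posts (object NAT or twice NAT to a host object, plus extended ACLs and access-group bindings) and reports which of those two mistakes is present. The parsing covers only the ASA syntax forms that appear in this thread; object-groups, named ports and IPv6 are treated as opaque strings.

```python
"""Sanity-check a post-8.3 ASA static PAT (port forward) against its outside ACL.

Added example (not from the thread). Two checks, matching the thread's findings:
  1. some ACL must permit <proto>/<port> to the *real* inside address (8.3+ rule);
  2. that ACL must be the one bound inbound on the outside interface.
"""

# Constructed sample modelled on the thread: the permit lives in
# outside_access_in, but access-group still binds ACL 101 to outside.
SAMPLE_CONFIG = """\
object network srv2003
 host 192.168.10.2
object service rdp
 service tcp destination eq 3389
access-list 101 extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any host 192.168.10.2 eq 3389
access-group 101 in interface outside
nat (outside,inside) source static any any destination static interface srv2003 service rdp rdp
"""


def _addr(tokens, i):
    """Consume one ACE address spec at tokens[i]; return (address, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4", "any6"):
        return "any", i + 1
    if tok in ("host", "object", "object-group"):
        return tokens[i + 1], i + 2          # host address or object name
    return tok + "/" + tokens[i + 1], i + 2  # network + mask


def parse_config(text):
    """Extract host objects, service objects, ACEs, access-group bindings and PAT rules."""
    cfg = {"hosts": {}, "services": {}, "acls": {}, "bindings": {}, "pat": []}
    current = None  # (kind, name) of the object block whose sub-commands we are reading
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0].isspace()
        tokens = raw.split()
        if not indented:
            current = None
            if tokens[:2] == ["object", "network"]:
                current = ("network", tokens[2])
                cfg["hosts"].setdefault(tokens[2], None)
            elif tokens[:2] == ["object", "service"]:
                current = ("service", tokens[2])
            elif tokens[0] == "access-list" and tokens[2:4] == ["extended", "permit"]:
                proto = tokens[4]
                _, i = _addr(tokens, 5)          # source (ignored for this check)
                dst, i = _addr(tokens, i)        # destination
                port = tokens[i + 1] if i + 1 < len(tokens) and tokens[i] == "eq" else None
                cfg["acls"].setdefault(tokens[1], []).append((proto, dst, port))
            elif tokens[0] == "access-group" and tokens[2:4] == ["in", "interface"]:
                cfg["bindings"][tokens[4]] = tokens[1]
            elif tokens[0] == "nat" and "destination" in tokens:
                # twice NAT: ... destination static <mapped> <real> service <real_svc> <mapped_svc>
                d = tokens.index("destination")
                svc = tokens[tokens.index("service") + 1] if "service" in tokens else None
                cfg["pat"].append((tokens[d + 3], svc))
        elif current:
            kind, name = current
            if kind == "network" and tokens[0] == "host":
                cfg["hosts"][name] = tokens[1]
            elif kind == "network" and tokens[0] == "nat" and "service" in tokens:
                # object NAT: nat (in,out) static interface service <proto> <real_port> <mapped_port>
                s = tokens.index("service")
                cfg["pat"].append((name, (tokens[s + 1], tokens[s + 2])))
            elif kind == "service" and tokens[0] == "service":
                cfg["services"][name] = (tokens[1], tokens[-1])   # (proto, port)
    return cfg


def check_port_forward(text):
    """Return a list of findings; an empty list means the forward looks consistent."""
    cfg = parse_config(text)
    findings = []
    bound = cfg["bindings"].get("outside")
    if bound is None:
        findings.append("no access-group applied inbound on the outside interface")
    for obj, svc in cfg["pat"]:
        real_ip = cfg["hosts"].get(obj)
        if real_ip is None:
            findings.append(f"nat rule references network object {obj} with no host address")
            continue
        proto, port = svc if isinstance(svc, tuple) else cfg["services"].get(svc, (None, None))
        target = f"{proto}/{port} to {real_ip} ({obj})"
        # An ACE matches if it names the real IP (or the object, or any) and the port.
        permitting = [
            name for name, aces in cfg["acls"].items()
            if any(a[1] in (real_ip, obj, "any")
                   and (a[0] == "ip" or (a[0] == proto and a[2] in (port, None)))
                   for a in aces)
        ]
        if not permitting:
            findings.append(f"no ACL permits {target}; on 8.3+ the ACE must name the real "
                            "(private) address, not the mapped public one")
        elif bound is not None and bound not in permitting:
            findings.append(f"access-group binds {bound} to outside, but the permit for "
                            f"{target} is in {', '.join(permitting)}")
    return findings


if __name__ == "__main__":
    for finding in check_port_forward(SAMPLE_CONFIG) or ["no problems found"]:
        print(finding)
```

Run against the constructed sample it reports the access-group mismatch from this thread; change the binding to outside_access_in and it reports nothing, and an ACE that names the public address instead of 192.168.10.2 triggers the "real address" finding.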

Hello Varun,

thanks again for taking time and helping me.

I set up everything like you instructed me to in your last post.

Here's my complete running-config, just to be sure:

http://pastebin.com/L7pcYYp3

And here's the output of packet tracer:

http://pastebin.com/JqjwjYfZ

I also don't think it's a Windows problem at the moment (since I am connected to the server via SSH tunnel as of now, because RDP forwarding doesn't work).

I am glad you take this much interest in this case and I'd love to provide you with as much information as you need to further investigate this problem.

Again, thank you very much!

Martin

::EDIT::

In the meantime, I did a little check and tried the old Linux router we used for our network, and port forwarding works just fine. The purpose was to exclude problems with the ISP, Windows Server and anything else that doesn't come to mind at the moment. So it should really be an ASA issue at the moment.

Hello Varun,

have you got any update on my issue, please?
