07-24-2006 05:21 AM - edited 02-21-2020 01:03 AM
Hallo,
I am not sure if the thread title is correctly worded, so I will try to explain my problem.
I have a ASA 5510 plus that runs several VPN tunnels from Outside interface to Inside interface. these work fine. Now I want to access one server in the Inside trusted network from the Internet via RDP.
I have set up a static NAT rule that translates [my public notebook ip]:11111 to [internal server ip]:3389. Furthermore, I have allowed traffic from [my public notebook ip]:11111 on Outside to [internal server ip]:3389 on Inside via Access Control List.
Yet this does not work. Did I make some sort of logical mistake?
The code:
static (Outside,Inside) tcp [internal server ip] 3389 [my public notebook ip] 11111 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp host [my public notebook ip] host [internal server ip] eq 3389
Best regards,
Eyad Tayeb.
07-25-2006 06:56 PM
Hi ... may I have a word here !!
by looking at your config you have
static (Inside,Outside) tcp
it should be
static (Inside,Outside) tcp interface 3389
Also .. make sure the access-list applied to the outside interface in the outbound direction is not blocking traffic returned by your inside host towards the public client which initiated the RDP session.
I hope it helps .. please rate it if it does !!!
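As an added example (not configuration from the thread or from either poster), here is the full form of the static PAT the accepted answer hints at, for an ASA running 7.x-style NAT. The mapped side of the static is the ASA's own Outside address via the "interface" keyword, so no second public IP is needed; the ACL then matches the mapped address and port, and is restricted to the one client rather than "any". Addresses are assumed placeholders: 203.0.113.10 for the notebook, 198.51.100.1 for the ASA's Outside address, 192.168.1.20 for the inside RDP server.

```cisco
! Added example, not from the thread. Assumed addresses:
!   203.0.113.10  - public IP of the notebook (the only RDP client allowed)
!   198.51.100.1  - the ASA's own Outside interface address
!   192.168.1.20  - the inside RDP server

! Static PAT. Argument order is:
!   static (real_ifc,mapped_ifc) tcp mapped_addr mapped_port real_addr real_port netmask
! The mapped address is the ASA's Outside address ("interface"), never the client's IP.
static (Inside,Outside) tcp interface 11111 192.168.1.20 3389 netmask 255.255.255.255

! On ASA 7.x through 8.2 an inbound ACL is checked against the MAPPED (public)
! destination, so the rule names the Outside address and port 11111, not the
! inside server and 3389. Limit the source to the one notebook.
access-list Outside_access_in extended permit tcp host 203.0.113.10 host 198.51.100.1 eq 11111
access-group Outside_access_in in interface Outside

! Drop existing translations so the new static is used for new connections.
clear xlate
```

Moving RDP to port 11111 hides nothing from a port scanner, so the source restriction in the ACL is what actually limits exposure; widen it only if the client address changes. Note that ASA 8.3 and later replaced this syntax with object NAT and ACLs there match the real (inside) address, so this block applies only to the pre-8.3 NAT model the thread is using.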
07-24-2006 05:53 AM
Static statement is backwards.
Try this.
static (inside,outside) tcp [my public notebook ip] 11111 [internal server ip] 3389 netmask 255.255.255.255
Please rate if this helps.
Chad
07-24-2006 11:31 PM
I have changed the NAT expression accordingly. But unfortunately it did not change the situation. I still can not connect. Furthermore, I do not see any syslog messages in the GUI. Do I have to enable some debugging?
Regards,
Eyad Tayeb.
07-25-2006 04:29 AM
Sorry, just looked at your acl and that was wrong also.
Should be.
access-list Outside_access_in extended permit tcp any host [external server ip] eq 3389
This allows any ip (Internet) to connect to the external ip. The static nat will then xlate that to the internal ip.
make sure you clear the xlate after making these changes.
07-25-2006 05:04 AM
Ok, you got me confused.
An external server IP? Do I need that?
What I want do do is:
From a notebook that has a public static IP Address (ipA) I wish to connect to the only public static IP of my ASA (ipB) on port 11111 with RDP. The ASA then should redirect that connection to a single server on my trusted network (ipC) on port 3389.
The public IP of my ASA is the only one I have. to that IP there also are several IPSec VPNs connecting.
And how do I clear "xlate"?
Thanks!
Regards,
Eyad Tayeb.
07-25-2006 05:19 AM
This is what you had.
static (Outside,Inside) tcp [internal server ip] 3389 [my public notebook ip] 11111 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp host [my public notebook ip] host [internal server ip] eq 3389
In order for this to work it should be:
static (inside,outside) tcp [my public notebook ip] 11111 [internal server ip] 3389 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp any host [my public notebook ip] eq 11111
When traffic from any ip from the Internet hits [my public notebook ip] on port 11111 it will be translated to [internal server ip] on port 3389
"clear xlate" is the command to clear xlate.
07-25-2006 05:59 AM
Thanks, but it still does not work.
I have changed the NAT rule and the ACL accordingly.
But still I can not establish an RDP session (the connection to [public ASA IP]:11111 timed out). And I do not see anything in the SYSLOG window in the ASA home tab.
When I e.g. try to connect to the ASA from the same notebook via Telnet, I get an entry in the SYSLOG (Denied by ACL. Correct, I have not allowed telnet), so the traffic reaches the ASA.
Is there any way to debug NAT or the ACL?
Regards,
Eyad Tayeb.
07-25-2006 06:16 AM
sh xlate to see the translations in the table
sh conn to see current connections.
sh access-list which should give you the hit count for the acl. If you're not seeing hits on the acl then the traffic isn't reaching it.
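The checks above, worked through as an added example (not commands posted in the thread), in the order a practitioner would run them while the notebook retries the connection. Addresses are assumed placeholders: 203.0.113.10 for the notebook and 198.51.100.1 for the ASA's Outside address; the capture ACL name "cap-rdp" is also an assumption.

```cisco
! Added example, not from the thread. Assumed addresses:
!   203.0.113.10  - public IP of the notebook
!   198.51.100.1  - the ASA's Outside interface address

! 1. Is the static PAT in the translation table? The entry for port 3389 must
!    show a Global address equal to the ASA's Outside address. A Global that
!    is some other public IP means the static was written with the wrong
!    mapped address and inbound packets to the ASA will never match it.
show xlate | include 3389

! 2. Does the inbound rule see the packets? A hitcnt of 0 on the RDP line while
!    the client reports a timeout means the packet did not match this line,
!    usually because the ACL names the real (inside) address instead of the
!    mapped one, or the wrong port.
show access-list Outside_access_in

! 3. Are there half-open connections for the flow? An embryonic entry with the
!    right inside address confirms NAT matched; nothing at all points back to
!    steps 1 and 2.
show conn | include 3389

! 4. Capture exactly what arrives on Outside for this flow (7.0 access-list
!    form of the capture command, so it works on older releases too).
access-list cap-rdp extended permit tcp host 203.0.113.10 host 198.51.100.1 eq 11111
capture rdp access-list cap-rdp interface Outside
show capture rdp
no capture rdp
no access-list cap-rdp extended permit tcp host 203.0.113.10 host 198.51.100.1 eq 11111

! 5. On ASA 7.2 and later, simulate the inbound SYN through NAT and ACLs and
!    see which phase drops it (source port 40000 is arbitrary).
packet-tracer input Outside tcp 203.0.113.10 40000 198.51.100.1 11111
```

Run the capture while the client attempts the connection; if the SYN appears in the capture but the ACL hit count stays at zero, the problem is the ACL or the static, not the path to the ASA.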
07-25-2006 08:40 AM
The traffic does seem to reach the ASA, it just does not translate it.
If I enter [ASA IP]:23 into the RDP client, I get a Deny by ACL message in syslog. If I enter [ASA IP]:11111 into the RDP client, I get nothing!
With sh xlate, I get:
2 in use, 100 most used
PAT Global [public ip of ASA](1129) Local [random IP of internal server](2860)
PAT Global [public ip of my notebook](5000) Local [internal server address](3389)
There are no hits on the rule in Outside_access_in.
07-25-2006 08:47 AM
can you post your config.
07-25-2006 09:28 AM
please find attached my config
Regards,
Eyad Tayeb.
07-25-2006 09:32 AM
07-25-2006 09:42 AM
Can you post but instead of removing the ip just X out the 2nd and 3rd octets.
07-25-2006 11:37 PM
OK, confusion city!!
Again my config, now with Addresses Xed out instead of removing them.