
New Member

Static nat strangeness

OK here is the deal. I am testing for a setup I want to deploy for a client who needs to connect to our office.

What I want to do:

When hostX tries to connect to destination TCP port 9999 on the outside interface of my ASA5520, the traffic should be translated to port 3389 on my desktop. Pretty simple, no?

Right now here is what is working:

1. From my desktop I can ping hostX

2. From Wireshark I can see the SYN packet come in, and the SYN ACK packet go out to hostX.

Here is what's not working.

1. The SYN ACK packet never gets to hostX.

2. The ASA is not logging any denied packets.

Questions

1. Can I assume all the NATing that needs to be done is OK, since my ping to hostX is working?

2. I created access-lists for the outside interface and a static entry for the PAT. Am I missing anything???

Thanks,

Pete

7 REPLIES

Re: Static nat strangeness

Pete-

1. No. PAT from inside to outside is working, but it doesn't look like it is the other way.

2. Do you have a static NAT for the service?

Can you post your config?

New Member

Re: Static nat strangeness

Pat,

Thanks for your reply!

Here is my static entry:

static (inside,outside) tcp interface 9999 172.16.5.133 3389 netmask 255.255.255.255

Like I said, I see the first packet (SYN) come in from the Internet and get to 172.16.5.133 (my laptop). Then I see the SYN ACK going out from the laptop, but it never gets to the Internet client. Then I see a few RSTs as the Internet client tries again and again.

I can ping the Internet client from the laptop, so for giggles I started netcat on the Internet client on a high port and tried to connect from the laptop, and NADA.....
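An added example, not Pete's actual configuration, of the pieces an ASA 8.2 static PAT like the one above needs and the commands for checking whether the firewall is passing the return traffic. The client address 75.222.208.88 and the inside host 172.16.5.133 are from this thread; the outside interface address 198.51.100.10 and the ACL name OUTSIDE_IN are placeholders.

```cisco
! --- Translation: outside-interface:9999 -> 172.16.5.133:3389 (from the thread)
static (inside,outside) tcp interface 9999 172.16.5.133 3389 netmask 255.255.255.255

! --- Inbound ACL on the outside interface.
! The ACL is matched against the UNtranslated (outside) destination on 8.2,
! so it must permit the outside address and port 9999, not 172.16.5.133:3389.
! Limit the source to the one client rather than "any".
! (198.51.100.10 = outside interface address, placeholder)
access-list OUTSIDE_IN extended permit tcp host 75.222.208.88 host 198.51.100.10 eq 9999
access-group OUTSIDE_IN in interface outside

! --- Check 1: simulate the client's SYN through NAT and ACL without sending anything.
! Each phase (ACCESS-LIST, NAT, ...) prints ALLOW or DROP with the reason.
packet-tracer input outside tcp 75.222.208.88 1025 198.51.100.10 9999

! --- Check 2: confirm the static xlate exists.
show xlate

! --- Check 3: capture on both interfaces; capture matches are bidirectional,
! so the inside capture shows the SYN and the SYN/ACK at the laptop side,
! and the outside capture shows whether the SYN/ACK is actually sent to the client.
capture IN  interface inside  match tcp any host 172.16.5.133
capture OUT interface outside match tcp any host 75.222.208.88
show capture IN
show capture OUT

! --- Check 4: if the SYN/ACK is seen inside but not outside, see why the ASA dropped it.
show asp drop
```

If `show capture OUT` contains the SYN but no SYN/ACK, the return packet is being dropped by the ASA itself, and `show asp drop` counters narrow down whether it is a NAT, ACL or connection-state problem.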

Re: Static nat strangeness

Do you see the SYN ACK go through the firewall (back out to the internet host)?

New Member

Re: Static nat strangeness

How could I do that?

Re: Static nat strangeness

I'm not sure if the log shows it, otherwise use the packet capture option.

http://analysisandreview.com/cisco/how-to-configure-a-packet-capture-in-the-cisco-asa/

New Member

Re: Static nat strangeness

This is getting stranger. I think someone else may be working on the ASA, because I don't see packets coming to the laptop anymore. And in the logs I get:

No translation group found for tcp src outside:75.222.208.88/9999 dst inside:172.16.5.133/3389

The public address is my client's IP.

What up??

Re: Static nat strangeness

Definitely a NAT issue. You can see if others are in with the who command.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1634239
