Port Forward on an ASA

MulLa

Golden Member
Jun 20, 2000
1,755
Hi All,

Haven't been here for a while, things looked a little quiet compared to a few years back

Anyway, hope someone can point me in the right direction in regards to port forwarding RDP traffic on an ASA. For the life of me I couldn't work out why the below config isn't working; I can post the full config if anyone needs more info.

Also, this is a lab environment so security isn't a concern with RDP.


* 10.10.10.4 is the inside TS server that I'm trying to access.

access-list outside_access_in extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 10.10.10.4 3389 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

Thanks heaps in advance!
 

nightowl

Golden Member
Oct 12, 2000
1,935
Granted it is early for me, but everything looks good. The only thing that is an unknown is what the inside access-list contains. You could be blocking the traffic coming back from the RDP server with your inside access-list.
 

MulLa

Golden Member
Jun 20, 2000
1,755
Thanks nightowl, I think I remember seeing your name from way back

I certainly didn't think about the inside access list, but upon further inspection, the inside list seems to be an allow-all list, as follows.

access-list outside_access_in remark Inbound Access from Outside
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any

static (inside,outside) tcp interface 3389 10.10.10.4 3389 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

Didn't think anything was out of the ordinary myself and got one of my mates to check it as well. We're both stumped as to why it refuses to work.
 

nightowl

Golden Member
Oct 12, 2000
1,935
MulLa, did you try using the packet tracer just to make sure that nothing else is blocking/dropping the traffic on port 3389? Also, I am assuming that you can RDP to the device without going through the ASA?
 

jlazzaro

Golden Member
May 6, 2004
1,743
are you getting hits on the outside access-list? do you have logging configured to see what exactly is getting blocked?

it shouldn't matter, but try using the actual ip address rather than the interface command
 

MulLa

Golden Member
Jun 20, 2000
1,755
Hi Guys, really appreciate the assistance.

I have tried the packet tracer; if I have the destination as the outside ASA interface, everything checks out. If I have the destination as the TS box, then the NAT rule seems to be dropping the packet. I really don't understand why it's dropping packets here.

Config
static (inside,outside) tcp interface 3389 10.10.10.4 3389 netmask 255.255.255.255

match tcp inside host 10.10.10.4 eq 3389 outside any
static translation to 10.96.253.68/3389
translate_hits = 0, untranslate_hits = 1

Tried using actual IPs rather than interface, to no avail.

This is mad! And it's only a demo lab that I'm helping to setup!!
 

MulLa

Golden Member
Jun 20, 2000
1,755
Thanks heaps in advance guys for the help! Below are various "shows" and the full config. Sorry this is a little long. As mentioned before, this is a lab environment, thus all IPs are private ranges.

10.96.253.71 <- this is the box that we're TS'ing from.


ASA1# sh xlate detail
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
TCP PAT from inside:10.10.10.4/3389 to outside:10.96.253.68/3389 flags sr
ASA1#


ASA1# sh nat

NAT policies on Interface inside:
match tcp inside host 10.10.10.4 eq 3389 outside any
static translation to 10.96.253.68/3389
translate_hits = 0, untranslate_hits = 1
ASA1#


ASA1# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA1
domain-name XXXX
enable password XXXX encrypted
names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.96.253.68 255.255.255.224
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif ASA_Management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd XXXX encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup ASA_Management
dns server-group DefaultDNS
name-server 10.96.253.73
domain-name XXXX
access-list outside_access_in remark Inbound Access from Outside
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging host ASA_Management 10.96.253.79
logging debug-trace
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu ASA_Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
static (inside,outside) tcp interface 3389 10.10.10.4 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.96.253.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.96.253.71 255.255.255.255 ASA_Management
http 10.10.10.0 255.255.255.0 inside
http 10.96.253.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.96.253.71 255.255.255.255 ASA_Management
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh 10.0.253.64 255.25.255.224 outside
ssh 10.0.253.32 255.25.255.224 outside
ssh 10.96.253.64 255.255.255.224 outside
ssh 10.96.253.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
!
username XXXX password XXXX encrypted privilege 15
prompt hostname context
Cryptochecksum:XXXX
: end
 
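As an added example (not part of this thread), a small Python checker for pre-8.3 ASA configs like the one posted above: it resolves the `interface` keyword to the outside address and reports which inbound ACE on the mapped interface would match each static PAT, since pre-8.3 ACLs must reference the mapped (outside) address rather than the real inside host, which is also why a packet-tracer from outside has to target 10.96.253.68 and not 10.10.10.4. The sample config is constructed from the thread's own lines.

```python
import ipaddress
# Constructed sample in pre-8.3 ASA syntax mirroring the thread (real host 10.10.10.4).
SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif outside
 ip address 10.96.253.68 255.255.255.224
access-list outside_access_in extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 10.10.10.4 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
def _addr(tok, i, ifaces):
    """Consume one ACL address spec at tok[i]: any | host X | interface IF | NET MASK."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    host = tok[i + 1] if tok[i] == "host" else ifaces[tok[i + 1]] if tok[i] == "interface" else None
    net = host + "/32" if host else f"{tok[i]}/{tok[i + 1]}"
    return ipaddress.ip_network(net, strict=False), i + 2

def parse(config):
    ifaces, acls, groups, statics, cur = {}, {}, {}, [], None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "nameif":
            cur = t[1]
        elif t[:2] == ["ip", "address"] and cur:
            ifaces[cur] = t[2]
        elif t[0] == "static":  # static (real_if,mapped_if) proto mapped mport real rport ...
            statics.append((t[1].strip("()").split(",")[1], *t[2:7]))
        elif t[0] == "access-list" and t[2] == "extended":
            acls.setdefault(t[1], []).append(t[3:])  # [action, proto, src.., dst.., eq, port]
        elif t[0] == "access-group":  # access-group NAME in interface IF
            groups[(t[4], t[2])] = t[1]
    return ifaces, acls, groups, statics

def check_forwards(config):
    """One verdict per static PAT: the first inbound ACE on the mapped interface that
    matches the MAPPED address/port (pre-8.3 ACLs use mapped, not real, addresses)."""
    ifaces, acls, groups, statics = parse(config)
    verdicts = []
    for mapped_if, proto, mapped, mport, real, rport in statics:
        mapped_ip = ipaddress.ip_address(ifaces[mapped_if] if mapped == "interface" else mapped)
        verdict = "implicit deny (no matching ACE)"
        for ace in acls.get(groups.get((mapped_if, "in")), []):
            _, i = _addr(ace, 2, ifaces)  # skip the source spec
            dst, i = _addr(ace, i, ifaces)
            port = ace[i + 1] if i < len(ace) and ace[i] == "eq" else None
            if ace[1] in (proto, "ip") and mapped_ip in dst and port in (None, mport):
                verdict = f"{ace[0]} by '{' '.join(ace)}'"
                break  # ACLs are first-match
        verdicts.append((f"{real}:{rport}", f"{mapped_ip}:{mport}", verdict))
    return verdicts
```

Swapping the ACE's destination for the real inside host (a common pre-8.3 mistake) makes the checker report the implicit deny instead of a permit.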