ASA 5510 Nat Help

[silentblue]

Hi guys and girls I need help as this has been driving me crazy for 3 weeks now!

I'm trying to setup ASA 5510 to allow incoming traffic port 3389 (Terminal Server) to an inside server.

I created only one static NAT entry to translate outside public address to inside private address.

I allowed tcp 3389 traffic in the ACL.

When I try to connect to the public address, I can see the syslog that an inbound tcp connection is established with NAT. However doesn't connect and after 30seconds the connection gets teared down.

My Config.

ciscoasa# config terminal
ciscoasa(config)# show config
: Saved
: Written by enable_15 at 12:10:11.896 GMT/BDT Thu Oct 12 2006
!
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name xxxxxxxxxxxxxxxxxxxxx
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.x.82 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 172.16.100.100 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.
boot system disk0:/pix721.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name xxxxxxxxxxxxxxxxxxx
object-group service 4XDealer tcp
port-object range 4000 4100
access-list Outside_access_in extended permit tcp any host x.x.x.83 eq 3389

pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool RemoteIPs 172.16.250.1-172.16.250.254 mask 255
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Outside,Inside) 172.16.100.104 x.x.x.83 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

Regards,
Darren

 

[Supergrrover]

Change this
static (Outside,Inside) 172.16.100.104 x.x.x.83 netmask 255.255.255.255
to
static (inside,outside) x.x.x.83 172.16.100.104 netmask 255.255.255.255
If you are only using 3389 and don't want everything forwarded to that server, I would change the above to
static (inside,outside) tcp x.x.x.83 3389 172.16.100.104 3389 netmask 255.255.255.255



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[silentblue]

Hi i did try that before but still tried it now and still the same
But keep the idea's coming as no idea is a bad idea at this point.

3389 is the only port at the moment, there is another appliction that will be install on the server soon that needs it's own ports on the internet.

Regards,
Darren.

 

[Supergrrover]

Do you only have the one IP?

I ran into this problem before on 7.2.1

http://www.tek-tips.com/viewthread.cfm?qid=1285851&page=1

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[silentblue]

I have 13 ip's and need to use nat on them not the interface as got multi servers with the same port that need to be used.

But i will give it a go on the interface just to see if it works.

Regards,
Darren

 

[Supergrrover]

When you changed the static did you clear the xlates? These will stick for a while.

Other than that, your config looks good. That is your conplete config?


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[silentblue]

Erm xlates?? (New to cisco firewalls sorry) but i have left it over the weekend and tried today and no joy if the xlates auto clear??

As for the config i thought that it looked right as i did buy two big cisco books that told me what to do with the cisco asa and pix firewalls.

There was some vpn stuff that i was playing with but i think i disabled it all, and removed it from the post (Save space).

Regards,
Darren.

 

[Supergrrover]

Can you post a current config? I want to load it on mine and test it.



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[silentblue]

Full Config
Result of the command: "show config"

: Saved
: Written by enable_15 at 09:54:31.875 GMT/BDT Fri Oct 13 2006
!
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name accordancevat.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 82.111.251.82 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 172.16.100.100 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/pix721.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name accordancevat.local
access-list inbound_traffic_on_outside extended permit tcp any host 82.111.251.83 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool RemoteIPs 172.16.250.1-172.16.250.254 mask 255.255.0.0
ip verify reverse-path interface Outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group inbound_traffic_on_outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 82.111.251.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
wins-server value 172.16.100.1
dns-server value 172.16.100.1 172.16.100.2
default-domain value accordancevat
http server enable
http 172.16.0.0 255.255.0.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map EasyNet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map EasyNet_map 65535 ipsec-isakmp dynamic EasyNet_dyn_map
crypto map EasyNet_map interface Outside
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.0.0 255.255.0.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.135.1.36 195.40.1.36
dhcpd auto_config Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:43e8f452abeba255e1d7faa4db0f7073

Regards,
Darren.

 

[silentblue]

Oh just want to add that the server can browse the internet.

Regards,
Darren

 

[Supergrrover]

Ok, your static is missing

static (inside,outside) tcp 82.111.251.83 3389 172.16.100.104 3389 netmask 255.255.255.255

Make use you can RDP to the server from the internal network, and check the firewall settings on the server itself. You can limit the scope/networks that connect to it using that protocol with the advanced button. (I have had someone set that in group policy and forget about it.)


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[silentblue]

No joy

I am thinking is it worth me reseting the asa to factory defaults (Wipe it) and start from the begining?

Current Config now
Result of the command: "show config"

: Saved
: Written by enable_15 at 18:38:06.284 GMT/BDT Tue Oct 17 2006
!
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name accordancevat.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 82.111.251.82 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 172.16.100.100 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/pix721.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name accordancevat.local
access-list inbound_traffic_on_outside extended permit tcp any host 82.111.251.83 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool RemoteIPs 172.16.250.1-172.16.250.254 mask 255.255.0.0
ip verify reverse-path interface Outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 82.111.251.83 3389 172.16.100.104 3389 netmask 255.255.255.255
access-group inbound_traffic_on_outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 82.111.251.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
wins-server value 172.16.100.1
dns-server value 172.16.100.1 172.16.100.2
default-domain value accordancevat
http server enable
http 172.16.0.0 255.255.0.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map EasyNet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map EasyNet_map 65535 ipsec-isakmp dynamic EasyNet_dyn_map
crypto map EasyNet_map interface Outside
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.0.0 255.255.0.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.135.1.36 195.40.1.36
dhcpd auto_config Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:e11eb678db0d82f82a53fdfa03b8b64b

Regards,
Darren

 

[Supergrrover]

Can you RDP internally to the server using the IP?

The config looks righteous.

access-list inbound_traffic_on_outside extended permit tcp any host 82.111.251.83 eq 3389
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 82.111.251.83 3389 172.16.100.104 3389 netmask 255.255.255.255
access-group inbound_traffic_on_outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 82.111.251.81 1

As a last ditch, try changing this
global (Outside) 1 interface
so that it is the IP and not interface.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[silentblue]

The server is windows 2003 sr2, browsing the internet, connecting via RDP internaly from any pc also runing a time management system (port 1224) + a web portal for it (IIS 6 port 80)

I have also tried my laptop with winxp pro sp2 using ip 172.16.100.104 (Remote desktop setup on laptop + iis) and same result which is why i thought it's the ASA 5510????

Ok will try the last ditch, if that doesn't work i will competely wipe the asa 5510 and restore factory defaults and try the nat settings again.
I do have another asa 5510 that i need to install in another company but haven't done yet as they need nat on 6 servers i will plug that one in as well to see if it's just a fault with other one???

Thanks you for all your help so far!! I will get back to you with my results as i can, as will have to do this after normal uk work hours.

Regards,
Darren

 

[Supergrrover]

Yeah, do let me know how it turns out. This should work. The fact that it doesn't isn't annoying me to no end.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[silentblue]

Right Config before i add any nat settings --- wish me luck

Result of the command: "show config"

: Saved
: Written by enable_15 at 06:58:33.991 UTC Tue Oct 24 2006
!
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 82.111.251.82 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 172.16.100.100 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside) 102 interface
nat (Inside) 102 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 82.111.251.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.16.0.0 255.255.0.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:be5c03e452288dba5fa3da4a7887e690

Regards,
Darren

 

[silentblue]

Ok same dam thing 30 second timeout!

Config ----
Result of the command: "show config"

: Saved
: Written by enable_15 at 07:58:02.205 UTC Tue Oct 24 2006
!
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 82.111.251.82 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 172.16.100.100 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list Outside_access_in extended permit tcp any host 82.111.251.83 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside) 102 interface
nat (Inside) 102 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 82.111.251.83 3389 172.16.100.104 3389 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 82.111.251.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.16.0.0 255.255.0.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:35a09771447ea42cbafdb71620fea91b

I am out of idea's now

regards
Darren

 

[Supergrrover]

That's a good base. Then add the static and ACL for the RDP to the server

access-list outside_in extended permit tcp any host 82.111.251.83 eq 3389
static (Inside,Outside) tcp 82.111.251.83 3389 172.16.100.104 3389 netmask 255.255.255.255
access-group outside_in in interface Outside



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[silentblue]

no joy config now

Result of the command: "show config"

: Saved
: Written by enable_15 at 10:33:16.905 UTC Tue Oct 24 2006
!
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 82.111.251.82 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 172.16.100.100 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_in extended permit tcp any host 82.111.251.83 eq 3389
access-list Outside_access_in extended permit tcp any host 82.111.251.83 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside) 102 interface
nat (Inside) 102 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 82.111.251.83 3389 172.16.100.104 3389 netmask 255.255.255.255
access-group outside_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 82.111.251.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.16.0.0 255.255.0.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:47bcffda044c27a344dbb25179b26d4b

I am starting to think that there may be a problem with ASA Version 7.2(1) software???

regards,
Darren

 

[Supergrrover]

You can try using a PC with one of your public addresses and connecting it to a switch on the outside and RDP from there. Setup a syslog server (kiwi works fine) and set it to grab debug info and try a connection to see what's happening.

If that doesn't shed any light on it - I admit, I'm totally stumped. Time to open a case with Cisco.


Brent
Systems Engineer / Consultant
CCNP, CCSP