
I'm trying to configure my ASA (ASA 8.4(2), ASDM 6.4(5)) to allow external access to a server (using RDP). I've tried everything, but it doesn't seem to be working. I'm sure it is something simple that I'm just not seeing.

Here is the relevant configuration:

```
access-list Outside_access_in extended permit object RDP any object Priv_Vcenter01 log
nat (Inside,Outside) source static Priv_Vcenter01 Priv_Vcenter01 service RDP RDP
```

Any ideas?

Scott

ScottAdair
  • possible duplicate of [cisco ASA - redirect a port on external interface to an internal server port](http://serverfault.com/questions/54076/cisco-asa-redirect-a-port-on-external-interface-to-an-internal-server-port) – GregD Oct 26 '11 at 16:46
  • Look at that one, it is for ASA 7.x not ASA 8.x – ScottAdair Oct 26 '11 at 16:49
  • Also looked at http://serverfault.com/questions/272086/cisco-asa-nat-8-4 but that doesn't seem to work for me – ScottAdair Oct 26 '11 at 16:50
  • Basic natting and ACLs haven't changed between Ver. 7 and Ver. 8 of the ASA software. – GregD Oct 26 '11 at 16:52
  • True, but the commands have. And for a newbie it can be hard to translate :-) Anyway, the link I posted did work. I'm losing my mind, must be the noise in the Colo. – ScottAdair Oct 26 '11 at 16:55
  • @GregD They have from <8.3 to >=8.3. – Shane Madden Oct 26 '11 at 17:35

2 Answers


Below are examples that use a specific object naming scheme -- designed for clarity -- as clear as is feasible in ASA 8.3+

Full Static NAT outside:2.2.2.2 <-> inside:192.168.0.100 with ACL for ASA 8.3+

```
! Define network object for the host
! Configure NAT behavior here but will appear further down if doing a sh run

object network hst-192.168.0.100
 host 192.168.0.100
 description SRV01 LAN IP
 nat (inside,outside) static 2.2.2.2

! Define an object-group for services to be permitted in ACL

object-group service svcgrp-192.168.0.100-tcp tcp
 description SRV01 Services
 port-object eq 3389

! Put it all together - remember un-nat comes before ACL check
! Use real IP's in ACL's used in access-group -- even on outside

access-list outside_access_in extended permit tcp any object hst-192.168.0.100 object-group svcgrp-192.168.0.100-tcp
access-group outside_access_in in interface outside
```

For Static PAT on the ASA's outside interface with ACL.

```
! Define network object for the host

object network hst-192.168.0.100
 host 192.168.0.100
 description SRV01 LAN IP

! Create network object specific for the static PAT
! Kind of ridiculous with a lot of static PAT's but the ASA 8.3+ code is not
! geared for a lot of static PAT.

object network hst-192.168.0.100-tcp3389
 host 192.168.0.100
 description SRV01 PAT TCP/3389
 nat (inside,outside) static interface service tcp 3389 3389

! Define an object-group for services to be permitted in ACL

object-group service svcgrp-192.168.0.100-tcp tcp
 description SRV01 Services
 port-object eq 3389

! Put it all together - remember un-nat comes before ACL check
! Use real IP's in ACL's used in access-group -- even on outside

access-list outside_access_in extended permit tcp any object hst-192.168.0.100 object-group svcgrp-192.168.0.100-tcp
access-group outside_access_in in interface outside
```
Weaver
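As an added example (not from the question or either answer), a small Python checker for two of the mistakes discussed on this page: an ACL that is never bound with access-group, and an ACE written against the mapped address where the 8.3+ order of operations (un-NAT before ACL check) requires the real host. The configuration it checks is constructed to resemble the answer above; it only understands object NAT, not the question's twice-NAT form.

```python
import re
# Constructed sample config modelled on the answer above (not a real device dump):
# one static NAT object, one ACE wrongly using the mapped IP, one ACL never bound.
SAMPLE_CONFIG = """\
object network hst-192.168.0.100
 host 192.168.0.100
 nat (inside,outside) static 2.2.2.2
access-list outside_access_in extended permit tcp any host 2.2.2.2 eq 3389
access-list dmz_access_in extended permit tcp any object hst-192.168.0.100 eq 3389
access-group outside_access_in in interface outside
"""

def parse_config(text):
    """Collect object-NAT mapped IPs, ACL entries and access-group bindings."""
    mapped = {}    # mapped IP -> real network object name
    acls = {}      # ACL name -> list of ACE bodies
    bound = set()  # ACL names applied with access-group
    current = None # network object whose sub-commands we are reading
    for line in text.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+nat \(\S+,\S+\) static (\d+\.\d+\.\d+\.\d+)", line)
        if m and current:
            mapped[m.group(1)] = current
            continue
        m = re.match(r"access-list (\S+) extended (.*)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = re.match(r"access-group (\S+) in interface", line)
        if m:
            bound.add(m.group(1))
    return mapped, acls, bound

def find_issues(text):
    """Return human-readable findings; an empty list means both checks passed."""
    mapped, acls, bound = parse_config(text)
    issues = []
    for name, aces in acls.items():
        if name not in bound:
            issues.append(f"{name}: never applied with access-group")
        for ace in aces:
            for ip, obj in mapped.items():
                # 8.3+ checks the ACL after un-NAT, so the ACE must name the real host
                if re.search(rf"host {re.escape(ip)}\b", ace):
                    issues.append(f"{name}: matches mapped {ip}; use real object {obj}")
    return issues
```

Run `find_issues` over a `show running-config` capture to list the ACLs that need attention; a clean config returns an empty list.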

Don't use 8.4 examples; NAT changed significantly over 8.2.

Is that access list applied to the interface? Do a

```
sh access-group
```

Also assuming your objects are correct?

Willy
  • Question stated 8.4.2 is ASA version in question. Why not use 8.4 examples? Additionally, the NAT changes to which you refer were implemented beginning with ASA 8.3.1 and on. – Weaver Oct 26 '11 at 22:40