Warning – This topic I’m sure has been covered more then a few million times
So today I was called on after one of the guys on the team couldnt get external RDP access to an internal host working for a user. I logged onto the ASA and did the normal “show run” and at first even I was even fooled. Mainly because I manage most of my host naming using” names”
name 10.1.31.26 hosta_int
name 22.214.171.124 hostb_ext
Skimming quickly through the config didn’t help, so I removed names, slowed down and began looking again. I was looking at the hitcounts, the interfaces, all sorts of things. Until I slowed down and looked at exactly what the problem was.
The inside IP address of the host needing to be remotely accessible was 10.1.31.26 and the (sanitized) public IP is 172.16.3.3. It looked like this
access-list outside line 8 extended permit tcp any host 10.1.31.26 eq 3389 (hitcnt=0)
This ACL as you can see doesn’t have a single hit, identified by “hitcnt” – this is the number of times the traffic was filtered based on this ACL. See the problem? Basically, the IP used in the ACL is incorrect. The IP in the above statement is the inside IP of our target host. When you think about how ACLs work, you’ll quickly pick out maybe where one of the problems here is.
Permit TCP communication -> From Any host > To our INSIDE IP 10.1.31.26 -> On Port 3389
Looks almost right though ey? Not exactly how it should be applied. Problem is it’s impossible for this public internet facing interface to recive traffic destined for a host inside your network on an RFC1918 address
Think OUTSIDE, so the ISP is routing the subnets you own to your firewall/router – so the internet knows how to get to us at 172.16.3.3. Because we have an ACL filtering inbound traffic on that outside interface, we have to filter traffic for the public IP users are trying to connect to externally. The inbound ACL is checked first and that needs to say that the traffic coming in for 172.16.3.3 is allowed. After it makes it past that point, the static NAT mapping will then be applied and it should be routed to our host at 10.1.31.26 on port 3389. But one thing at a time, lets correct the ACL.
asa(config)#access-list outside line 8 extended permit tcp any host 172.16.3.3 eq 3389
Now it reads..
Permit TCP communication -> From Any host > To our OUTSIDE IP 172.16.3.3 -> On Port 3389
Sounds more like what we’re trying to do! Now to move onto the static NAT mapping..
static (INSIDE,Out) 10.1.31.26 172.16.3.3 netmask 255.255.255.255
Again, looks right when you consider the structure of this statement. This command can be tricky, But the correct syntax is:
static (INSIDE,OUT) extIP inIP netmask xxx.xxx.xxx.xxx
The reasons behind the configuration has to do with interface security and access from a lower security level interface to one with a higher security level.. In this case:
ip address 172.16.3.1 255.255.255.0
ip address 10.1.31.17 255.255.255.240
You can read more on this in the reference below:
In any case, the correct statement for us is:
static (INSIDE,Out) 172.16.3.3 10.1.31.26 netmask 255.255.255.255
In order for this static NAT to work at all, our ACL has to be in order and we fixed that earlier. Our Static NAT statement is also straight now. So at this point I tried to connect to the host myself to test out the changes and lets see…
asa(config)#show access-list outside
access-list outside line 8 extended permit tcp any host 172.16.3.3 eq 3389 (hitcnt=2)
As you can see we now have some hitcounts and yep! I was successful – Another day defeated!
Applies to ASA 7.2.x
As always, pointing out anything that you see here that is incorrect or inaccurate is greatly appreciated!
Be sure to rate this post to bring useful material to new and browsing readers!