
PNAT on RDP, but doesn't forward right.

14 years 5 months ago #34725 by WarlockD
I have this odd situation. I just upgraded to 8.3 on my ASA 5505 and have been trying to forward RDP. Now, if I do this, it works fine:
[code:1]
object network RDP_static_paul
host 192.168.92.116
nat (inside,outside) static interface service tcp 3389 3389

access-list outside_access_in extended permit tcp any object RDP_static_paul eq 3389
[/code:1]

However, I want to translate the port so I can have another computer connect via RDP. I CANNOT connect with this:

[code:1]
object network RDP_static_paul
host 192.168.92.116
nat (inside,outside) static interface service tcp 3389 5000

access-list outside_access_in extended permit tcp any object RDP_static_paul eq 5000
[/code:1]

With the error in the log:
[code:1]
4 Jun 09 2010 20:53:40 106023 144.162.138.54 3367 192.168.92.116 3389 Deny tcp src outside:144.162.138.54/3367 dst inside:192.168.92.116/3389 by access-group "outside_access_in" [0x0, 0x0]
[/code:1]

Now, what is REALLY odd about all this, is that if I add BOTH access rules:
[code:1]
object network RDP_static_paul
host 192.168.92.116
nat (inside,outside) static interface service tcp 3389 5000

access-list outside_access_in extended permit tcp any object RDP_static_paul eq 5000
access-list outside_access_in extended permit tcp any object RDP_static_paul eq 3389
[/code:1]
To the second one, it works.
[code:1]
6 Jun 09 2010 20:50:32 302013 144.162.138.54 3354 192.168.92.116 3389 Built inbound TCP connection 1589635 for outside:144.162.138.54/3354 (144.162.138.54/3354) to inside:192.168.92.116/3389 (76.183.66.73/5000)
[/code:1]

So my question is: what am I doing wrong? I know it's an access rule I am missing, but I thought that once the packet makes it in, it's translated by the NAT and sent on its way. Do I need to create an inside access-group to handle it?
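
Added example, not part of the original post: from ASA 8.3 onward, interface ACLs are matched against the real (untranslated) address and port, which is what the two log lines above show. The Python below parses those two lines and models that order of operations; `NAT`, `parse`, `inbound` and `unused_aces` are hypothetical names chosen for this illustration.

```python
import re

# Static PAT from the post: outside interface tcp/5000 -> 192.168.92.116 tcp/3389.
NAT = {"mapped_port": 5000, "real": ("192.168.92.116", 3389)}

# The two syslog lines, copied verbatim from the post.
DENY_LINE = ('4 Jun 09 2010 20:53:40 106023 144.162.138.54 3367 192.168.92.116 3389 '
             'Deny tcp src outside:144.162.138.54/3367 dst inside:192.168.92.116/3389 '
             'by access-group "outside_access_in" [0x0, 0x0]')
BUILT_LINE = ('6 Jun 09 2010 20:50:32 302013 144.162.138.54 3354 192.168.92.116 3389 '
              'Built inbound TCP connection 1589635 for outside:144.162.138.54/3354 '
              '(144.162.138.54/3354) to inside:192.168.92.116/3389 (76.183.66.73/5000)')

DENY_RE = re.compile(r'Deny tcp src \w+:[\d.]+/\d+ dst \w+:([\d.]+)/(\d+) '
                     r'by access-group "([^"]+)"')
BUILT_RE = re.compile(r'Built inbound TCP connection \d+ for \w+:[\d.]+/\d+ '
                      r'\([\d.]+/\d+\) to \w+:([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)')

def parse(line):
    """Return the verdict plus the real (and, if logged, mapped) destination."""
    m = DENY_RE.search(line)
    if m:
        return {"verdict": "deny", "real": (m[1], int(m[2])), "acl": m[3]}
    m = BUILT_RE.search(line)
    if m:
        return {"verdict": "built", "real": (m[1], int(m[2])),
                "mapped": (m[3], int(m[4]))}
    return None

def inbound(dst_port, aces, nat=NAT):
    """Model of the 8.3+ order: un-translate first, then match the ACL
    against the real address and port. aces is a list of (ip, port) permits."""
    if dst_port != nat["mapped_port"]:
        return "no-nat"
    return "permit" if nat["real"] in aces else "deny"

def unused_aces(aces, nat=NAT):
    """ACEs on the real host that name the mapped port; translated
    traffic is never matched against them."""
    return [a for a in aces if a == (nat["real"][0], nat["mapped_port"])]

if __name__ == "__main__":
    print(parse(DENY_LINE))
    print(parse(BUILT_LINE))
    print(inbound(5000, [("192.168.92.116", 5000)]))
    print(unused_aces([("192.168.92.116", 5000), ("192.168.92.116", 3389)]))
```

In this model the `eq 3389` entry is the one that admits the translated connection, and the `eq 5000` entry is reported as unused for it; that entry still opens port 5000 on the real host in the ACL, so it is worth reviewing rather than leaving in place.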