Hello Ankit,
If you run into issues with NAT or packet drops, check xlate and packet tracer first. Here’s an example where I use it for the config in this lesson:
Verify that my NAT rules are correct:
ASA1# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80
flags sr idle 0:03:27 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 22-22 to OUTSIDE:192.168.2.254 10022-10022
flags sr idle 0:00:03 timeout 0:00:00
Verify that I can connect. In my case, TCP 192.168.2.254:10022 translates to 192.168.3.3:22:
ASA1# packet-tracer input OUTSIDE tcp 192.168.2.2 12345 192.168.2.254 10022
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SSH_SERVER
nat (DMZ,OUTSIDE) static interface service tcp ssh 10022
Additional Information:
NAT divert to egress interface DMZ
Untranslate 192.168.2.254/10022 to 192.168.3.3/22
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_SERVERS in interface OUTSIDE
access-list DMZ_SERVERS extended permit tcp any host 192.168.3.3 eq ssh
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SSH_SERVER
nat (DMZ,OUTSIDE) static interface service tcp ssh 10022
Additional Information:
Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3, packet dispatched to next module
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
If something gets natted when it shouldn’t, or doesn’t get natted when it should…it’ll show up. If an access-list drops something, it will show.
Let’s break down this line:
nat (outside,inside_1) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp
We translate traffic routed from the outside to the inside:
nat (outside,inside_1)
We do static nat (1:1):
source static
For any source:
any
For this mapped source:
any
For this destination:
destination static interface inside-server
Where inside-server
is an object with probably the IP address of your server?
For real service:
service RDP-33320
That probably has TCP 33320
And mapped service:
RDP-3389
That probably has TCP 3389. You don’t want the ASA to respond to ARP requests for IP addresses that belong to the subnet of the interface:
no-proxy-arp
I tried a similar NAT rule like yours:
nat (OUTSIDE,DMZ) source static any any destination static interface TELNET_SERVER service TCP_10023 TCP_23
It installs two entries:
ASA1(config)# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from OUTSIDE:0.0.0.0/0 0 to DMZ:0.0.0.0/0 0
flags srIT idle 0:00:40 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 23-23 to OUTSIDE:192.168.2.254 10023-10023
flags srT idle 0:00:40 timeout 0:00:00
If you look at the first line, you can see it adds an Identity NAT entry:
Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create NAT translations and responding traffic is allowed back.
This messes up your Internet access, it translates your private IP address to the same private IP addresses.
Your port translation partly works. When you connect to TCP 33320 then it gets translated to TCP 3389.
Also, make sure you have an access-list that permits the real port number. Not the translated one.
Your internet NAT line works:
nat (any,outside) source dynamic any-inside-networks interface description Allow Inside to Ouside
And shows up like this:
ASA1(config)# show xlate
3 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from OUTSIDE:0.0.0.0/0 to any:0.0.0.0/0
flags sIT idle 0:00:47 timeout 0:00:00
If you want to get port forwarding and Internet access working, I would remove both NAT entries and replace them with this:
object network inside-server
nat (DMZ,OUTSIDE) static interface service tcp 3389 33320
object network any-inside-networks
nat (DMZ,OUTSIDE) dynamic interface
And an access-list that permits TCP 3389. That’s all you need.
Hope this helps!
Rene